Date: Tue, 20 Oct 2020 08:44:56 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: D'Arcy Cain <darcy@druid.net>
Cc: freebsd-virtualization@freebsd.org
Subject: Re: When is a switch not a switch?
Message-ID: <20201020124456.kyvlhus3qj4o7gtp@mutt-hbsd>
In-Reply-To: <57c32e6d-5572-3d3b-1a57-f3064bee7dc2@druid.net>
References: <57c32e6d-5572-3d3b-1a57-f3064bee7dc2@druid.net>
On Mon, Oct 19, 2020 at 10:02:17PM -0400, D'Arcy Cain wrote:
> I am using bhyve with vm-bhyve, I am trying to set up a virtual network
> with multiple hosts. The idea is that a VM would be on the same virtual
> network no matter which actual host it is on.
>
> Say I have a public network a.b.c.0/24. I thought I could create a switch
> on a host. The host would be a.b.c.1 and the VMs would be a.b.c.100 and
> a.b.c.101. The idea would be that the VMs would appear on the real network.
> Then the 101 VM could migrate to a.b.c.2 and still be accessible. I
> envisioned some sort of proxy arp would happen so that every VM would simply
> announce itself wherever it was.
>
> This did seem to work in that I could ping from the VM:
>
> # ping 8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> 64 bytes from 8.8.8.8: icmp_seq=0 ttl=114 time=1.734 ms
>
> Even IPV6:
>
> # ping6 2605:2600:1001::4b
> PING6(56=40+8+8 bytes) 2605:2600:1001::4 --> 2605:2600:1001::4b
> 16 bytes from 2605:2600:1001::4b, icmp_seq=0 hlim=64 time=0.960 ms
> 16 bytes from 2605:2600:1001::4b, icmp_seq=1 hlim=64 time=0.415 ms
>
> However TCP doesn't work. In fact, I could only ping by IP because the
> system couldn't connect to the DNS server, to get an address even though it
> could ping it.
>
> I guess my first question is does this seem doable? If so, what am I
> missing? Is it possible that a bhyve switch is more like a router?
>
> Thanks.
>
> --
> D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
> http://www.druid.net/darcy/                |  and a sheep voting on
> +1 416 788 2246 (DoD#0082)    (eNTP)       |  what's for dinner.
> IM: darcy@VybeNetworks.com, VoIP: sip:darcy@druid.net
>
> Disclaimer: By sending an email to ANY of my addresses you
> are agreeing that:
>
>  1. I am by definition, "the intended recipient".
>  2. All information in the email is mine to do with as I see
>     fit and make such financial profit, political mileage, or
>     good joke as it lends itself to. In particular, I may quote
>     it where I please.
>  3. I may take the contents as representing the views of
>     your company if I so wish.
>  4. This overrides any disclaimer or statement of
>     confidentiality that may be included or implied in
>     your message.

I usually configure my bridgeN device to have an IP and subnet that I
know won't be on any of the physical networks I care about. I'll then add
only the tapN..M devices that the bhyve VMs will use to that bridgeN.
I'll then use pf to NAT from that private network on bridgeN to the real
world.

==== BEGIN rc.conf ====
cloned_interfaces="bridge0 tap0 tap1"
ifconfig_bridge0="inet 192.168.254.1 netmask 255.255.255.0"
ifconfig_bridge0="${ifconfig_bridge0} addm tap0 addm tap1"
==== END rc.conf ====

==== BEGIN pf.conf ====
table <nats> counters { \
	192.168.254.0/24 \
}

scrub in all

nat on em0 from {<nats>} to any -> (em0)
nat on wlan0 from {<nats>} to any -> (wlan0)

pass in all
pass out all
==== END pf.conf ====

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
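The layout in Shawn's reply has three properties worth checking before the host goes live: the bridge's private subnet must not overlap any physical network the host is attached to, only tap devices should be bridge members (so the bridge never becomes an L2 extension of the physical LAN, which is the situation the original question ran into), and the pf NAT table should cover exactly that private subnet. The Python script below is an added example, not code from the post, from vm-bhyve or from HardenedBSD; it parses constructed copies of the two fragments above and audits them against hypothetical host interface addresses (PHYSICAL_IFACES and BAD_PHYSICAL_IFACES are assumptions, as are the finding strings).

```python
"""Audit a bhyve bridge/tap/pf-NAT layout for the properties described in the reply.

Added example, not from the mailing-list post. RC_CONF and PF_CONF are
constructed copies of the fragments in the reply; the physical interface
addresses are hypothetical sample data.
"""
import ipaddress
import re

RC_CONF = '''
cloned_interfaces="bridge0 tap0 tap1"
ifconfig_bridge0="inet 192.168.254.1 netmask 255.255.255.0"
ifconfig_bridge0="${ifconfig_bridge0} addm tap0 addm tap1"
'''

PF_CONF = r'''
table <nats> counters { \
        192.168.254.0/24 \
}

scrub in all

nat on em0 from {<nats>} to any -> (em0)
nat on wlan0 from {<nats>} to any -> (wlan0)

pass in all
pass out all
'''

# Hypothetical host addressing (assumption): physical networks disjoint from the bridge.
PHYSICAL_IFACES = {
    "em0": ipaddress.ip_interface("203.0.113.10/24"),
    "wlan0": ipaddress.ip_interface("192.168.1.20/24"),
}
# Constructed bad case: em0 lives on the same subnet the bridge was given.
BAD_PHYSICAL_IFACES = {
    "em0": ipaddress.ip_interface("192.168.254.5/24"),
    "wlan0": ipaddress.ip_interface("192.168.1.20/24"),
}


def parse_rc_ifconfig(text):
    """Collect ifconfig_<iface> values, expanding ${ifconfig_<iface>} references
    to earlier assignments the way sh does when rc.conf is sourced."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(ifconfig_\w+)="(.*)"\s*$', line)
        if not m:
            continue
        name, value = m.groups()
        value = re.sub(r"\$\{(\w+)\}", lambda r: values.get(r.group(1), ""), value)
        values[name] = value.strip()
    return values


def bridge_config(ifconfig_value):
    """Return (bridge network, [member interfaces]) from an ifconfig string."""
    tokens = ifconfig_value.split()
    network, members = None, []
    i = 0
    while i < len(tokens):
        if tokens[i] == "inet" and i + 3 < len(tokens) and tokens[i + 2] == "netmask":
            network = ipaddress.ip_interface(f"{tokens[i + 1]}/{tokens[i + 3]}").network
            i += 4
        elif tokens[i] == "addm" and i + 1 < len(tokens):
            members.append(tokens[i + 1])
            i += 2
        else:
            i += 1
    return network, members


def parse_pf_tables(text):
    """Return {table name: [networks]}, joining backslash-continued lines first."""
    joined = re.sub(r"\\\s*\n", " ", text)
    tables = {}
    for m in re.finditer(r"table\s+<(\w+)>[^{]*\{([^}]*)\}", joined):
        entries = [e for e in re.split(r"[\s,]+", m.group(2)) if e]
        tables[m.group(1)] = [ipaddress.ip_network(e, strict=False) for e in entries]
    return tables


def nat_tables_on_physical(text):
    """Return {iface: table name} for each 'nat on <iface> from {<table>}' rule."""
    return dict(re.findall(r"^nat on (\w+) from \{<(\w+)>\}", text, flags=re.M))


def audit(rc_text, pf_text, physical):
    """Return a list of findings; an empty list means the layout matches the reply's intent."""
    findings = []
    net, members = bridge_config(parse_rc_ifconfig(rc_text).get("ifconfig_bridge0", ""))
    if net is None:
        return ["bridge0 has no inet/netmask address"]
    for iface, addr in physical.items():
        if net.overlaps(addr.network):
            findings.append(f"bridge0 {net} overlaps {iface} {addr.network}")
        if iface in members:
            findings.append(f"physical interface {iface} is a member of bridge0")
    for member in members:
        if not member.startswith("tap"):
            findings.append(f"bridge0 member {member} is not a tap device")
    tables = parse_pf_tables(pf_text)
    for iface, table in nat_tables_on_physical(pf_text).items():
        if iface not in physical:
            findings.append(f"nat rule on unknown interface {iface}")
        covered = tables.get(table, [])
        if not any(net.subnet_of(n) for n in covered):
            findings.append(f"table <{table}> does not cover bridge0 {net}")
        for n in covered:
            if any(n.overlaps(a.network) for a in physical.values()):
                findings.append(f"table <{table}> entry {n} would NAT a physical network")
    return findings


if __name__ == "__main__":
    for label, ifaces in (("good", PHYSICAL_IFACES), ("bad", BAD_PHYSICAL_IFACES)):
        print(label, audit(RC_CONF, PF_CONF, ifaces) or "ok")
```

Running the script reports nothing for the disjoint layout and flags the overlap when a physical interface shares the bridge's subnet; the same overlap also makes the NAT table match real-LAN traffic, which the audit reports separately.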