From: "Dayne Miller" <dayne.miller@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Mon, 4 Jun 2007 16:41:24 -0700
Message-ID: <1810bab50706041641o5f696b20r450883f40e9897f9@mail.gmail.com>
Subject: ipfw+dummynet bridging (VMware guests)
List: freebsd-ipfw@freebsd.org (IPFW Technical Discussions)
Hello-

I'm hoping someone can help. I have a configuration that I *think* is simple and should "just work", but so far I'm having no luck. It's possible this belongs on another list or forum entirely -- if it ends up being a VMware config issue -- but for now I'm operating under the assumption that I have dummynet set up incorrectly.

The infrastructure for this is VMware ESX Server 3.0.1. I have the following VLANs/tags set up within the virtual switch:

    vlan 1010 "vm_admin"
    vlan 1020 "vm_server"
    vlan 1201 "vm_perf"

(These are non-contiguous numbers for some unimportant legacy reasons.)

My goal is to use a FreeBSD 6.2-STABLE VM as a "WAN emulator"; I want clients on VLAN 1201 to be bridged into VLAN 1020, where I've placed several virtual servers. VLAN 1010 is for administrative interfaces; I gave the FreeBSD VM an IP address on the virtual interface homed on that network.

My /etc/rc.conf looks like this:

    hostname="dummy00.demo.local"
    ifconfig_em0="inet 172.27.222.25 netmask 255.255.255.128"
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em1 addm em2 up"
    ifconfig_em1="up"
    ifconfig_em2="up"
    sshd_enable="yes"
    firewall_enable="yes"
    firewall_script="/usr/local/etc/dummy00.default"
    firewall_logging="yes"

The 'dummy00.default' script is:

    #!/bin/sh
    ipfw -q -f flush
    cmd="ipfw -q add"
    admif="em0"
    clientif="em1"
    serverif="em2"
    $cmd 00005 allow all from any to any via $admif
    $cmd 00010 allow all from any to any via lo0
    $cmd 00100 check-state
    $cmd 01000 pipe 1 ip from any to any bridged
    ipfw -q pipe 1 config
    $cmd 65000 allow ip from any to any setup keep-state
    $cmd 65100 allow log ip from any to any

(I'll add characteristics to the pipe later, I just want it to work first... And I realize this is not the most efficient ruleset, but again, I want to get it simply passing traffic first, then I'll worry about details.)

My /etc/sysctl.conf looks like this:

    net.inet.ip.fw.one_pass=0
    net.link.bridge.ipfw=1

Finally, the relevant sections of my kernel config file are:

    device if_bridge
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options DUMMYNET

I have a very recent version of VMware Tools running.

As a non-bridging (i.e. routing) dummynet VM, this has worked well. I cloned a working VM, added the 'options if_bridge' and other relevant things and recompiled the kernel as required. Now I can't seem to get packets to pass...

I have this setup, if you can forgive the ASCII diagram:

    (client 10.133.20.119)
            |
            |
       [vlan 1201]
            |
            |em1
    (FreeBSD 6.2-STABLE)em3--[VLAN 1010 -- 172.27.222/25]
            |em2
            |
       [vlan 1020]
            |
            |
    (servers 10.133.20.x/24)

The client is unable to connect to any server resources (nor can the servers connect to the client, of course). I've made sure the client has all the correct IP parameters. If I change the client VM config within VMware so that the interface is on the server VLAN, with no other changes, all works correctly.

On the dummynet box, a point-in-time 'ipfw show' gives:

    00005   42   3360 allow ip from any to any via em0
    00010    0      0 allow ip from any to any via lo0
    00100    0      0 check-state
    01000  159  26719 pipe 1 ip from any to any layer2
    65000    0      0 allow ip from any to any setup keep-state
    65100  477  80157 allow log logamount 1 ip from any to any
    65535    0      0 allow ip from any to any

I can get the rules at 1000 and 65100 to increment just by attempting to pass traffic from client to server or vice versa. However, since there are no deny rules, I'm unsure what's happening to the packets after they hit the bridge -- they are definitely NOT making it as far as the destination server(s).

Any suggestions for troubleshooting, or configuration changes? I thought I had all of the basics taken care of, but apparently not.

Thanks in advance-
-Dayne
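As an added example, not part of the original post or any reply to it, here is how the pipe characteristics the poster says they will add later could be parameterised for the same bridge layout. It assumes the interface names from the post (em0/em1/em2), assumed WAN figures of 1536 Kbit/s, 40 ms and 1% loss, and uses one dummynet pipe per direction (selected with `in via`, an assumption about how the bridged frames are seen by ipfw) so that bandwidth and delay are not shared between the two directions. With net.inet.ip.fw.one_pass=0, as in the poster's sysctl.conf, a packet that has passed through a pipe re-enters the ruleset at the rule after the pipe rule, so the trailing allow rule is what finally accepts it.

```shell
#!/bin/sh
# Added example: ipfw + dummynet ruleset for a bridging WAN emulator.
# Not the original poster's script. Interface names, bandwidth, delay
# and loss figures below are assumed values; override them via the
# environment. Needs root, the IPFIREWALL/DUMMYNET kernel options,
# net.link.bridge.ipfw=1 and net.inet.ip.fw.one_pass=0.

ADMIF="${ADMIF:-em0}"        # admin interface, VLAN 1010 in the post
CLIENTIF="${CLIENTIF:-em1}"  # bridge member facing the clients
SERVERIF="${SERVERIF:-em2}"  # bridge member facing the servers
BW="${BW:-1536Kbit/s}"       # assumed link rate, each direction
DELAY="${DELAY:-40ms}"       # assumed one-way delay
PLR="${PLR:-0.01}"           # assumed packet loss rate (1%)

# Print the ipfw command lines, one per line, without running them.
# Rule 01000 pipes client->server frames, 01010 server->client; both are
# restricted to layer2 (bridged) traffic like the poster's rule 01000.
wan_rules() {
  cat <<EOF
ipfw -q -f flush
ipfw -q pipe flush
ipfw -q pipe 1 config bw $BW delay $DELAY plr $PLR
ipfw -q pipe 2 config bw $BW delay $DELAY plr $PLR
ipfw -q add 00005 allow ip from any to any via $ADMIF
ipfw -q add 00010 allow ip from any to any via lo0
ipfw -q add 01000 pipe 1 ip from any to any in via $CLIENTIF layer2
ipfw -q add 01010 pipe 2 ip from any to any in via $SERVERIF layer2
ipfw -q add 65100 allow ip from any to any
EOF
}

# Execute the rules, or with DRYRUN=1 just print them for review.
apply_wan_rules() {
  wan_rules | while IFS= read -r cmd; do
    if [ "${DRYRUN:-0}" = "1" ]; then
      printf '%s\n' "$cmd"
    else
      eval "$cmd" || exit 1
    fi
  done
}

# Number of "add ... pipe" rules; two means each direction has its own pipe.
pipe_rule_count() {
  wan_rules | grep -c ' add [0-9]* pipe '
}

# Run in dry-run mode when invoked directly without root, so the generated
# ruleset can be inspected on any machine.
if [ "$(id -u)" != "0" ]; then
  DRYRUN=1
fi
apply_wan_rules
```

Run it as root on the emulator to install the rules, or as an unprivileged user anywhere to print them; `ipfw pipe show` afterwards should list two pipes with the configured bw/delay/plr, and `ipfw show` should show both 01000 and 01010 incrementing when traffic crosses the bridge.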