On 27 Sep 2019, at 13:31, Alexander N. Lunev via freebsd-net wrote:

Hello everyone!

I have a strange connectivity problem on jails with VNET networking.

I've deployed a jail system with VNET networking on a server with FreeBSD 12.0-RELEASE-p10. Jails are working fine, can reach the outer network and each other, but there's no connectivity between host and jails.

Server is connected to a switch trunk port by the igb1 interface, which is bridged with the epairXa interfaces in bridge0, while the jails use the epairXb interfaces (they are renamed to jail0 in each jail to simplify things).


=======  host =============================
    [igb1]-----------------------\
       |                     +---------+
 [vlan4 (10.1.1.247)]        |         |
                             | bridge0 |
 /--[epair1a]----------------|         |
/                            +---------+
| /-[epair0a]--------------------/
| |
=====  jail1_filter2 ======================
| \-[jail0(ex-epair0b)]
|     |
|     [vlan4 (10.1.1.26)]
=====  jail2_noc ==========================
\-[jail0(ex-epair1b)]
    |
    [vlan4 (10.1.1.201)]
===========================================


On the host and in every jail I have a vlan4 interface, and here are the addresses for those vlan4 interfaces:

host@vlan4:          10.1.1.247
jail1_filter2@vlan4: 10.1.1.26
jail2_noc@vlan4:     10.1.1.201

Host can't ping jails, but can ping the outer world. Jails can ping each other and the outer world, but not the host - "ping: sendto: Host is down", there's no ARP entry for the host's vlan4 address.

I've tried to add a static ARP entry for 10.1.1.247 in the jails - with no success (the entry is added, network still not working).

Host and both jails have firewall_type=OPEN configured.

What is wrong here?


I believe the problem here is not jail specific at all. I’d assume the same would happen in other scenarios where you bridge on the host to another interface.

I am assuming the VLAN interface output routine calls the igb1 output routine and the bridge never sees that packet but I haven’t looked at the vlan code in a long time.

My best guess would be to try to create the VLAN interface on the host upon the bridge and not upon the physical interface. Can you try that and see if that works?


/bz
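The layout change suggested above, as an added example that is not from the thread: two constructed rc.conf fragments, the original layout (vlan4 on igb1) beside the proposed one (vlan4 on bridge0), plus a small check that flags any VLAN interface whose vlandev is itself a bridge member and so hands host-originated frames to the NIC behind the bridge's back. The rc.conf keys follow FreeBSD's rc.conf(5) syntax; the addresses are the ones from the post, and the epair names are assumed.

```shell
#!/bin/sh
# Constructed rc.conf fragment (not from the thread): vlan4 sits on igb1,
# the physical NIC that is also a bridge0 member.
RC_BEFORE='cloned_interfaces="bridge0 vlan4"
ifconfig_igb1="up"
ifconfig_bridge0="addm igb1 addm epair0a addm epair1a up"
ifconfig_vlan4="vlan 4 vlandev igb1 inet 10.1.1.247/24"'

# Same fragment with vlan4 moved onto bridge0, as suggested in the reply,
# so tagged frames from the host enter the bridge and reach the epairs.
RC_AFTER='cloned_interfaces="bridge0 vlan4"
ifconfig_igb1="up"
ifconfig_bridge0="addm igb1 addm epair0a addm epair1a up"
ifconfig_vlan4="vlan 4 vlandev bridge0 inet 10.1.1.247/24"'

# bridge_members <rc-text>: print every interface added with "addm" on any
# ifconfig_bridgeN line, one per line.
bridge_members() {
    printf '%s\n' "$1" |
        sed -n 's/^ifconfig_bridge[0-9]*="\(.*\)"$/\1/p' |
        tr ' ' '\n' |
        awk '$0 == "addm" { getline; print }'
}

# check_vlan_parents <rc-text>: print "vlanX vlandev IFACE" for each VLAN
# interface whose parent is itself a bridge member (the bypass case).
# Prints nothing when the configuration is consistent.
check_vlan_parents() {
    members=$(bridge_members "$1")
    printf '%s\n' "$1" |
        sed -n 's/^ifconfig_\(vlan[0-9]*\)=".*vlandev \([^ "]*\).*$/\1 vlandev \2/p' |
        while read -r vif _ parent; do
            for m in $members; do
                if [ "$m" = "$parent" ]; then
                    echo "$vif vlandev $parent"
                fi
            done
        done
}

check_vlan_parents "$RC_BEFORE"   # reports: vlan4 vlandev igb1
check_vlan_parents "$RC_AFTER"    # reports nothing
```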
