On Mon, Oct 19, 2020 at 10:02:17PM -0400, D'Arcy Cain wrote:
> I am using bhyve with vm-bhyve.  I am trying to set up a virtual network
> with multiple hosts.  The idea is that a VM would be on the same virtual
> network no matter which actual host it is on.
> 
> Say I have a public network a.b.c.0/24.  I thought I could create a switch
> on a host.  The host would be a.b.c.1 and the VMs would be a.b.c.100 and
> a.b.c.101.  The idea would be that the VMs would appear on the real network.
> Then the 101 VM could migrate to a.b.c.2 and still be accessible.  I
> envisioned some sort of proxy arp would happen so that every VM would simply
> announce itself wherever it was.
> 
> This did seem to work in that I could ping from the VM:
> 
> # ping 8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> 64 bytes from 8.8.8.8: icmp_seq=0 ttl=114 time=1.734 ms
> 
> Even IPv6:
> 
> # ping6 2605:2600:1001::4b
> PING6(56=40+8+8 bytes) 2605:2600:1001::4 --> 2605:2600:1001::4b
> 16 bytes from 2605:2600:1001::4b, icmp_seq=0 hlim=64 time=0.960 ms
> 16 bytes from 2605:2600:1001::4b, icmp_seq=1 hlim=64 time=0.415 ms
> 
> However TCP doesn't work.  In fact, I could only ping by IP because the
> system couldn't connect to the DNS server, to get an address even though it
> could ping it.
> 
> I guess my first question is does this seem doable?  If so, what am I
> missing?  Is it possible that a bhyve switch is more like a router?
> 
> Thanks.
> 
> -- 
> D'Arcy J.M. Cain <da...@druid.net>         |  Democracy is three wolves
> http://www.druid.net/darcy/                |  and a sheep voting on
> +1 416 788 2246     (DoD#0082)    (eNTP)   |  what's for dinner.
> IM: da...@vybenetworks.com, VoIP: sip:da...@druid.net
> 
> Disclaimer: By sending an email to ANY of my addresses you
> are agreeing that:
> 
> 1.  I am by definition, "the intended recipient".
> 2.  All information in the email is mine to do with as I see
>     fit and make such financial profit, political mileage, or
>     good joke as it lends itself to. In particular, I may quote
>     it where I please.
> 3.  I may take the contents as representing the views of
>     your company if I so wish.
> 4.  This overrides any disclaimer or statement of
>     confidentiality that may be included or implied in
>     your message.

I usually configure my bridgeN device to have an IP and subnet that I
know won't be on any of the physical networks I care about. I'll then
add only the tapN..M devices that the bhyve VMs will use to that
bridgeN. I'll then use pf to NAT from that private network on bridgeN
to the real world.

==== BEGIN rc.conf ====
# The host routes between bridge0 and the uplink, so IP forwarding must be
# on; without it the NATed VM traffic never leaves the host.
gateway_enable="YES"
pf_enable="YES"

cloned_interfaces="bridge0 tap0 tap1"

# bridge0 carries only the VM taps, on a subnet that exists nowhere else
ifconfig_bridge0="inet 192.168.254.1 netmask 255.255.255.0"
ifconfig_bridge0="${ifconfig_bridge0} addm tap0 addm tap1 up"
==== END rc.conf ====

==== BEGIN pf.conf ====
# VM subnet(s) eligible for NAT; "counters" keeps per-address packet/byte stats
table <nats> counters { \
    192.168.254.0/24 \
}

scrub in all

# Translate VM traffic to whichever uplink it leaves on; the parentheses make
# pf track the interface's current address instead of fixing it at load time
nat on em0 from {<nats>} to any -> (em0)
nat on wlan0 from {<nats>} to any -> (wlan0)

# No filtering beyond NAT: everything is allowed in both directions
pass in all
pass out all
==== END pf.conf ====

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

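The pf.conf above deliberately stops at NAT and passes everything. The ruleset below is an added example, not from the thread or from HardenedBSD, showing the same bridge0/NAT layout with a default-deny policy, source-address pinning on the VM side, and an rdr so one VM is reachable from the real network (the original poster's goal) without proxy ARP. It assumes em0 is the uplink, bridge0 is 192.168.254.1/24 with the taps as members, the host runs a resolver and NTP for the VMs, and 192.168.254.100 is the VM to expose; all names and addresses are placeholders.

```pf
# Added example ruleset (not from the thread).  Assumed names/addresses:
ext_if = "em0"              # uplink
vm_if  = "bridge0"          # host side of the VM bridge
vm_net = "192.168.254.0/24" # subnet that exists only on bridge0
ssh_vm = "192.168.254.100"  # VM to expose on host port 2222

table <vms> counters { $vm_net }

set skip on lo0
scrub in all

# Outbound NAT for the VM subnet only; nothing else is translated
nat on $ext_if from <vms> to any -> ($ext_if)

# Expose one VM service: uplink:2222 -> VM:22.  This replaces the proxy-ARP
# idea: the VM keeps its private address and only the host is on the real net.
rdr on $ext_if proto tcp from any to ($ext_if) port 2222 -> $ssh_vm port 22

# Default deny, logged
block log all

# A VM may only send from an address in the VM subnet (no spoofing the host
# or the uplink network from inside a guest)
block in quick on $vm_if from ! <vms> to any

# VMs may talk to the host only for DNS and NTP; any other host service is
# denied before the general pass rule below
pass in quick on $vm_if proto { tcp udp } from <vms> to ($vm_if) port domain
pass in quick on $vm_if proto udp from <vms> to ($vm_if) port ntp
block in quick on $vm_if from <vms> to self

# VMs may reach anything that is not the VM subnet itself (goes out via NAT)
pass in on $vm_if from <vms> to ! $vm_net
pass out on $vm_if from any to <vms>

# Uplink side: host SSH, plus the redirected VM port.  Note the filter sees
# the post-rdr destination, so the rule matches the VM address, not port 2222.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh
pass in on $ext_if proto tcp from any to $ssh_vm port 22

# Everything leaving the uplink carries the uplink address after NAT, so one
# rule covers both host-originated and translated VM traffic
pass out on $ext_if from ($ext_if) to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm `sysctl net.link.bridge.pfil_bridge` is 1 so the bridge0 rules actually see guest traffic (the default has differed between releases; treat this as something to verify rather than assume). Because the translation happens before filtering on the way out and after filtering on the way in, rules on em0 must be written against the translated addresses, which is why the pass-out rule matches `($ext_if)` rather than `<vms>`. The ruleset only handles IPv4; the IPv6 pings in the original message work because no NAT is involved, and a comparable v6 policy would need its own block/pass rules.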