Hello misc,

Problem

A physical server with a switch (add em0 up) cannot access the internet. However, the same host with a bridge (add em0 up) can access the internet.

Steps

$ ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 22:22:22:22:22:22
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 20.20.20.20 netmask 0xffffff00 broadcast 20.20.20.255
...

$ doas route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            20.20.20.1         UGS        0     1XXX     -     8 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        X 32768     1 lo0
20.20.20/24        20.20.20.20        UCn        1      9XX     -     4 em0
20.20.20.1         33:33:33:33:33:33  UHLch      1     1XXX     -     3 em0
20.20.20.20        44:44:44:44:44:44  UHLl       0        X     -     1 em0
20.20.20.255       20.20.20.20        UHb        0        0     -     1 em0

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=61 time=x.xxx ms
...

$ doas ifconfig switch0 create
$ doas ifconfig switch0 add em0
$ doas ifconfig switch0 up

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
31 packets transmitted, 0 packets received, 100.0% packet loss

$ ifconfig
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 22:22:22:22:22:22
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 20.20.20.20 netmask 0xffffff00 broadcast 20.20.20.255
switch0: flags=41<UP,RUNNING>
        index 6 llprio 3
        groups: switch
        datapath xxxxxxxxxxxxxxxxxx maxflow 10000 maxgroup 1000
        em0 flags=0<>
                port 1 ifpriority 0 ifcost 0
...

$ doas route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            20.20.20.1         UGS        0     1XXX     -     8 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        X 32768     1 lo0
20.20.20/24        20.20.20.20        UCn        1      9XX     -     4 em0
20.20.20.1         33:33:33:33:33:33  UHLch      1     1XXX     -     3 em0
20.20.20.20        44:44:44:44:44:44  UHLl       0        X     -     1 em0
20.20.20.255       20.20.20.20        UHb        0        0     -     1 em0

$ doas ifconfig switch0 destroy

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=61 time=x.xxx ms

Repeating the above steps with bridge0 does let the ping pass through after the bridge is brought up. The only delta between the switch and bridge output is in the ifconfig.

$ ifconfig
bridge0: flags=41<UP,RUNNING>
        index 8 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rtsp
        em0 flags=3<LEARNING,DISCOVER>
                port 1 ifpriority 0 ifcost 0
...

I have run "doas route -n monitor" in a separate session while doing this. However, I cannot comprehend the output.

pf is not involved - running tcpdump -nettti pflog0 with the catchall "block log" produces the normal output of blocked packets with the bridge. However, it stops producing the normal output of blocked packets with the switch. Once the switch is destroyed, it is back to normal blocked packets output.

What am I doing wrong/missing? The only thing that stands out to me is the em0 flags=0<> line in the ifconfig for the switch. And I do not know what to make of it.

Regards,
ab

---------|---------|---------|---------|---------|---------|---------|--