Hi all,

Sorry for the noise. I found out that it was pf. When I tested with pf disabled, I had only ever disabled it on one side. Once I disabled it on both sides it worked. So now I need to figure out what exactly the issue is.
Thanks
Markus

> On 26. Nov 2022, at 11:19, Markus Wipp <mw@wipp.bayern> wrote:
>
> Hi all,
>
> I hope that someone here on the list could give me some hints on how I can
> make my setup work.
>
> I have the following setup:
>
> "Virtual server 1" is connected to "Virtual server 2" via egre over ipsec; on
> both sides I’m using a bridge and a vether interface.
> Both virtual servers are located at different hosters and have public IP
> addresses.
> Between them the mentioned private connection always comes up and works
> (I can ping 192.168.79.1 / 192.168.79.2 from each other).
>
> In addition I have my router at home which connects via separate egre over
> ipsec connections, each with a bridge and a vether interface,
> to each of the virtual servers. This router unfortunately has only a dynamic
> IPv4 address.
> The connection between the router and the virtual servers is for some reason
> not coming up completely.
> From my analysis so far it seems that the router bridge learns the MAC
> addresses of the remote virtual servers' vether interfaces, but for
> some reason the bridges on the virtual servers do not learn the address of
> the router's vether interface.
> tcpdump does show traffic coming into enc0, but it never reaches the bridge,
> even with pf disabled.
>
> As I can ping the interface with IP 192.168.66.1 from each of the virtual
> servers on the router, I’m leaving out the iked configuration.
> If this is needed I could also provide it.
>
> Find here the corresponding configurations of each of the machines:
>
> Virtual server 1:
> (Working between virtual server 1 and 2)
> /etc/hostname.bridge0
> add vether0
> add egre0
> up
>
> /etc/hostname.vether0
> mtu 1500
> inet 192.168.79.1/24
> up
>
> /etc/hostname.egre0
> mtu 1500 -tunneldf
> tunnel a.b.c.d w.x.y.z
> vnetid 12
> up
>
> (Not working between virtual server 1 and router)
> /etc/hostname.bridge2
> add vether1
> add egre1
> up
>
> /etc/hostname.vether1
> mtu 1500
> inet 192.168.80.1/24
> up
>
> /etc/hostname.egre1
> mtu 1500 -tunneldf
> tunnel a.b.c.d 192.168.66.1
> vnetid 31
> up
>
> Virtual server 2:
> (Working between virtual server 1 and 2)
> /etc/hostname.bridge0
> add vether0
> add egre0
> up
>
> /etc/hostname.vether0
> mtu 1500
> inet 192.168.79.2/24
> up
>
> /etc/hostname.egre0
> mtu 1500 -tunneldf
> tunnel w.x.y.z a.b.c.d
> vnetid 12
> up
>
> (Not working between virtual server 1 and router)
> /etc/hostname.bridge2
> add vether2
> add egre2
> up
>
> /etc/hostname.vether2
> mtu 1500
> inet 192.168.81.1/24
> up
>
> /etc/hostname.egre2
> mtu 1500 -tunneldf
> tunnel w.x.y.z 192.168.66.1
> vnetid 32
> up
>
> Router:
> /etc/hostname.bridge0
> add vether1
> add egre1
> up
>
> /etc/hostname.vether1
> mtu 1500
> inet 192.168.80.2/24
> up
>
> /etc/hostname.egre1
> mtu 1500 -tunneldf
> tunnel 192.168.66.1 a.b.c.d
> vnetid 31
> up
>
> /etc/hostname.bridge2
> add vether2
> add egre2
> up
>
> /etc/hostname.vether2
> mtu 1500
> inet 192.168.81.2/24
> up
>
> /etc/hostname.egre2
> mtu 1500 -tunneldf
> tunnel 192.168.66.1 w.x.y.z
> vnetid 32
> up
>
> As an example I provide here the output of ifconfig for the relevant
> interfaces on virtual server 1 (IPv6 stuff removed):
>
> vio0: flags=e08843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6,INET6_NOSOII,AUTOCONF4> mtu 1500
>         lladdr 56:00:03:8c:96:8c
>         index 1 priority 0 llprio 3
>         groups: egress
>         media: Ethernet autoselect
>         status: active
>         inet a.b.c.d netmask 0xfffffe00 broadcast 199.247.3.255
>
> enc0: flags=41<UP,RUNNING>
>         index 2 priority 0 llprio 3
>         groups: enc
>         status: active
>
> bridge0: flags=41<UP,RUNNING> mtu 1500
>         index 4 llprio 3
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         egre0 flags=3<LEARNING,DISCOVER>
>                 port 6 ifpriority 0 ifcost 0
>         vether0 flags=3<LEARNING,DISCOVER>
>                 port 8 ifpriority 0 ifcost 0
>
> bridge2: flags=41<UP,RUNNING> mtu 1500
>         index 5 llprio 3
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         egre1 flags=3<LEARNING,DISCOVER>
>                 port 12 ifpriority 0 ifcost 0
>         vether1 flags=3<LEARNING,DISCOVER>
>                 port 9 ifpriority 0 ifcost 0
>
> egre0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d0:b9:3c
>         index 6 priority 0 llprio 3
>         encap: vnetid 12 txprio 0 rxprio packet
>         groups: egre
>         tunnel: inet a.b.c.d --> w.x.y.z ttl 64 nodf
>
> vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d2:eb:05
>         index 8 priority 0 llprio 3
>         groups: vether
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.79.1 netmask 0xffffff00 broadcast 192.168.79.255
>
> vether1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d3:94:e9
>         index 9 priority 0 llprio 3
>         groups: vether
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.80.1 netmask 0xffffff00 broadcast 192.168.80.255
>
> egre1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d4:c5:8f
>         index 12 priority 0 llprio 3
>         encap: vnetid 31 txprio 0 rxprio packet
>         groups: egre
>         tunnel: inet a.b.c.d --> 192.168.66.1 ttl 64 nodf
>
> And here the router side (IPv6 stuff removed):
>
> em0: flags=808b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
>         lladdr 00:0d:b9:44:ec:dc
>         description: External Connection 1 Cable
>         index 1 priority 0 llprio 3
>         groups: egress
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet e.f.g.h netmask 0xffffff00 broadcast 95.89.130.255
>
> enc0: flags=41<UP,RUNNING>
>         index 4 priority 0 llprio 3
>         groups: enc
>         status: active
>
> bridge0: flags=41<UP,RUNNING> mtu 1500
>         index 6 llprio 3
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         designated: id 00:00:00:00:00:00 priority 0
>         egre1 flags=3<LEARNING,DISCOVER>
>                 port 8 ifpriority 0 ifcost 0
>         vether1 flags=3<LEARNING,DISCOVER>
>                 port 14 ifpriority 0 ifcost 0
>         Addresses (max cache: 100, timeout: 240):
>                 fe:e1:ba:d3:94:e9 egre1 1 flags=0<>
>
> bridge2: flags=41<UP,RUNNING> mtu 1500
>         index 36 llprio 3
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         designated: id 00:00:00:00:00:00 priority 0
>         egre2 flags=3<LEARNING,DISCOVER>
>                 port 9 ifpriority 0 ifcost 0
>         vether2 flags=3<LEARNING,DISCOVER>
>                 port 15 ifpriority 0 ifcost 0
>         Addresses (max cache: 100, timeout: 240):
>                 fe:e1:ba:d3:42:9c egre2 1 flags=0<>
>
> egre1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d0:dc:c9
>         index 8 priority 0 llprio 3
>         encap: vnetid 31 txprio 0 rxprio packet
>         groups: egre
>         tunnel: inet 192.168.66.1 --> a.b.c.d ttl 64 nodf
>
> egre2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d1:4f:4c
>         index 9 priority 0 llprio 3
>         encap: vnetid 32 txprio 0 rxprio packet
>         groups: egre
>         tunnel: inet 192.168.66.1 --> w.x.y.z ttl 64 nodf
>
> vether1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d2:ac:6b
>         index 14 priority 0 llprio 3
>         groups: vether
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
>
> vether2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d3:80:aa
>         index 15 priority 0 llprio 3
>         groups: vether
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.81.2 netmask 0xffffff00 broadcast 192.168.81.255
>
> Doing a tcpdump when pinging from the router to a virtual server, I see ARP
> requests on enc0 but no responses; the traffic never shows up on bridge2
> (even with pf disabled):
>
> tcpdump -nvveei enc0 host e.f.g.h
> tcpdump: listening on enc0, link-type ENC
> 11:11:46.538947 (authentic,confidential): SPI 0xb20636b0: e.f.g.h > a.b.c.d: e.f.g.h > a.b.c.d: gre [K] 6558 key=31|0+1f fe:e1:ba:d2:ac:6b > ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.80.1 tell 192.168.80.2 (ttl 64, id 46024, len 70) (ttl 54, id 49233, len 90)
>
> Many thanks for any hints that could help me make this work!
>
> Best regards
> Markus
signature.asc
Description: Message signed with OpenPGP
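One way to pin the remaining pf question down without leaving pf disabled on either side is a rule set that passes exactly the layers this setup needs and logs everything else. The following pf.conf fragment for "virtual server 1" is an added example for this thread, not Markus's configuration or anything posted on the list: the interface names (vio0, enc0, egre0/egre1, vether0/vether1), the address placeholders (a.b.c.d, w.x.y.z, 192.168.66.1) and the overlay subnets are taken from the configs quoted above; the rule set itself, its ordering and the macro names are my assumptions about a workable policy. It rests on two facts about pf: pf filters IP only, so the ARP seen on enc0 is never judged by pf itself, what pf decides on enc0 is whether the GRE packet carrying that frame may pass (a block there makes the ARP vanish before it ever reaches bridge2); and a state created on vio0 is not what a GRE packet on enc0 matches, so enc0 gets its own, interface-bound states.

```pf
# Added example pf.conf fragment for "virtual server 1" (not from the thread).
# Interface names and address placeholders come from the quoted configs; the
# policy and macro names below are assumptions.

ext_if     = "vio0"
me         = "a.b.c.d"        # placeholder: public address of virtual server 1
peer_vs2   = "w.x.y.z"        # placeholder: public address of virtual server 2
router_tun = "192.168.66.1"   # router's IPsec-side tunnel endpoint
overlay    = "{ 192.168.79.0/24, 192.168.80.0/24 }"

set skip on lo0
block log all                 # default deny, and log every drop to pflog0

# IKE and ESP on the public interface. The home router has a dynamic address,
# so its source cannot be pinned here; authentication of the peer is iked's job.
pass in  quick on $ext_if proto udp to $me port { 500, 4500 }
pass in  quick on $ext_if proto esp to $me
pass out quick on $ext_if proto { udp, esp } from $me

# Decapsulated IPsec traffic shows up on enc0 with the inner IP header. Only
# the GRE carrier between the configured tunnel endpoints is needed there, and
# its state is bound to enc0 so it cannot be confused with a vio0 state.
pass in  on enc0 proto gre from { $router_tun, $peer_vs2 } to $me keep state (if-bound)
pass out on enc0 proto gre from $me to { $router_tun, $peer_vs2 } keep state (if-bound)

# IP traffic crossing the bridge members is also run through pf on those
# interfaces; pass the overlay subnets between the egre and vether ports.
pass on { egre0, egre1, vether0, vether1 } from $overlay to $overlay
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and repeat the ping from the router while watching `tcpdump -n -e -ttt -i pflog0` on the virtual server: because the default rule logs, any GRE packet that pf still refuses on enc0 shows up there with the rule number that dropped it, which is far more informative than comparing `pfctl -d` on one side against both. The same fragment, with the endpoints swapped, applies to virtual server 2 and, with em0 as `$ext_if`, to the router.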