Hi everyone, I am running a Debian Wheezy host with the following setup:

bridge br0 - 192.168.133.100 - contains:
  1) physical LAN interface of Host
  2) virtual LAN interface of pfSense guest - 192.168.133.1

bridge br1 - 192.168.0.41 (DHCP) - contains:
  1) physical WAN interface of Host
  2) virtual WAN interface of pfSense guest - 192.168.0.197 (DHCP)

bridge br2 - no IP - contains:
  1) virtual DMZ interface of pfSense guest - 172.16.0.2
  2) virtual DMZ interface of a Debian Wheezy guest - 172.16.0.110

The system is set up in a way that once the network is configured and up, a route is added to br0:

  route add -net 172.16.0.0/12 gw 192.168.133.1

This works all fine and dandy as long as I'm not using virtio:

  *** Welcome to pfSense 2.1.3-RELEASE-pfSense (i386) on cora ***

   LAN (lan)  -> em1 -> v4: 192.168.133.1/24
   WAN (wan)  -> em0 -> v4/DHCP4: 192.168.0.197/24
   DMZ (opt1) -> em2 -> v4: 172.16.0.2/12
  [...]

I can connect from any client on the LAN to 192.168.133.1 as well as from the host (192.168.133.100) itself. I can also connect from any client on the LAN to 172.16.0.110 (due to 192.168.133.1 being set as the default gateway on the clients) as well as from the host (192.168.133.100) itself (due to the added route). Also, traffic between LAN, WAN and DMZ works just as expected per the rules set in pfSense.

Now, as soon as I change everything to use virtio, following the guidelines on https://doc.pfsense.org/index.php/VirtIO_Driver_Support and making the corresponding changes in the guest config file on the host (/etc/libvirt/qemu/pfsense.xml), things look like this:

  *** Welcome to pfSense 2.1.3-RELEASE-pfSense (i386) on cora ***

   LAN (lan)  -> vtnet1 -> v4: 192.168.133.1/24
   WAN (wan)  -> vtnet0 -> v4/DHCP4: 192.168.0.197/24
   DMZ (opt1) -> vtnet2 -> v4: 172.16.0.2/12

I can connect from any client on the LAN to 192.168.133.1 as well as from the host (192.168.133.100) itself. I can also connect from any client on the LAN to 172.16.0.110 (due to 192.168.133.1 being set as the default gateway on the clients).

BUT: I cannot connect to 172.16.0.110 from the host (192.168.133.100) itself any more. As soon as I delete the route and manually assign 172.168.0.111 to bridge br2 of the host, I can connect to 172.16.0.110 again. Obviously, that's not what I want to do in production - it was just an attempt to debug the issue. Still, the remaining traffic between LAN, WAN and DMZ works just as expected per the rules set in pfSense.

Any ideas as to what might be wrong? Is it a pfSense issue, a Debian Linux issue, a kvm issue, a virtio issue? If you need more info to debug this, just let me know.

After changing the config from non-virtio to virtio, I rebooted the entire host, to be sure that there's no spanning tree/MAC address detection issue or something like that. Still, the result is as described above. It is also repeatable - fall back to the old config, everything works, switch to the new one, issue as described above appears.

-Stefan