Hello, I've been struggling to resolve an odd networking issue. Initially I expected it was an npf.conf misconfiguration, but that conf has been pared down to almost nothing, yet when I load the config, networking stops. Now I suspect the issue is a vswitch breaking the TCP cksum, but I'm not sure why that would only be an issue when npfctl is enabled.

Here is the network: port forwarding from the lan gw reaches the srv vm, which forwards the connection on to the main.grdn vm via a walled-garden network 10.8.1.0/24 (on the grdn vswitch). Additionally, the srv vm provides a gw. So external access to main.grdn, and to additional nodes from there, is possible while keeping the 192.168.50.0/24 network inaccessible.

  + 192.168.50.1 lan gw
  |
  + 192.168.50.192 admin-laptop
  |
  synology DSM 7.2 (NAS and hypervisor)
  |
  + 192.168.50.3 vioif0 -(NetBSD srv 9.2 vm)- 10.8.1.3 vioif1 -(grdn vswitch)
                                                               (grdn vswitch)
                                                               |
                                                               + 10.8.1.1 vioif main.grdn
                                                               |
                                                               + 10.8.1.11 vioif node01.grdn

sysctl.conf:

  net.inet.ip.forwarding=1
  net.inet6.ip6.forwarding=1

npfctl validate:

  procedure "log"

  group "ext" on vioif0 {
      pass stateful in all
      pass stateful out all
  }

  group "grdn" on vioif1 {
      pass in final all
      pass out final all
  }

  group default {
      pass final on lo0 all
      pass final on vioif0 all
      pass final on vioif1 all
  }

When I npfctl start, I lose my ssh connection, and must use the hypervisor console to npfctl stop. I find this in the logs, after attempting to reconnect ssh:

  tail -c50000 -F /var/log/npflog0.pcap | tcpdump --immediate-mode -vvv -Ir -

  21:36:30.598736 IP (tos 0x48, ttl 64, id 59850, offset 0, flags [DF], proto TCP (6), length 112, bad cksum 14 (->6a61)!)
      192.168.50.3.ssh > 192.168.50.192.55695: Flags [P.], seq 2291708002:2291708062, ack 2004118541, win 4197, options [nop,nop,TS val 89 ecr 266063492], length 60
  21:36:30.599884 IP (tos 0x48, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 14 (->5468)!)
      192.168.50.3.ssh > 192.168.50.192.55695: Flags [F.], cksum 0xe63a (incorrect -> 0xab2b), seq 60, ack 1, win 4197, options [nop,nop,TS val 89 ecr 266063492], length 0
  21:36:31.585339 IP (tos 0x48, ttl 64, id 10000, offset 0, flags [DF], proto TCP (6), length 224, bad cksum 14 (->2cac)!)
      192.168.50.3.ssh > 192.168.50.192.55695: Flags [FP.], seq 4294967184:60, ack 1, win 4197, options [nop,nop,TS val 91 ecr 266063492], length 172
  21:36:33.587137 IP (tos 0x48, ttl 64, id 28093, offset 0, flags [DF], proto TCP (6), length 224, bad cksum 14 (->e5fe)!)
      192.168.50.3.ssh > 192.168.50.192.55695: Flags [FP.], seq 4294967184:60, ack 1, win 4197, options [nop,nop,TS val 95 ecr 266063492], length 172
  21:36:37.590689 IP (tos 0x48, ttl 64, id 2248, offset 0, flags [none], proto TCP (6), length 224, bad cksum 14 (->8af4)!)
      192.168.50.3.ssh > 192.168.50.192.55695: Flags [FP.], seq 4294967184:60, ack 1, win 4197, options [nop,nop,TS val 103 ecr 266063492], length 172

With npf stopped, ssh from admin-laptop to srv, and on to main.grdn, works fine.

Could this be something besides a vswitch software issue? What should I try?

Thanks!
-George

-- 
George Georgalis, (415) 894-2710, http://www.galis.org/