Hi,

at the moment I am trying to debug an issue with a KVM-virtualized
firewall appliance (pfsense) and think I need some help.

Currently, I am trying to replace my vendor-supplied and otherwise
crappy DSL router (used as a modem with pppoe) with a DSL modem
(smaller, more energy efficient, can do IPv6, which the router cannot,
...).

Upstream traffic over DSL arrives VLAN-tagged (VLAN 10). The router
which I want to replace removes the VLAN tag, so that I do not need to
do anything on the SmartOS hypervisor or the VM.

The modem can only pass through the VLAN-tagged ethernet frames. On my
notebook (Debian testing), connections with pppoe are straightforward
to set up: I create a vNIC on eth0 tagged with VLAN 10 and dial up with
pppoe.

I tried to reproduce this known-to-work setup on a KVM-virtualized
Debian8 (2f56d126-20d0-11e5-9e5b-5f3ef6688aba, debian-8, 20150702)
before moving on to pfsense (doesn't work there either and pfsense is
not very nice to debug ...)

The NIC I give to this machine is defined as

    {
      "nic_tag": "external",
      "model": "e1000",
      "ip": "dhcp",
      "vlan_id": 10, 
      "allow_dhcp_spoofing": true,
      "allow_ip_spoofing": true,
      "allow_mac_spoofing": true,
      "allow_restricted_traffic": true
    }


A successful pppoe transaction on my notebook (sudo tcpdump -i eth0 -Uw
-  | sudo tcpdump -en -r - vlan 10) looks like this:

    12:46:46.754960 50:7b:9d:30:56:13 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq 0x5E540000]
    12:47:17.540062 00:90:1a:a2:b4:c3 > 32:98:e8:57:94:13, ethertype 802.1Q (0x8100), length 122: vlan 10, p 1, ethertype PPPoE S, PPPoE  [ses 0x2e78] IP6 (0x0057), length 98: fe80::90:1a00:242:9bfe > ff02::1: ICMP6, router advertisement, length 56
    12:47:23.084319 00:90:1a:a2:b4:c3 > 32:98:e8:57:94:13, ethertype 802.1Q (0x8100), length 472: vlan 10, p 1, ethertype PPPoE S, PPPoE  [ses 0x2e78] IP (0x0021), length 448: 209.126.117.224.5078 > 87.79.158.192.5061: UDP, length 418
    12:47:36.274281 50:7b:9d:30:56:13 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq 0x06550000]
    12:47:36.279840 00:90:1a:a2:b4:c3 > 50:7b:9d:30:56:13, ethertype 802.1Q (0x8100), length 66: vlan 10, p 1, ethertype PPPoE D, PPPoE PADO [AC-Name "<...>"] [Host-Uniq 0x06550000] [Service-Name] [AC-Cookie <...>]

[...]

On the KVM-virtualized machine, the transaction never completes:

    11:22:00.733654 72:f2:50:ec:8d:b7 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq 0x31070000]
    11:22:05.739185 72:f2:50:ec:8d:b7 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq 0x31070000]

[...]


Putting the modem on a switch allows me to watch what the KVM-machine
sends and receives using the same tcpdump pattern. In addition, I can
(pppoe discovery uses broadcast) watch the KVM-machine sending from my
notebook.

pppoe discovery leaves the KVM machine on the proper VLAN 10 and is
visible only on VLAN 10 on my notebook. I suspect this can be
generalized so that the modem is actually reached.

No pppoe discovery reply reaches the KVM machine. I suspect the modem
replies to the pppoe discovery also for the KVM machine's request as it
does for my notebook, but I do not know how to prove it.

I am not too good with the tools available on a Solaris, I tried snoop
(snoop -d igb1 | grep -i pppoe) 

           ? -> (broadcast)  PPPoE PADI
           ? -> (broadcast)  PPPoE PADI
           ? -> (broadcast)  PPPoE PADI
VLAN#10:            ? -> (broadcast)  PPPoE PADI
VLAN#10:            ? -> *            PPPoE PADO

which I interpret as the host seeing the discovery packets sent by the
host (PADI) and the answer (PADO). I am not sure however.

I would interpret my attempts to observe the network traffic to mean
that VLAN-tagged traffic leaves and reaches the host but is not properly
passed on to the KVM guest.

Does anybody either know (would be best :-) ) how to properly connect a
KVM guest to VLAN-tagged networks, or know how to debug that issue
better than I just tried?

In any case, thanks and cheers,
-- 
Christopher
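
Added example (not part of the original post): one way to test the suspicion above is to compare a capture taken at a point that sees frames addressed to the guest with one taken inside the guest, and list the PADO replies sent to the guest's MAC that never show up in the guest capture. The sample captures, MAC addresses and Host-Uniq values are constructed, and the function names are hypothetical.

```python
import re

# Constructed captures in `tcpdump -en` format; MACs and Host-Uniq values are made up.
WIRE = """\
10:00:00.000100 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq 0x11110000]
10:00:00.005200 02:00:00:00:00:aa > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 66: vlan 10, p 1, ethertype PPPoE D, PPPoE PADO [AC-Name "example"] [Host-Uniq 0x11110000] [Service-Name]
"""
GUEST = """\
10:00:00.000000 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq 0x11110000]
10:00:05.000000 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq 0x11110000]
"""

MACS = re.compile(r"^\S+ ([0-9a-f:]{17}) > ([0-9a-f:]{17}),")
CODE = re.compile(r"PPPoE (PAD[IORST])\b")
VLAN = re.compile(r"\bvlan (\d+),")
UNIQ = re.compile(r"\[Host-Uniq (0x[0-9A-Fa-f]+)\]")

def discovery_frames(capture):
    """Yield (code, src, dst, vlan, host_uniq) for each PPPoE discovery line."""
    for line in capture.splitlines():
        macs, code = MACS.match(line), CODE.search(line)
        if not (macs and code):
            continue  # session traffic, wrapped or unrelated lines
        vlan, uniq = VLAN.search(line), UNIQ.search(line)
        yield (code.group(1), macs.group(1), macs.group(2),
               int(vlan.group(1)) if vlan else None,
               uniq.group(1).lower() if uniq else None)

def offers(capture):
    """Map (client MAC, Host-Uniq) -> VLAN tag for every PADO in the capture."""
    return {(dst, uniq): vlan
            for code, _src, dst, vlan, uniq in discovery_frames(capture)
            if code == "PADO"}

def lost_offers(wire, guest):
    """PADOs seen on the wire for a client that the guest capture never shows."""
    clients = {src for code, src, *_ in discovery_frames(guest) if code == "PADI"}
    seen = offers(guest)
    return {k: v for k, v in offers(wire).items()
            if k[0] in clients and k not in seen}

if __name__ == "__main__":
    for (mac, uniq), vlan in lost_offers(WIRE, GUEST).items():
        print(f"PADO for {mac} (Host-Uniq {uniq}, vlan {vlan}) never reached the guest")
```

The parser expects one frame per line, so output that a mail client has wrapped must be re-joined before it is fed in.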




