Hi, just a hint that you can also use “snoop” on SmartOS to sniff KVM traffic from the hypervisor thanks to VND. The usage is as follows:
snoop -rd netX -z <uuid> With this you can also check what really comes out of the KVM zone VNIC. Now for your problem, I don’t think that it is possible to add VLAN tag from inside the KVM. I suppose that the packet should be dropped. If I am mistaken, please somebody correct me. Cheers, Adam > On Mar 21, 2016, at 2:15 PM, Christopher J. Ruwe <[email protected]> wrote: > > Hi, > > at the moment I am trying to debug an issue with a KVM-virtualized > firewall appliance (pfsense) and think I need some help. > > Currently, I am trying to replace my vendor-supplied and otherwise > crappy DSL router (used as modem with pppoe) with a DSL modem > (smaller, more energy efficient, can do IPv6, which the router cannot, > ...). > > Upstream traffic over DLS arrives VLAN-tagged (VLAN 10). The router > which I want to replace removes the VLAN tag, so that I do not need to > do anything on the SmartOS hypervisor or the VM. > > The modem can only pass-through the VLAN-tagged ethernet frames. On my > notebook (Debian testing), connections with pppoe are straight-forward > to setup, I create a vNIC on eth0 tagged with VLAN 10 and dial up with > pppoe. > > I tried to reproduce this known-to-work setup on a KVM-virtualized > Debian8 (2f56d126-20d0-11e5-9e5b-5f3ef6688aba, debian-8, 20150702) > before moving on to pfsense - doesn't work there either and pfsense is > not very nice to debug ...) > > The NIC I give to this machine is defined as > > { > "nic_tag": "external", > "model": "e1000", > "ip": "dhcp", > "vlan_id": 10, > "allow_dhcp_spoofing": true, > "allow_ip_spoofing": true, > "allow_mac_spoofing": true, > "allow_restricted_traffic": true > } > > A successful ppoe transaction on my notebook (sudo tcpdump -i eth0 -Uw > | sudo tcpdump -en -r - vlan 10) looks like this: > > 12:46:46. 754960 50:7b:9d:30:56:13 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI > [Service-Name] [Host-Uniq 0x5E540000] > 540062 00:90:1a:a2:b4:c3 > 32:98:e8:57:94:13, ethertype 802.1Q > (0x8100), length 122: vlan 10, p 1, ethertype PPPoE S, PPPoE [ses > 0x2e78] IP6 (0x0057), length 98: fe80::90:1a00:242:9bfe > ff02::1: > ICMP6, router advertisement, length 56 > 084319 00:90:1a:a2:b4:c3 > 32:98:e8:57:94:13, ethertype 802.1Q > (0x8100), length 472: vlan 10, p 1, ethertype PPPoE S, PPPoE [ses > 0x2e78] IP (0x0021), length 448: 209.126.117.224.5078 > > 5061: UDP, length 418 > 274281 50:7b:9d:30:56:13 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI > [Service-Name] [Host-Uniq 0x06550000] > 279840 00:90:1a:a2:b4:c3 > 50:7b:9d:30:56:13, ethertype 802.1Q > (0x8100), length 66: vlan 10, p 1, ethertype PPPoE D, PPPoE PADO [AC- > Name "<...>"] [Host-Uniq 0x06550000] [Service-Name] [AC-Cookie <...>] > > [...] > > On the KVM-virtualized machine, the transaction never completes: > > 11:22:00. 733654 72:f2:50:ec:8d:b7 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI > [Service-Name] [Host-Uniq 0x31070000] > 739185 72:f2:50:ec:8d:b7 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 36: vlan 10, p 0, ethertype PPPoE D, PPPoE PADI > [Service-Name] [Host-Uniq 0x31070000] > > [...] > > Putting the modem on a switch allows me to watch what the KVM-machine > sends and recieves using the same tcpdump pattern. In addition, I can > (pppoe discovery uses broadcast) watch the KVM-machine sending from my > notebook. > > pppoe discovery leaves the KVM machine on the proper VLAN 10 and is > visible only on VLAN 10 on my notebook. I suspect this can be > generalized so that the modem is actually reached. > > No pppoe discovery replies reaches the KVM machine. I suspect the modem > replies to the pppoe discovery also for the KVM machines request as it > does for my notebook, but I do not know how to prove it. > > I am not too good with the tools available on a Solaris, I tried snoop > (snoop -d igb1 | grep -i pppoe) > > ? -> (broadcast) PPPoE PADI > ? -> (broadcast) PPPoE PADI > ? -> (broadcast) PPPoE PADI > VLAN#10: ? -> (broadcast) PPPoE PADI > VLAN#10: ? -> * PPPoE PADO > > which I interpret as the host seeing the discovery packets sent by the > host (PADI) and the answer (PADO). I am not sure however. > > I would interpret my attempts to observe the network traffic, so that > VLAN tagged traffic leaves and reaches the host but is not properly > passed on to the KVM-guest. > > Does anybody either ( would be best :-) ) how to properly connect KVM > guest to VLAN-tagged networks or would know how to debug that issue > better than I just tried? > > In any case, thanks and cheers, > -- > Christopher >
signature.asc
Description: Message signed with OpenPGP using GPGMail
------------------------------------------- smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00 Modify Your Subscription: https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb Powered by Listbox: http://www.listbox.com
