ipfw+dummynet bridging (VMware guests)
Dayne Miller
dayne.miller at gmail.com
Tue Jun 5 00:21:29 UTC 2007
Hello-
I'm hoping someone can help. I have a configuration that I *think* is
simple and should "just work", but so far I'm having no luck. It's
possible this belongs on another list or forum entirely -- if it ends
up being a VMware config issue -- but for now I'm operating under the
assumption that I have dummynet set up incorrectly.
The infrastructure for this is VMware ESX Server 3.0.1. I have the
following VLANs/tags set up within the virtual switch:
vlan 1010 "vm_admin"
vlan 1020 "vm_server"
vlan 1201 "vm_perf"
(These are non-contiguous numbers for some unimportant legacy reasons.)
My goal is to use a FreeBSD 6.2-STABLE VM as a "WAN emulator"; I want
clients on VLAN 1201 to be bridged into VLAN 1020, where I've placed
several virtual servers. VLAN 1010 is for administrative interfaces; I
gave the FreeBSD VM an IP address on the virtual interface homed on that
network.
My /etc/rc.conf looks like this:
hostname="dummy00.demo.local"
ifconfig_em0="inet 172.27.222.25 netmask 255.255.255.128"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em1 addm em2 up"
ifconfig_em1="up"
ifconfig_em2="up"
sshd_enable="yes"
firewall_enable="yes"
firewall_script="/usr/local/etc/dummy00.default"
firewall_logging="yes"
The 'dummy00.default' script is:
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
admif="em0"
clientif="em1"
serverif="em2"
$cmd 00005 allow all from any to any via $admif
$cmd 00010 allow all from any to any via lo0
$cmd 00100 check-state
$cmd 01000 pipe 1 ip from any to any bridged
ipfw -q pipe 1 config
$cmd 65000 allow ip from any to any setup keep-state
$cmd 65100 allow log ip from any to any
(I'll add characteristics to the pipe later, I just want it to work
first... And I realize this is not the most efficient ruleset, but
again, I want to get it simply passing traffic first, then I'll worry
about details.)
My /etc/sysctl.conf looks like this:
net.inet.ip.fw.one_pass=0
net.link.bridge.ipfw=1
Finally, the relevant sections of my kernel config file are:
device if_bridge
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
I have a very recent version of VMware Tools running. As a
non-bridging (i.e. routing) dummynet VM, this has worked well. I
cloned a working VM, added the 'options if_bridge' and other relevant
things and recompiled the kernel as required. Now I can't seem to get
packets to pass...
I have this setup, if you can forgive the ASCII diagram:
         (client 10.133.20.119)
                  |
                  |
             [vlan 1201]
                  |
                  |em1
      (FreeBSD 6.2-STABLE)em3--[VLAN 1010 -- 172.27.222/25]
                  |em2
                  |
             [vlan 1020]
                  |
                  |
        (servers 10.133.20.x/24)
The client is unable to connect to any server resources (nor can the
servers connect to the client, of course). I've made sure the client
has all the correct IP parameters. If I change the client VM config
within VMware so that the interface is on the server VLAN, with no
other changes, all works correctly.
On the dummynet box, a point-in-time 'ipfw show' gives:
00005 42 3360 allow ip from any to any via em0
00010 0 0 allow ip from any to any via lo0
00100 0 0 check-state
01000 159 26719 pipe 1 ip from any to any layer2
65000 0 0 allow ip from any to any setup keep-state
65100 477 80157 allow log logamount 1 ip from any to any
65535 0 0 allow ip from any to any
I can get the rules at 1000 and 65100 to increment just by attempting
to pass traffic from client to server or vice versa. However, since
there are no deny rules, I'm unsure what's happening to the packets
after they hit the bridge -- they are definitely NOT making it as far
as the destination server(s).
Any suggestions for troubleshooting, or configuration changes? I
thought I had all of the basics taken care of, but apparently not.
Thanks in advance-
-Dayne
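The post asks for troubleshooting ideas, and the only evidence it has to work with is the counters in the 'ipfw show' output. The script below is an added example (it is not from Dayne's message and not a FreeBSD tool) that diffs two 'ipfw show' snapshots taken before and after a burst of test traffic and prints only the rules whose counters moved. The "before" snapshot is the one quoted above; the "after" counters and the function name ipfw_delta are constructed for the example. On a real box you would capture the snapshots with `ipfw show > before.txt`, send the test traffic, capture again, and feed both files to the same awk.

```shell
#!/bin/sh
# Added example (not from the original post): show which ipfw rules
# matched during a test by diffing the packet/byte counters of two
# `ipfw show` snapshots. Assumes the default `ipfw show` layout:
#   <rule> <packets> <bytes> <action ...>

# Constructed sample data. BEFORE is the output quoted in the post;
# AFTER is made up to represent a later snapshot after test traffic.
BEFORE='00005 42 3360 allow ip from any to any via em0
00010 0 0 allow ip from any to any via lo0
00100 0 0 check-state
01000 159 26719 pipe 1 ip from any to any layer2
65000 0 0 allow ip from any to any setup keep-state
65100 477 80157 allow log logamount 1 ip from any to any
65535 0 0 allow ip from any to any'

AFTER='00005 50 4000 allow ip from any to any via em0
00010 0 0 allow ip from any to any via lo0
00100 0 0 check-state
01000 169 27719 pipe 1 ip from any to any layer2
65000 0 0 allow ip from any to any setup keep-state
65100 507 85157 allow log logamount 1 ip from any to any
65535 0 0 allow ip from any to any'

# ipfw_delta BEFORE_TEXT AFTER_TEXT
# Prints one line per rule whose packet counter changed:
#   <rule> +<pkt delta> +<byte delta> <action ...>
# Rules present in only one snapshot are reported as "new" or "gone".
# Rules with unchanged counters are omitted, so an empty result means
# no rule in the set saw the test traffic at all.
ipfw_delta() {
    before=$(mktemp) || return 1
    after=$(mktemp) || { rm -f "$before"; return 1; }
    printf '%s\n' "$1" > "$before"
    printf '%s\n' "$2" > "$after"
    awk '
        # First file: remember counters per rule number.
        FILENAME == ARGV[1] { pk[$1] = $2; by[$1] = $3; seen[$1] = 1; next }
        # Second file: compare against the remembered counters.
        {
            rule = $1; p = $2; b = $3
            $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, "")
            if (!(rule in seen))
                printf "%s new %s %s %s\n", rule, p, b, $0
            else if (p != pk[rule])
                printf "%s +%d +%d %s\n", rule, p - pk[rule], b - by[rule], $0
            delete seen[rule]
        }
        END { for (r in seen) printf "%s gone\n", r }
    ' "$before" "$after"
    rm -f "$before" "$after"
}

# Stand-alone run over the constructed snapshots.
ipfw_delta "$BEFORE" "$AFTER"
```

In the constructed run, only rules 00005, 01000 and 65100 show a delta, which mirrors the pattern described in the post: the layer2 pipe rule and the final logging allow rule both count the bridged packets, while nothing in the set denies them. Reading the deltas per rule (and comparing them with `ipfw pipe 1 show` and with the log lines from rule 65100) narrows the question to what happens to a packet after the last rule accepts it, rather than to whether ipfw is dropping it.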