>> >> Thanks Mike and Stefan for your suggestions.
>> >>
>> >> I have the network appliance set up with two NICs, one connected to
>> >> the external network and one to the local private subnet, and
>> >> forwarding is working fine. When one VM on the private subnet is
>> >> sending traffic to another VM, I see an initial packet on the network
>> >> appliance VM but nothing after that.
>
> Sounds like all three VMs are connected to a private bridge on the
> host. VM1 and VM2 are on the same IP subnet. VM1 broadcasts an ARP
> Request packet to find out the MAC address of VM2. VM2 will respond
> with an ARP Reply so that VM1 learns its MAC address.
>
> When VM1 finds out the MAC address of VM2 it can transmit packets to
> VM2's MAC address. The network bridge in the host kernel will forward
> packets directly between VM1 and VM2 once it has a mapping of MAC
> address to bridge ports. So the first packet may be broadcast if
> there is no mapping yet, but once the host has a mapping it would be
> inefficient to broadcast out packets on all bridge ports (that's the
> difference between a bridge and a hub).
>
> You can see this in /proc/net/arp and brctl showmacs virbr0.
>
> There are a few ways to force traffic through the appliance. One way
> is by adding an IP route inside VM1 for VM2 via the appliance, and
> vice versa inside VM2 for VM1. Try something like (untested):
> ip route add 192.168.1.12 via 192.168.1.254.
>
> Other approaches are: netfilter rules (ebtables/iptables) on the
> bridge to force VM1 and VM2 traffic through the appliance, or maybe
> even ARP spoofing to hijack traffic on an Ethernet segment.
>
> Maybe other people have cleaner configuration ideas. One obvious
> approach is to put VM1 and VM2 into different IP subnets so they
> always use the appliance as their gateway (no manual route required).
>
> Stefan

Yes, I think this is exactly what's happening.
I tried the "obvious" solution of different subnets, and it appears to be working with some initial tcpdumps -- thanks for that suggestion!

The iptables suggestion sounds good as well -- let me see if I understand how that would work: I'd have rules on the VM host to route traffic from one VM to another, even on the same private subnet, through the "network appliance" VM?

Thanks,
Kevin
--
sedecim@xxxxxxxxx
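To make Stefan's explanation concrete, here is a small Python model of the host bridge's MAC learning, added as an illustration and not code from the thread. The MAC addresses and vnet port names are constructed; it shows why the appliance port carries only the first (broadcast) frame when VM1 and VM2 share a subnet, and every frame once VM2 is reached through the appliance as a gateway.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample MACs for the three guests on the host bridge (virbr0 in the thread)
VM1, VM2, APP = "52:54:00:00:00:01", "52:54:00:00:00:02", "52:54:00:00:00:fe"
# Constructed tap port of each guest on the bridge
PORTS = {VM1: "vnet0", VM2: "vnet1", APP: "vnet2"}


class LearningBridge:
    """Tiny model of a Linux bridge's forwarding database ('brctl showmacs')."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}  # MAC address -> bridge port it was last seen on

    def forward(self, in_port, src, dst):
        """Return the ports a frame is sent out of, learning src on the way."""
        self.fdb[src] = in_port
        if dst == BROADCAST or dst not in self.fdb:
            # No mapping yet: flood to every other port, like a hub
            return [p for p in self.ports if p != in_port]
        out = self.fdb[dst]
        # Mapping known: deliver only to the learnt port
        return [] if out == in_port else [out]


def appliance_sees(next_hop_mac):
    """Simulate VM1 talking to VM2 via the given next-hop MAC: VM2's own MAC
    (same subnet) or the appliance's MAC (VM2 reached through the gateway).
    Returns, per frame, whether the appliance port carried the frame."""
    br = LearningBridge(PORTS.values())
    frames = [
        (PORTS[VM1], VM1, BROADCAST),               # ARP request for next hop
        (PORTS[next_hop_mac], next_hop_mac, VM1),   # ARP reply
        (PORTS[VM1], VM1, next_hop_mac),            # first IP packet
        (PORTS[VM1], VM1, next_hop_mac),            # second IP packet
    ]
    seen = []
    for in_port, src, dst in frames:
        out = br.forward(in_port, src, dst)
        seen.append(in_port == PORTS[APP] or PORTS[APP] in out)
    return seen


if __name__ == "__main__":
    print("same subnet, appliance sees:", appliance_sees(VM2))
    print("via appliance gateway, sees:", appliance_sees(APP))
```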