Summary: I have a routing firewall and a machine on the internal network hosting a virtual machine. I used a tunnel to connect the (bridged) VM with the (bridged) WAN interface of the firewall, making the VM appear outside the firewall. Connections from outside the firewall to the VM work fine; however, connections from inside the firewall to the VM stall soon after starting, and pass a few more packets if I generate other traffic. (An SSH connection to the VM seems to work, but scp stalls until I prod the SSH connection.) I'd like to know why this happens, and how I can fix my network configuration or topology to prevent it.

Details: I have an OpenWrt-based router (call it "openwrt"), with a 6-port Ethernet switch (one port attached to eth0) and wifi (eth1). Its default setup divides the switch into four LAN ports (vlan0) and a WAN port (vlan1), bridges the LAN ports and the wifi (as br0), and routes between that bridge and the WAN. According to the documentation, the switch port attached to eth0 uses VLAN tagging, and the other switch ports do not have VLAN tagging.

I have a machine (call it "host") attached to one of the LAN ports; it hosts virtual machines. I want to make a VM (call it "vm") appear outside the firewall, so it can directly use one of the static IPs my ISP supplies, and host services. To do this, I created a layer 2 tunnel between host and openwrt using SSH (tap100 on host, tap0 on openwrt), bridged host's tap100 to the VM's tap device (as "br-virt") and bridged openwrt's tap0 to the WAN interface vlan1 (as "br1").

This setup mostly seems to work. vm can use one of my ISP's static IPs directly, make connections to the Internet, and receive connections from the Internet. I can also SSH from host or other machines on my local network to vm, and the SSH connection seems to work fine. However, when I scp between host (or another internal machine) and vm, the scp connection starts out OK but then stalls after a short time. If I press keys on an SSH connection to the box, the scp connection unstalls for a short time again.

I investigated, and noticed one odd item: with scp stalled, "brctl showmacs br-virt" on host and "brctl showmacs br1" on openwrt both show the MAC address of the VM with an increasing age; furthermore, "brctl showmacs br-virt" on host shows the router's MAC address with an increasing age. Generating traffic on an SSH connection to vm causes packets with its MAC to show up, resulting in This seems likely related to the stall.

Why does this stall occur? How can I change my network configuration or topology to fix this, while still letting the VMs directly use static IPs from my ISP? (Also, feel free to suggest alternatives to SSH for the layer 2 tunnel; I used SSH because I knew how to use it as a tunnel, but I wouldn't mind something simpler and more efficient.)

Thanks,
Josh Triplett
_______________________________________________ Bridge mailing list Bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/bridge
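An added diagnostic, not part of Josh's post or of the bridge-utils tools: it parses two `brctl showmacs` snapshots taken a known number of seconds apart and reports learned (non-local) MACs whose ageing timer kept advancing across the interval, which is exactly the symptom described above (the bridge forwards frames to that MAC but sees none arriving from it). The snapshot contents and MAC addresses are constructed; one entry is shown being refreshed for contrast.

```python
"""Compare two 'brctl showmacs' snapshots and flag forwarding-table entries
that age without being refreshed, i.e. the bridge receives no frames from
that source MAC. Constructed sample data; not real captures."""
import re
from typing import Dict, NamedTuple


class FdbEntry(NamedTuple):
    port: int
    is_local: bool
    age: float


# Data rows of 'brctl showmacs' look like:
# "  1\t52:54:00:de:ad:01\tno\t\t   4.20"  (port, MAC, is local?, ageing timer)
_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(yes|no)\s+([\d.]+)\s*$", re.I)


def parse_showmacs(text: str) -> Dict[str, FdbEntry]:
    """Parse brctl showmacs output into {mac: FdbEntry}; header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        port, mac, local, age = m.groups()
        entries[mac.lower()] = FdbEntry(int(port), local == "yes", float(age))
    return entries


def stale_entries(before: Dict[str, FdbEntry], after: Dict[str, FdbEntry],
                  elapsed: float, tolerance: float = 1.0) -> Dict[str, FdbEntry]:
    """Learned MACs present in both snapshots whose timer is at least `elapsed`
    seconds old in the second snapshot: nothing from that MAC arrived in between."""
    return {mac: e for mac, e in after.items()
            if mac in before and not e.is_local and e.age + tolerance >= elapsed}


# Constructed snapshots of host's br-virt, 30 s apart. Port 1 = tap100 (tunnel
# to the router), port 2 = the VM's tap. The VM's MAC ages; the router's MAC
# is refreshed by traffic in this sample.
SNAP_T0 = ("port no\tmac addr\t\tis local?\tageing timer\n"
           "  1\t00:11:22:aa:bb:cc\tno\t\t   4.10\n"
           "  2\t52:54:00:de:ad:01\tno\t\t   4.20\n"
           "  2\tfe:54:00:de:ad:01\tyes\t\t   0.00\n")
SNAP_T30 = ("port no\tmac addr\t\tis local?\tageing timer\n"
            "  1\t00:11:22:aa:bb:cc\tno\t\t   0.80\n"
            "  2\t52:54:00:de:ad:01\tno\t\t  34.20\n"
            "  2\tfe:54:00:de:ad:01\tyes\t\t   0.00\n")


def find_stale(before_text: str, after_text: str, elapsed: float) -> Dict[str, FdbEntry]:
    return stale_entries(parse_showmacs(before_text), parse_showmacs(after_text), elapsed)


if __name__ == "__main__":
    for mac, e in find_stale(SNAP_T0, SNAP_T30, 30).items():
        print(f"{mac} on port {e.port}: no frames seen from it for {e.age:.0f}s")
```

Once an entry's timer reaches the bridge ageing time (300 s by default on Linux), the bridge drops it and floods frames for that MAC out every port, so a timer that only ever grows is a direct sign that return traffic is not reaching that bridge.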