Thanks for the clarifications.

What I find weird is that here is what I see with tcpdump/snoop (the vm
interface is configured with vlan_id 500):

- the QinQ packet enters the SmartOS host via the physical interface with
two tags (500 400)
- (on the host) SmartOS/kvm/whatever strips the first tag (500) and
correctly sends the packet to the VM via its interface, the packet is now a
vlan packet tagged only 400
- (in the VM) the vlan interface created on top of the interface configured
as vlan 500 in smartos sees that the packet is for it and responds with an
ARP Reply
- the packet is dropped

If QinQ is not supported I would imagine it would either never work in both
directions or the packet would be passed along because only the first tag
would be checked and removed/added, why does it half work here?

Is there a way I can "cheat" here by bridging the physical interface
directly with the VM interface without any control from SmartOS/KVM? All
the VMs are managed by me so that would be an acceptable solution, for now
at least, we have no client VMs.



On 12 May 2015 at 00:04, Robert Mustacchi <[email protected]> wrote:

> On 5/11/15 2:46 , Schmurfy wrote:
> > Hello,
> > I am using QinQ in my network and can't figure out how to properly use it
> > on the VMs, I configured the vm to get one interface as being a vlan
> > interface and this works (the interface works properly in the VM) but when
> > I try to create a vlan interface inside the VM backed on the first
> > interface packets don't get through SmartOS. I see incoming ARP Request
> > packets and the response from inside the VM (with the correct vlan tag) but
> > using snoop on the host I never see them get out.
> >
> > While trying to make it work I enabled allow_ip_spoofing,
> > allow_dhcp_spoofing, allow_mac_spoofing, allow_restricted_traffic,
> > allow_unfiltered_promisc but none of them seems to help, packets still get
> > blocked on the way out :(
> > Does anyone know what could be blocking the packets?
>
> Hi,
>
> There are a few different things that are going on here. Probably the most
> important is that, to my knowledge, we don't support 802.1ad (Q in Q).
>
> Second, let me clarify what exactly is happening with respect to VNICs,
> VLANs, and the different kinds of instances you can create. When you
> specify a VLAN id in the JSON file, we'll create a VNIC that is marked
> with that tag. That means that the system will enforce that packets that
> enter and leave the interface have that tag. If you're just creating
> zones (whether lx, docker, or smartos), then this doesn't matter.
>
> With kvm, it's a different story. We treat a KVM guest as though its
> NIC is always in access mode, and instead the hypervisor is responsible
> for adding and removing a tag. If the guest is setting a tag, then it's
> liable that it'll be dropped.
>
> Robert
>
>
> -------------------------------------------
> smartos-discuss
> Archives: https://www.listbox.com/member/archive/184463/=now
> RSS Feed:
> https://www.listbox.com/member/archive/rss/184463/27127964-b8d97130
> Modify Your Subscription:
> https://www.listbox.com/member/?&;
> Powered by Listbox: http://www.listbox.com
>
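
Added example, not part of the original thread and not SmartOS code: a small Python model of the two directions described above (outer tag stripped on the way in, guest-tagged frames dropped on the way out), with a tag-stack parser you can also point at captured frames. The frames are constructed, the function names are hypothetical, and the use of TPID 0x8100 for both tags is an assumption.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def vlan_stack(frame: bytes):
    """Return ([VLAN ids, outermost first], inner ethertype) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # TCI follows the TPID; the low 12 bits are the VLAN id.
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids, ethertype

def build(vids, ethertype=0x0806, payload=b"\x00" * 28):
    """Constructed test frame: broadcast destination, made-up source MAC."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return header + tags + struct.pack("!H", ethertype) + payload

def host_to_guest(frame: bytes, vnic_vlan: int):
    """Model of ingress: only the outer tag is checked, then removed."""
    vids, _ = vlan_stack(frame)
    if not vids or vids[0] != vnic_vlan:
        return None
    return frame[:12] + frame[16:]

def guest_to_host(frame: bytes, vnic_vlan: int):
    """Model of egress: the guest NIC is treated as an access port, so a
    frame that already carries a tag is dropped; otherwise the tag is added."""
    vids, _ = vlan_stack(frame)
    if vids:
        return None
    return frame[:12] + struct.pack("!HH", 0x8100, vnic_vlan) + frame[12:]

if __name__ == "__main__":
    arp_request = build([500, 400])            # as seen on the physical NIC
    in_guest = host_to_guest(arp_request, 500)
    print("on the wire:", vlan_stack(arp_request)[0])
    print("in the guest:", vlan_stack(in_guest)[0])
    print("tagged reply leaves host:", guest_to_host(build([400]), 500) is not None)
```
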


