I believe this used to work in older versions of SmartOS, specifically
I have an old server running joyent_20130919T215407Z with a 
KVM based VM running pfSense with VLAN trunking just fine.

Some months ago I tried to upgrade that server to a recent version 
of SmartOS but after the upgrade I could not get that VM to work
properly. Somehow the networking was broken.

I was not able to fully debug the problem at that time since the 
pfSense VM was critical and also providing the connectivity
between various subnets and the Internet so when things did
not work I soon rolled back to the older SmartOS version
and everything worked again.

Now upon seeing this thread I am thinking that I probably 
ran into this very same issue back then. BTW, this problem
is still open for me and on my todo list.

Just a wild guess: could this have anything to do with the introduction
of Project Bardiche into SmartOS? This went deep into the networking
stack, especially for KVM guests and fundamentally changed the
inner working of guest networking.

Whatever the root cause may be: I consider the behavior of stripping
VLAN tags from ethernet frames to a guest VM that is specifically 
configured and allowed to handle VLAN traffic a serious bug. 

For some applications the guest VM needs the ability to do its own 
VLAN tagging independent of the host hypervisor. Not allowing this
would exclude this class of applications on top of SmartOS and
set SmartOS back behind other hypervisors that support this.
For example, VMware supports this use case without problems.
And it has worked with older versions of SmartOS.

Does anyone have a clue why the VLAN tags get stripped and
how this can be fixed?

- Dirk


> On 27.08.2015 at 23:00, David Finster 
> <david.fins...@seymourwhyte.com.au> wrote:
> 
> I encountered this recently for another reason. My scenario is that I had a 
> host with a separate physical NIC that was a VLAN trunk (many different 
> VLANs) but I needed a VM (zone or KVM makes no difference) that had 
> unfiltered promisc on only one of those VLANs. 
> 
> I ended up not being able to use that strategy since unfiltered_promisc gives 
> the VM everything with the vlan_id stripped from the packet (so the VM gets 
> everything on the physical NIC but can't do its own VLAN filtering). Removing 
> unfiltered_promisc, although I had mac_spoof enabled this only allows the 
> sending of packets with different MACs and any responses to the MAC won't be 
> passed up by the vnic. Since my application was a WAN accelerator with any 
> number of MACs behind it, it wasn't feasible to manage the list. 
> 
> I did attempt to use dladm to create a vlan entry and see if I could bridge 
> that to an ether stub. Snooping the VLAN interface gave me the traffic I 
> wanted but you can't bridge those to anything. 
> 
> Still a work in progress, but I ended up dedicating a physical NIC to the 
> VLAN that the VM needed promisc on. The core blocker to me was that the 
> normal promisc supplies the packets with vlans stripped, which RM from Joyent 
> confirmed is expected behaviour at this stage. 
> 
> - Dave
> 
>> On 28 Aug 2015, at 4:36 AM, Jorge Schrauwen <sjorge...@blackdot.be> wrote:
>> 
>> It could also be an illumos quirk.
>> If you can, join #smartos on freenode and see if rm is online. He's quite 
>> knowledgeable on the network stack.
>> 
>>> On 2015-08-27 20:23, Daryl Turner wrote:
>>> 
>>> I'll check what the behaviour is on the working VM tomorrow. I'm not able 
>>> to confirm that this isn't just a symptom of the system diagnostics.
>>> -------- Original Message --------
>>> Subject: Re: [smartos-discuss] VLAN tagging to guest zone
>>> Time (UTC): August 27 2015 6:11 pm
>>> From: daryl.tur...@protonmail.ch
>>> To: sjorge...@blackdot.be
>>> CC: smartos-disc...@lists.smartos.org
>>> I've just checked and yes I do. I see it leave with VLAN ID applied but 
>>> received with the VLAN stripped from the frame.
>>> -------- Original Message --------
>>> Subject: Re: [smartos-discuss] VLAN tagging to guest zone
>>> Time (UTC): August 27 2015 5:18 pm
>>> From: sjorge...@blackdot.be
>>> To: smartos-disc...@lists.smartos.org
>>> Do you see the ARPs within the VM?
>>>> On 2015-08-27 19:18, Daryl Turner wrote:
>>>> etherstub.
>>>> Funnily enough checking the NICs with snoop it appears the ARP request
>>>> makes it to the destination NIC but obviously isn't being picked up by
>>>> the destination machine.
>>>> [root@00-0c-29-87-c9-0b ~]# snoop -z
>>>> a57e5f07-cee7-47ed-a74b-f54b227cd25f -d net0
>>>> Using device net0 (promiscuous mode)
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> ^C[root@00-0c-29-87-c9-0b ~]# snoop -z
>>>> a57e5f07-cee7-47ed-a74b-f54b227cd25f -d net1
>>>> Using device net1 (promiscuous mode)
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>> VLAN#200: 192.168.0.1 -> (broadcast) ARP C Who is 192.168.0.2,
>>>> 192.168.0.2 ?
>>>>> -------- Original Message --------
>>>>> Subject: Re: [smartos-discuss] VLAN tagging to guest zone
>>>>> Time (UTC): August 27 2015 4:27 pm
>>>>> From: sjorge...@blackdot.be
>>>>> To: smartos-disc...@lists.smartos.org
>>>>> loop0 is an etherstub or a physical interface?
>>>>>> On 2015-08-27 18:25, Daryl Turner wrote:
>>>>>> Here is what I currently have set. This probably wasn't the best
>>>>>> machine to start with as it's already a little unusual.
>>>>>> This machine is a simulated Juniper router. Net0 loops back into Net1
>>>>>> and each end is placed into logical systems. Multiple links are
>>>>>> simulated by using VLAN tags to create separate point to point
>>>>>> circuits and allows you to build up a topology of interconnected
>>>>>> logical routers. At the moment tagged frames from net0 aren't
>>>>>> received on net1.
>>>>>> If I use untagged frames I can ping between logical systems as
>>>>>> expected.
>>>>>> # vmadm get a57e5f07-cee7-47ed-a74b-f54b227cd25f | json nics
>>>>>> [
>>>>>> {
>>>>>> "interface": "net0",
>>>>>> "mac": "f2:da:d4:5c:ba:70",
>>>>>> "nic_tag": "loop0",
>>>>>> "ip": "dhcp",
>>>>>> "model": "e1000",
>>>>>> "allow_ip_spoofing": true,
>>>>>> "allow_mac_spoofing": true,
>>>>>> "allow_restricted_traffic": true,
>>>>>> "allow_unfiltered_promisc": true,
>>>>>> "primary": true
>>>>>> },
>>>>>> {
>>>>>> "interface": "net1",
>>>>>> "mac": "52:fb:a9:db:86:f4",
>>>>>> "nic_tag": "loop0",
>>>>>> "ip": "dhcp",
>>>>>> "model": "e1000",
>>>>>> "allow_ip_spoofing": true,
>>>>>> "allow_mac_spoofing": true,
>>>>>> "allow_restricted_traffic": true,
>>>>>> "allow_unfiltered_promisc": true
>>>>>> }
>>>>>> ]
>>>>>> I will check the behaviour using separate machines and try using
>>>>>> Joyent zones to see if it makes any difference.
>>>>>> Thanks,
>>>>>> Daryl.
>>>>>>> -------- Original Message --------
>>>>>>> Subject: Re: [smartos-discuss] VLAN tagging to guest zone
>>>>>>> Time (UTC): August 27 2015 4:01 pm
>>>>>>> From: sjorge...@blackdot.be
>>>>>>> To: smartos-disc...@lists.smartos.org
>>>>>>> CC: daryl.tur...@protonmail.ch
>>>>>>> Hi Daryl,
>>>>>>> You probably need to have allow_unfiltered_promisc set to true.
>>>>>>> I simply add multiple nics with a different vlan_id set for each
>>>>>>> myself, which also works fine.
>>>>>>> Regards
>>>>>>> Jorge
>>>>>>>> On 2015-08-27 17:31, Daryl Turner wrote:
>>>>>>>> Hi All,
>>>>>>>> I'm currently working on porting over some machines from a network
>>>>>>>> lab from ESXi to SmartOS. There is a requirement to carry tagged
>>>>>>>> traffic between several KVM branded zones to simulate a specific
>>>>>>>> network topology.
>>>>>>>> From what I can see, and have tried, this isn't possible even with
>>>>>>>> the permit_restricted_traffic flag. I've also added spoof_ip and
>>>>>>>> spoof_mac permits.
>>>>>>>> Can anyone confirm if this is a restriction in the virtual
>>>>>>>> networking stack in SmartOS or if there is a possible workaround?
>>>>>>>> The link between the zones is logically point to point so the
>>>>>>>> etherstub wouldn't need to be VLAN aware as such, just passing the
>>>>>>>> traffic would satisfy my requirement for now.
>>>>>>>> Thanks,
>>>>>>>> Daryl.
>> 
>> 
> 
> 
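
An added example, not part of the original thread: a small Python check for the symptom described above, where a frame leaves one NIC with an 802.1Q tag and arrives with the tag removed. The frames are constructed here from the MAC, addresses and VLAN 200 quoted in the thread; the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100     # EtherType value that marks an 802.1Q tag
ETHERTYPE_ARP = 0x0806

def build_arp_request(src_mac, sender_ip, target_ip, vlan_id=None):
    """Build a broadcast ARP who-has frame, optionally 802.1Q tagged."""
    header = b"\xff" * 6 + src_mac
    if vlan_id is not None:
        # TCI: priority and DEI left at 0, low 12 bits carry the VLAN ID
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    header += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # Ethernet/IPv4 request
    arp += src_mac + sender_ip + b"\x00" * 6 + target_ip
    return header + arp

def parse_vlan(frame):
    """Return (vlan_id or None, ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner

def tag_stripped(sent, received):
    """True if `received` is `sent` with only its 802.1Q tag removed."""
    s_vid, s_type = parse_vlan(sent)
    r_vid, r_type = parse_vlan(received)
    if s_vid is None or r_vid is not None:
        return False
    same_macs = sent[:12] == received[:12]
    same_payload = sent[18:] == received[14:]
    return same_macs and same_payload and s_type == r_type

# Constructed sample data (values taken from the thread's output).
MAC = bytes.fromhex("f2dad45cba70")
SENT = build_arp_request(MAC, bytes([192, 168, 0, 1]),
                         bytes([192, 168, 0, 2]), vlan_id=200)
RECEIVED = SENT[:12] + SENT[16:]   # same frame with the 4-byte tag dropped

if __name__ == "__main__":
    print("sent:", parse_vlan(SENT), "received:", parse_vlan(RECEIVED))
    print("tag stripped in transit:", tag_stripped(SENT, RECEIVED))
```

Feeding it raw frames captured on the sending and receiving side of the guest shows whether the tag was lost between the two capture points.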


-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00
Modify Your Subscription: 
https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb
Powered by Listbox: http://www.listbox.com
