[SOLVED] ping OK - dig OK

ericson007 · 08-09-2015, 10:43 AM

Good day guys. I sincerely apologize for putting this up, but it really has me scratching my head.

I am trying to recreate my network as it was with CentOS 6, it works great, the bridge even works on all attached physical clients and virtual clients. The drama starts when trying to use that same bridge on the Virtual host.

I can ping, I can dig but as soon as anything higher in the network stack happens, the virtual host cannot access resources.

Below are the main information segments. Is there anything I am obviously doing wrong and need to hire an assistant to bang my head on the table for?

Code:

############
# KVM Host #
############

CentOS Linux release 7.1.1503 (Core)

INTEL PRO 1000 -> Pass through to KVM based router <STATUS OK>
Onboard Realtek NIC -> Used for LAN BRIDGE and KVM Host
			-> HOST, LAN and VMs <STATUS LIMITED CONNECTIVITY>

###################
# Setup procedure #
###################

Added kernel parameters -> intel_iommu=on iommu=pt
Added -> net.ipv4.ip_forward = 1 to /etc/sysctl.conf
Loaded ip4 forwarding -> # sysctl -p /etc/sysctl.conf
Disabled NetworkManager
Created interface config files as below:
Rebooted

############
# ifconfig # 
############

brlan: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.250  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::52e5:49ff:fec2:1a73  prefixlen 64  scopeid 0x20<link>
        ether 50:e5:49:c2:1a:73  txqueuelen 0  (Ethernet)
        RX packets 479  bytes 233040 (227.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 594  bytes 54498 (53.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp6s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 50:e5:49:c2:1a:73  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 60  bytes 6194 (6.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60  bytes 6194 (6.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:a6:a2:36  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:feea:c9a5  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:ea:c9:a5  txqueuelen 500  (Ethernet)
        RX packets 479  bytes 239746 (234.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 905  bytes 70902 (69.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



##########
# Bridge #
##########

# brctl show

bridge name	bridge id		STP enabled	interfaces
brlan		8000.50e549c21a73	yes		enp6s0
							vnet0
virbr0		8000.525400a6a236	yes		virbr0-nic

#################
# Bridge config #
#################

cat /etc/sysconfig/network-scripts/ifcfg-brlan

DEVICE=brlan
TYPE=Bridge
IPADDR=192.168.10.250
PREFIX=24
DNS1=192.168.10.1
GATEWAY=192.168.10.1
BOOTPROTO=none
ONBOOT=yes
DELAY=0
STP=on

##############
# NIC config #
##############

cat /etc/sysconfig/network-scripts/ifcfg-enp6s0

DEVICE=enp6s0
TYPE=Ethernet
HWADDR=50:E5:49:XX:XX:XX
BOOTPROTO=none
ONBOOT=yes
BRIDGE=brlan

##################
# Ping test NO.1 #
##################

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=40 time=66.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=40 time=63.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=40 time=63.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=40 time=63.6 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0 packet loss, time 3003ms
rtt min/avg/max/mdev = 63.264/64.219/66.426/1.283 ms

##################
# Ping test NO.2 #
##################

PING linuxquestions.com (208.73.211.70) 56(84) bytes of data.
64 bytes from 208.73.211.70: icmp_seq=1 ttl=232 time=171 ms
64 bytes from 208.73.211.70: icmp_seq=2 ttl=232 time=171 ms
64 bytes from 208.73.211.70: icmp_seq=3 ttl=232 time=171 ms
64 bytes from 208.73.211.70: icmp_seq=4 ttl=232 time=171 ms

--- linuxquestions.com ping statistics ---
4 packets transmitted, 4 received, 0 packet loss, time 3003ms
rtt min/avg/max/mdev = 171.017/171.316/171.473/0.449 ms

############
# Dig test #
############

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.3 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24263
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.			IN	A

;; ANSWER SECTION:
cnn.com.		251	IN	A	157.166.226.25
cnn.com.		251	IN	A	157.166.226.26

;; Query time: 62 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Sun Aug 09 23:00:45 JST 2015
;; MSG SIZE  rcvd: 68

Hope all that did not get you guys too bored.
I suspect there may be something going on systemd or firewalld since everything just magically works again if I restore the original configurations scripts.

Now... Did I remember to plug in that cable?

smallpond · 08-09-2015, 11:09 AM

To see if there is a firewall rule dropping packets do:

Code:

iptables -vL

ericson007 · 08-09-2015, 12:54 PM

Hi there I re-tested.
All devices connected to the bridge virtual and physical can ping and dig.
Nothing can connect with tcp though. Sorry, miss typed initially.

@smallpond: thanks for that. I have double checked that and firewalld is just default with all interfaces in public.

I will head to bed now but will run a script just recursively telnetting to see packet counts for individual sections.

I did however notice that using the bridge, the packets can get to the firewall in the vm and according to that it is sent so, maybe there is something on the bridge causing packets not to know where to go or dropping packet when they return.

I have disabled firewalld and the same behaviour is still observed. Thanks for the input so far guys.

Will try pushing some more data through tomorrow.
Have a good one.

ericson007 · 08-11-2015, 09:14 AM

Hi there

The cause of the problem was the Virtual router (pfsense 2.2.4 - running freebsd 10). Virtio drivers loaded by qemu/KVM have issues with hardware checksum offloading. After disabling this setting on the router, the bridge went into full swing.

On the hunt in diagnosing the bridge, I have found the following website useful (for newbs like me, not routinely setting these things up) as they provide a very simple to understand way of initial troubleshooting with a bridge.

http://www.microhowto.info/troublesh..._on_linux.html

And finally a special thanks to smallpond. It was a clear reminder to check more obvious things first (like check boxes in the router web admin interface)that went a long way.