Solved FreeBSD bridge not recieving ARP responses

[tarkhil]

FreeBSD 12.3. CBSD+vnet (but does not seems to be a CBSD issue)

ARP requests works just fine locally, but gets lost somewhere between em0 and bridge. ARP replies arrives on em0, but not on bridge.

Turning off or tuning ipfw did not yield any result.

Looks like the problem is two-way, setting arp manually in jail resulted in packets getting out from em0 but no reply.

Nothing in logs.

 

[D-FENS]

Do you disable bridge member filtering as recommended by iocage?

Add these tunables to /etc/sysctl.conf:

net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
net.link.bridge.pfil_member=0  # Packet filter on the member interface

Alternatively, you need to add the bridge member interfaces to an IPFW allow rule. An example from my configuration:

# On main host:

${ipfw} table InternalBridge destroy
${ipfw} table InternalBridge create type "iface"
${ipfw} table InternalBridge add br_041
# ...

${ipfw} table InternalEpairHostSide destroy
${ipfw} table InternalEpairHostSide create type "iface"
${ipfw} table InternalEpairHostSide add ih_041_047
${ipfw} table InternalEpairHostSide add ih_041_043
# ...

${ipfw} add 30000 set 3 allow all from any to any via 'table(InternalBridge)'
${ipfw} add 30100 set 3 allow all from any to any via 'table(InternalEpairHostSide)'

Can you please give an example of how exactly you create the network interface in the jail and what kind it is? If I recall correctly, Epair does not need a special devfs.rules entry. However, for tun interfaces one must add it to devfs.rules, otherwise they would not be allowed to be passed to the jail. I can imagine tap interfaces need this too.

It would be helpful if you post the relevant parts of your rc.conf, ipfw.rules and devfs.rules.

If turning off IPFW indeed does not change anything, it is probably devfs.rules.
I would suggest using epairs for jails as opposed to tap. Epair works in a similar way but it is a big shortcut implemented directly in the kernel, instead of simulating a real hardware.

 

[tarkhil]

No success with tunables.

No success with ipfw either.

bridge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: em0
        ether 02:29:46:64:28:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>

ARP reply is received on em0, but not on bridge0. So the issue is most likely not on vlan/jail side.

 

[tarkhil]

Sorry all. That was Henzner's filter. My mistake.

 

[covacat]

arp definitely works on bridges otherwise vm-bhyve will mostly not work