No packets between hypervisor interface and guest

I don't have traffic back between router and vm1.
I've set pass all with logs enabled to see better packets flow.


FreeBSD BOX: hypervisor
vm1: VM guest
router: wifi router gateway

igb2: 192.168.1.1
bridge0: 10.0.0.1
tap0: 10.0.0.18
router: 192.168.1.2

-----------------------------------------------
| FreeBSD BOX ----- |
| (bridge0)----(tap0)-|vm1| |
| ----- |
-----(igb2)------------------------------------
|
|
(WAN)
------------
| router |
------------

[from router to vm1 on FreeBSD BOX]
Code:
pass in on igb2: 192.168.1.2.63908 > 10.0.0.18.53: Flags
pass out on bridge0: 192.168.1.2.63908 > 10.0.0.18.53: Flags
[from router to vm1 on vm1]
Code:
pass in on vtnet0: 192.168.1.2.63908 > 10.0.0.18.53: Flags
[from vm1 to router on vm1]
Code:
pass out on vtnet0: 10.0.0.18.53 > 192.168.1.2.63908: Flags [S.]
[from vm1 to router on FreeBSD BOX]
Code:
pass in on bridge0: 10.0.0.18.53 > 192.168.1.2.63908: Flags [S.]
...and no forward packets.

Any ideas?
 
You have your bridge/guest configured with a 10.x ip address, and a 192.x address on the main network. You don't show much of your actual config (really useful when asking for networking help...) but I'm going to assume that igb2 is not a member of the bridge, so the FreeBSD host should be routing packets between the two networks.

So first of all have you got forwarding enabled on the FreeBSD box so it will forward packets between the 10.x and 192.x networks?

Secondly when packets get to your router they will have a source address on the 10.x network (unless you configure NAT in FreeBSD). Have you added a static route on the router to tell it that it needs to send packets via 192.168.1.1 to get to the 10.x network?
 
Thanks.

I had gateway_enable="YES"
Below are my routing tables.

sudo setfib 0 netstat -rn -f inet
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            A.B.C.D       UGS        igb0
10.0.0.0/23        link#8             U       bridge0
10.0.0.1           link#8             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/30     link#3             U          igb2
192.168.1.1        link#3             UHS         lo0

sudo setfib 1 netstat -rn -f inet
Code:
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            D.C.B.A         UGS        igb1
10.0.0.0/23        link#8             U       bridge0
127.0.0.1          link#7             UH          lo0
192.168.1.0/30     link#3             U          igb2

When I set "block all" on PF I see the following packets are block despite pass rule is correct.
Code:
block in on tap0: 10.0.0.18.53 > 192.168.1.2.53928: Flags [S.]
 
Why two routing tables? The second routing table has a default gateway going out igb1 but the interface doesn't have an IP address. I suggest removing the second table.
 
Works.
I've added the following entry to VM guest routing table.

route add 192.168.1.2/32 10.0.0.1

Thank you for your help.
 
Back
Top