= Bridge doesn't forward packets =
Sometimes a bridge can mysteriously drop packets instead of forwarding them.
For example, user eyck ran into a problem where some broadcasts were not delivered to a VE through the bridge.
Original report and discussion: [http://forum.openvz.org/index.php?t=tree&th=4052& forum thread]
== Simplest configuration ==
VE #101 with a veth interface (veth101.0) connected to the physical eth0 interface via a bridge (br0).
== Problem statement ==
We faced a situation where some broadcast packets were not delivered to the VE.
It could actually happen with any packets, not only broadcasts, but broadcasts make the
simplest case: they obviously should be delivered to every interface on the bridge, no question about it.
Using tcpdump we see that the BOOTP/DHCP request is visible on the br0 interface in the host system (VE0):
<pre>
15:21:52.258220 00:1b:d5:2c:bf:38 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 350: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1b:d5:2c:bf:38, length 308
15:21:52.287269 00:08:02:ac:36:20 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.17.8.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
</pre>
However, eth0 inside the VE receives only the second packet (the BOOTP/DHCP reply) and never sees the first one, the request itself:
<pre>
15:21:52.291145 00:08:02:ac:36:20 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.17.8.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
</pre>
== Resolution ==
It is not obvious at all, but bridges (although they have their own ebtables filters) also pass packets through the iptables FORWARD chain when forwarding them between interfaces.
Thus your FORWARD iptables rules must allow all the packets that are supposed to go through.
In our case eyck had a default DROP policy on FORWARD and had to add:
<pre>
iptables -A FORWARD -d 255.255.255.255 -j ACCEPT
</pre>
to fix the issue.
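The following script is an added example, not code from this wiki page or from the OpenVZ project. It automates the two steps described in the problem statement and the resolution: it compares the tcpdump output seen on br0 in the host with the output seen on eth0 inside the VE to list the frames the bridge did not deliver, and it inspects an iptables-save style dump of the filter table for a DROP policy on FORWARD with no ACCEPT rule for the limited broadcast address. The captures and rule sets embedded in the script are constructed samples modelled on the output quoted above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example for "Bridge doesn't forward packets"; not code from the page
# or from OpenVZ. All data below is constructed, modelled on the page's output.

# --- constructed sample data --------------------------------------------------
# What tcpdump showed on br0 in the host (VE0): the request and the reply.
HOST_CAPTURE='15:21:52.258220 00:1b:d5:2c:bf:38 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 350: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1b:d5:2c:bf:38, length 308
15:21:52.287269 00:08:02:ac:36:20 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.17.8.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300'

# What tcpdump showed on eth0 inside the VE: only the reply.
VE_CAPTURE='15:21:52.291145 00:08:02:ac:36:20 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.17.8.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300'

# The filter table as "iptables-save" prints it, before and after the fix.
RULES_BEFORE=':INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

RULES_AFTER=':INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 255.255.255.255/32 -j ACCEPT
COMMIT'

# --- capture comparison -------------------------------------------------------
# Drop the leading timestamp: the same frame is captured at slightly different
# times on br0 and on the VE's eth0, but the rest of the line is identical.
strip_timestamp() {
    sed 's/^[0-9:.]* //'
}

# Print every frame present in the host capture ($1) but absent from the VE
# capture ($2). Prints nothing when the bridge forwarded everything.
missing_in_ve() {
    ve_frames=$(mktemp)
    printf '%s\n' "$2" | strip_timestamp | sort -u > "$ve_frames"
    printf '%s\n' "$1" | strip_timestamp | sort -u \
        | grep -v -x -F -f "$ve_frames" || true
    rm -f "$ve_frames"
}

# --- iptables rule-set checks -------------------------------------------------
# Default policy of the FORWARD chain in an iptables-save dump ($1).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Succeed if the dump ($1) carries an ACCEPT rule for 255.255.255.255 in the
# FORWARD chain, i.e. the rule the page adds to fix the problem.
forward_allows_broadcast() {
    printf '%s\n' "$1" \
        | grep -q -E '^-A FORWARD .*-d 255\.255\.255\.255(/32)? .*-j ACCEPT'
}

# Put both together. Returns 0 when nothing was lost, 1 when frames were lost.
diagnose() {
    host="$1"; ve="$2"; rules="$3"
    lost=$(missing_in_ve "$host" "$ve")
    if [ -z "$lost" ]; then
        echo "ok: every frame seen on the bridge was also seen in the VE"
        return 0
    fi
    echo "frames seen on br0 but not inside the VE:"
    printf '%s\n' "$lost" | sed 's/^/  /'
    if [ "$(forward_policy "$rules")" = DROP ] && ! forward_allows_broadcast "$rules"; then
        echo "cause: FORWARD policy is DROP and no rule accepts 255.255.255.255;"
        echo "       bridged frames traverse the iptables FORWARD chain as well"
        echo "fix:   iptables -A FORWARD -d 255.255.255.255 -j ACCEPT"
    else
        echo "FORWARD chain looks fine; check ebtables and the bridge port state"
    fi
    return 1
}

# Run the diagnosis against the constructed "before" state.
if diagnose "$HOST_CAPTURE" "$VE_CAPTURE" "$RULES_BEFORE"; then
    echo "nothing to fix"
fi
```

On a real host, feed `missing_in_ve` the output of `tcpdump -n -e -i br0` and of the same command run on eth0 inside the VE, and feed the rule checks the output of `iptables-save`. Whether bridged frames traverse iptables at all is governed by the bridge-netfilter sysctl net.bridge.bridge-nf-call-iptables (1 means they do); on a host where it is 0 the FORWARD chain is not the culprit and the search has to move to ebtables or the bridge itself.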
== Credits ==
Many thanks to Dariush Pietrzak, who patiently helped to debug this.
[[Category:Troubleshooting]]
[[Category:Networking]]