
#1 2015-04-04 06:38:12

Lockheed
Member
Registered: 2010-03-16
Posts: 1,542

KVM guest firewall will not forward traffic from Internet to local IP

★ My setup:

Host (ArchLinux, nanoBox):
Physical interfaces: with eth0 (no ip) and wlan0 (hostapd).
Virtual interfaces: br0 (static IP 192.168.7.2 assigned with netctl profile)


Guest (pfSense inside KVM):
Guest interfaces:
vtnet0 - bridged to eth0
vtnet1 - bridged to br0 (192.168.7.1)

My Host is also a web server. I do not know if this is good practice, but br0 is the interface through which host services connect to the internet.

I assign static IP to br0 for two reasons:
1 - when I set it to DHCP it does not receive any IP. I have no idea why - it worked for a month before, but it just doesn’t anymore.
2 - it allows me to access the host even when pfSense VM is down


★ What works:
- accessing internet from Host
- accessing internet from WiFi clients connecting to the internet using hostapd
- port forwarding from the internet to WiFi clients connecting to the internet using hostapd


★★★ What does not work: ★★★
- port forwarding from the internet to the Host! This means that any service running on Host (http, ssh, VNC etc.) is not accessible from the Internet.


I have no idea why, because:
➤ All the NAT and Firewall rules on pfSense are set up and identical (config restore) to when they worked on the VirtualBox setup. NAT rules: http://i.imgur.com/jqzqYYu.png  Firewall rules: http://i.imgur.com/pfuuwAz.png
(nanoBox alias is assigned to 192.168.7.2 ip. Replacing alias with the ip itself makes no difference)
➤ The static IP of br0 is the same as the IP of the destination host in every IP rule.
➤ Host can access internet.
➤ Host can be pinged on its IP (192.168.7.2) from pfSense
➤ NAT and Firewall rules worked for any other internal IP (for example, a VNC server on one of WiFi clients)


★ Configs

Host's ifconfig

# ifconfig 
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
        inet6 fe80::4ccb:a9ff:feb7:5617  prefixlen 64  scopeid 0x20<link>
        ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
        RX packets 2825  bytes 330247 (322.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3339  bytes 802554 (783.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5ea1:75a3:7d46:befd  prefixlen 64  scopeid 0x20<link>
        ether 00:90:27:77:fb:02  txqueuelen 1000  (Ethernet)
        RX packets 223027  bytes 20719723 (19.7 MiB)
        RX errors 0  dropped 178  overruns 0  frame 0
        TX packets 6747  bytes 2101069 (2.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 12388  bytes 1341938 (1.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12388  bytes 1341938 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

macvtap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::26f4:1e55:97a0:c0cb  prefixlen 64  scopeid 0x20<link>
        ether 00:90:27:77:fb:02  txqueuelen 500  (Ethernet)
        RX packets 217268  bytes 20328935 (19.3 MiB)
        RX errors 8919  dropped 8919  overruns 0  frame 0
        TX packets 6620  bytes 2073711 (1.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5d6b:398c:6b44:d602  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:6f:2e:15  txqueuelen 500  (Ethernet)
        RX packets 4558  bytes 4062075 (3.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4583  bytes 624983 (610.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::6e57:fe92:1321:1521  prefixlen 64  scopeid 0x20<link>
        ether a0:88:69:0d:5c:41  txqueuelen 1000  (Ethernet)
        RX packets 6040  bytes 811010 (792.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7038  bytes 4986969 (4.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

/etc/netctl/br

Interface=br0
Connection=bridge
BindsToInterfaces=()
#IP=dhcp
IP=static
Address=('192.168.7.2/24')
Routes=('192.168.0.0/24 via 192.168.7.1')
Gateway=('192.168.7.1')
## Ignore (R)STP and immediately activate the bridge
#SkipForwardingDelay=yes

★ Notes that may or may not be relevant:

* When KVM starts, it creates an apparently useless vnet0 interface on the host. I say it is useless because when I was using VirtualBox in an identical setup, it did not create anything beyond the interfaces listed at the beginning of this post, and things worked fine. vnet0 remains IP-less. However, if I destroy br0, vnet0 immediately receives a DHCP IP from the pfSense guest.

* When I look at the DHCP logs on pfSense, I can see repetitive entries:

Apr 4 08:12:03 	dhcpd: DHCPDISCOVER from 4e:cb:a9:b7:56:17 via vtnet1
Apr 4 08:12:03 	dhcpd: unexpected ICMP Echo Reply from 85.28.128.1
Apr 4 08:12:04 	dhcpd: DHCPOFFER on 192.168.7.102 to 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1
Apr 4 08:12:52 	dhcpd: DHCPDISCOVER from fe:54:00:6f:2e:15 (nanoBox) via vtnet1
Apr 4 08:12:52 	dhcpd: unexpected ICMP Echo Reply from 85.28.128.1
Apr 4 08:12:53 	dhcpd: DHCPOFFER on 192.168.7.100 to fe:54:00:6f:2e:15 (nanoBox) via vtnet1
Apr 4 08:13:06 	dhcpd: DHCPDISCOVER from 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1
Apr 4 08:13:07 	dhcpd: unexpected ICMP Echo Reply from 85.28.128.1
Apr 4 08:13:07 	dhcpd: DHCPOFFER on 192.168.7.102 to 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1
Apr 4 08:13:56 	dhcpd: DHCPDISCOVER from fe:54:00:6f:2e:15 (nanoBox) via vtnet1
Apr 4 08:13:56 	dhcpd: unexpected ICMP Echo Reply from 85.28.128.1
Apr 4 08:13:57 	dhcpd: DHCPOFFER on 192.168.7.100 to fe:54:00:6f:2e:15 (nanoBox) via vtnet1
Apr 4 08:14:10 	dhcpd: DHCPDISCOVER from 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1
Apr 4 08:14:11 	dhcpd: unexpected ICMP Echo Reply from 85.28.128.1
Apr 4 08:14:12 	dhcpd: DHCPOFFER on 192.168.7.102 to 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1
Apr 4 08:15:00 	dhcpd: DHCPDISCOVER from fe:54:00:6f:2e:15 (nanoBox) via vtnet1
Apr 4 08:15:01 	dhcpd: unexpected ICMP Echo Reply from 85.28.128.1
Apr 4 08:15:01 	dhcpd: DHCPOFFER on 192.168.7.100 to fe:54:00:6f:2e:15 (nanoBox) via vtnet1
Apr 4 08:15:15 	dhcpd: DHCPDISCOVER from 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1
Apr 4 08:15:16 	dhcpd: unexpected ICMP Echo Reply from 85.28.128.1
Apr 4 08:15:16 	dhcpd: DHCPOFFER on 192.168.7.102 to 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1

★ Things I tried:
- disabling DHCP server on pfSense
- changing host's static IP
- in Firewall/NAT rules, replacing alias nanoBox with the ip itself
- many other tinkering things over the last two days that I can't recall

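The dhcpd log quoted in the post shows two client MACs repeatedly asking pfSense for a lease on vtnet1. As an added example (not part of the original post, and not a diagnosis offered by its author), the script below correlates DHCPDISCOVER client MACs with the host's interfaces, using both the current `ether` address of each interface and any MAC that can be recovered from an EUI-64 link-local IPv6 address. The embedded sample input is a constructed, abbreviated copy of the ifconfig output and dhcpd lines quoted above; on a live host you would feed it real `ifconfig` output and the pfSense DHCP log instead.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: abbreviated from the ifconfig output and dhcpd log
# quoted in the post, embedded here so the example runs offline.
IFCONFIG_SAMPLE = """\
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
        inet6 fe80::4ccb:a9ff:feb7:5617  prefixlen 64  scopeid 0x20<link>
        ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5ea1:75a3:7d46:befd  prefixlen 64  scopeid 0x20<link>
        ether 00:90:27:77:fb:02  txqueuelen 1000  (Ethernet)

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5d6b:398c:6b44:d602  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:6f:2e:15  txqueuelen 500  (Ethernet)

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::6e57:fe92:1321:1521  prefixlen 64  scopeid 0x20<link>
        ether a0:88:69:0d:5c:41  txqueuelen 1000  (Ethernet)
"""

DHCPD_LOG_SAMPLE = """\
Apr 4 08:12:03 	dhcpd: DHCPDISCOVER from 4e:cb:a9:b7:56:17 via vtnet1
Apr 4 08:12:04 	dhcpd: DHCPOFFER on 192.168.7.102 to 4e:cb:a9:b7:56:17 (nanoBox) via vtnet1
Apr 4 08:12:52 	dhcpd: DHCPDISCOVER from fe:54:00:6f:2e:15 (nanoBox) via vtnet1
Apr 4 08:12:53 	dhcpd: DHCPOFFER on 192.168.7.100 to fe:54:00:6f:2e:15 (nanoBox) via vtnet1
"""

# Linux ifconfig and ISC dhcpd both print MACs in lowercase colon form.
MAC_RE = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in a modified-EUI-64 IPv6 address.

    The interface identifier is mac[0:3] + ff:fe + mac[3:6] with the
    universal/local bit (0x02 of the first byte) inverted. Returns None when
    the ff:fe marker is absent, i.e. the address is not MAC-derived
    (RFC 7217 stable-private or a privacy address).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def host_mac_table(ifconfig_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map every MAC the host is known by to [(interface, source)].

    'ether' entries are an interface's current hardware address; 'eui64'
    entries are MACs reconstructed from its link-local IPv6 addresses, which
    can expose an address the interface used earlier and has since changed.
    """
    table: Dict[str, List[Tuple[str, str]]] = {}
    iface: Optional[str] = None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            iface = head.group(1)
            continue
        if iface is None:
            continue
        eth = re.search(r"\bether (" + MAC_RE + r")", line)
        if eth:
            table.setdefault(eth.group(1), []).append((iface, "ether"))
            continue
        ll = re.search(r"\binet6 (fe80:[0-9a-f:]+)", line)
        if ll:
            derived = mac_from_eui64(ll.group(1))
            if derived:
                table.setdefault(derived, []).append((iface, "eui64"))
    return table


def attribute_discovers(
    log_text: str, table: Dict[str, List[Tuple[str, str]]]
) -> Dict[str, List[Tuple[str, str]]]:
    """For each DHCPDISCOVER client MAC in a dhcpd log, list the host
    interfaces it belongs to. An empty list means the MAC is not a host
    address at all (e.g. a real WiFi client behind hostapd)."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for m in re.finditer(r"DHCPDISCOVER from (" + MAC_RE + r")", log_text):
        result[m.group(1)] = table.get(m.group(1), [])
    return result


if __name__ == "__main__":
    hits = attribute_discovers(DHCPD_LOG_SAMPLE, host_mac_table(IFCONFIG_SAMPLE))
    for mac, owners in hits.items():
        who = ", ".join(f"{i} ({how})" for i, how in owners) or "no host interface"
        print(f"{mac} -> {who}")
```

On this data, fe:54:00:6f:2e:15 is the host-side `ether` address of vnet0, and 4e:cb:a9:b7:56:17 is not any interface's current address but the one embedded in br0's link-local fe80::4ccb:a9ff:feb7:5617; br0 now reports a0:88:69:0d:5c:41, the same address as wlp1s0, which is what a Linux bridge does by default once it has a port. Both DISCOVERs therefore carry host-side MACs rather than a WiFi client's. The EUI-64 check is the part worth keeping in a toolbox: a stale link-local address often preserves a MAC that `ether` no longer shows, which is exactly the case where a log entry otherwise looks like an unknown device.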
