[Netkit.users] TAP interface & masquerade

Massimo Rimondini rimondin at dia.uniroma3.it
Tue Jul 14 09:39:57 CEST 2009


Dear Cyrille,

I'm glad to hear you solved the problem.
Setting up the tunnel is surely possible (provided that the remote PC
supports tunneling as well), but may be impaired by the masquerading
that is automatically enabled when using tap interfaces. If you want,
you can disable it by running:
> iptables -t nat -D POSTROUTING -j MASQUERADE
However, be careful because the IP address of the virtual machine would
then become visible on the network!

As a reference in setting up the tunnel you may consider looking at:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Linux+IPv6-HOWTO.html

Regards,
Massimo.
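The routing failure Massimo diagnoses in the quoted message below (the tap gets the classful 10.0.0.0/8 while the host's real LAN is 10.0.0.0/24, so de-NATed echo replies to the VM win the longest-prefix match on eth0 instead of the tap) can be reproduced with a small routing-table simulation. The following is an added example, not code from the thread or from Netkit; the route entries are constructed from the addresses in the thread, and the 172.16.0.0/24 entry is a hypothetical non-overlapping subnet standing in for "any different subnet" as Massimo suggests.

```python
import ipaddress

# Longest-prefix-match lookup, the same rule the host kernel applies when it
# has to pick an outgoing interface for a de-NATed echo reply.
def lookup(routes, dst):
    """Return (prefix, interface) of the most specific route matching dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


# Constructed host routing table for Cyrille's original setup: the tap carries
# the classful /8 that vstart assumes, the host LAN is a /24 inside it.
OVERLAPPING = [
    ("10.0.0.0/8", "nk_tap_root"),   # Netkit tap side (classful default)
    ("10.0.0.0/24", "eth0"),         # host's real LAN, next hop 10.0.0.1
    ("0.0.0.0/0", "eth0"),           # default route towards the Internet
]

# Hypothetical corrected table: the tap subnet no longer overlaps the LAN.
SEPARATE = [
    ("172.16.0.0/24", "nk_tap_root"),  # assumed replacement tap subnet
    ("10.0.0.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),
]


def reply_interface(routes, vm_addr):
    """Interface the host would use to deliver a packet destined to the VM."""
    return lookup(routes, vm_addr)[1]


if __name__ == "__main__":
    # Echo reply to the VM at 10.0.0.3: the /24 on eth0 is more specific than
    # the /8 on the tap, so the reply never reaches the VM.
    print("overlapping:", reply_interface(OVERLAPPING, "10.0.0.3"))   # eth0
    # With a disjoint tap subnet the VM address only matches the tap route.
    print("separate:   ", reply_interface(SEPARATE, "172.16.0.3"))     # nk_tap_root
```

Running it shows the VM's address being routed to eth0 in the overlapping layout and to nk_tap_root once the tap uses its own subnet; the direction VM to gateway works in both cases, which is exactly the asymmetry Cyrille observed (ping 10.0.0.2 OK, ping 10.0.0.1 NOK).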

Cyrille OLIVIER wrote:
> Hi,
> Thanks for this information.
> I realized my misunderstanding of the "man vstart" content
> about tap interfaces. I thought the network interface to use in
> the host PC had to be a real and existing one. That's why I chose
> all the IPs in the same subnet :(
> Using a completely different subnet solves the issue. Thanks again.
>  
> Now, as I need to build a lab related to IPv6, I need to setup a v4/v6
> tunnel between eth0 inside r1 (so I will put a v6 IP) and the
> remote real PC:
>  
>  
>   --------                                                                                     -------------
>   |  r1  |eth0              -----------------   ------------------  real ethernet cable   eth0 |           |
>   | (vm) |------------------|nk_tap_root dev|---| eth0 of host PC|------------------------------| remote PC |
>   -------- v6 IP           -----------------   ------------------                        v6 IP |           |
>          (------------------------------------------------------------------------------------) -------------
>          (                      IPv4/v6 tunnel                                                )
>          (------------------------------------------------------------------------------------)
>  
> I hope it's possible. If it seems interesting for the mailing list
> users, I will give feedback about my work.
>  
> Rgds,
> Cyrille
>
>  
> ------------------------------------------------------------------------
> Date: Thu, 9 Jul 2009 15:18:54 +0200
> From: rimondin a dia.uniroma3.it
> To: netkit.users a list.dia.uniroma3.it
> Subject: Re: [Netkit.users] TAP interface & masquerade
>
> Dear Cyrille,
>
>     vstart r1 --con0=this --eth0=tap,10.0.0.2,10.0.0.3 => OK, r1 boot
>     successfully.
>
>
> Ok, fine.
>
>     So, inside r1: eth0=10.0.0.3/24
>
>
> Wrong. When using tap interfaces, the default classful addressing is
> assumed. Therefore, eth0 is configured with 10.0.0.3/8.
>
>     The host PC has a real network-interface eth0=10.0.0.2/24
>     To reach internet, the next-hop is the 10.0.0.1/24 in another PC.
>
>
> This is likely the problem: since the same subnet (or better, in your
> case two overlapping subnets) is used for the tap interface and for
> connecting the host to the Internet, traffic directed to that subnet
> may be unpredictably routed to eth0 on your host or to the tap
> interface. Because of the subnetting plan (10.0.0.0/8 assigned to
> Netkit, 10.0.0.0/24 assigned to your host), it is likely that echo
> request packets correctly flow out of the virtual machine, while echo
> reply packets are incorrectly routed to your host (because of the best
> prefix match rule).
>
>      
>     In the host PC, ping 10.0.0.1 is OK. ping 10.0.0.3 is OK.
>     Inside r1 vm: ping 10.0.0.2 is OK. but ping 10.0.0.1 is NOK :(
>
>
> If my conjecture is correct, your ping should report a timeout.
>
>      
>     In the host PC, I check:
>     - /proc/sys/net/ip4/ip_forward is 1 : OK
>     - iptables -L does not display the masquerading in the POSTROUTING
>     chain (result of 'iptables -t nat -A POSTROUTING -j MASQUERADE'),
>     but it seems OK.
>
>
> It does not show the entry because masquerading rules lie in a
> different table. The entry would show up if you used "iptables -t nat -L".
>
>      
>     Any idea why ping from VM to external gw is NOK?
>
>
> At this point, I suggest using a different subnet for the tap
> interface. Note that any subnet is fine because it will be hidden by
> masquerading.
>
>      
>     Thanks,
>     Best regards to all,
>     Cyrille
>
>
> Regards,
> Massimo.
>
>
>     _______________________________________________
>     Netkit.users mailing list
>     Netkit.users a list.dia.uniroma3.it <mailto:Netkit.users a list.dia.uniroma3.it>
>     http://list.dia.uniroma3.it/mailman/listinfo/netkit.users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://list.dia.uniroma3.it/pipermail/netkit.users/attachments/20090714/b4570549/attachment.htm