I have generated traffic via pktgen-dpdk on one VM and L2fwd on another VM. Two ports, which are virtio-net, are attached via an internal network. I wanted to confirm if I am getting the right results for L2 forwarding being done when traffic is generated. [screenshots: L2fwd result 1, L2fwd result 2, L2fwd result 3]
Since VirtualBox is used on a host Linux machine, the configuration needs to be correct in the network settings to allow packet flow from host to guest. By changing the host-only mode in the adapter settings one can send packets to and from the desired NIC.
I am trying to configure the l3fwd-acl application for a gateway. The l3fwd-acl DPDK application is running on a Mellanox NIC, using DPDK (dpdk-stable-20.11) as a shared library.
Edit:
Earlier scenario of Connection setup of l3fwd acl testing using Trex Traffic generator
In this scenario the packets are forwarded by the L3fwd ACL application of DPDK in the direction from Port 1 to Port 0 of the Trex traffic generator. This was made possible by including in the --eth-dest flag the MAC address indicated by Trex at initialization. On including this MAC address the packets were detected by the Rx side of the traffic generator, i.e. Port 0.
Current scenario
This setup was modified to mimic gateway level deployment to test L3fwd ACL as shown in the connection diagram attached below.
Connection Diagram attached
In this setup the ports connected to the traffic generator are replaced by two machines that mimic the external network and internal LAN network as shown. We have tried to ping the external and internal network without running DPDK application. The ping in the network is working without enabling DPDK. The L3fwd ACL application was subsequently started with the command given below with the physical MAC address of the machine which was replaced at the port 0 side which was earlier connected to the traffic generator. Port 0 received the traffic from the L3fwd ACL application in the case of the traffic generator. The main difference is that we are including a physical MAC address with the --eth-dest flag in the gateway scenario whereas an emulated MAC indicated by the traffic generator was used with --eth-dest flag to forward the packets in the working setup for L3fwd ACL using traffic generator in a loopback manner.
The physical MAC address of the interface of the Rx side of external network machine connected at Port 0 is not receiving the traffic destined out from the L3fwd ACL application. The configured Route entry in rule_ipv4.db is R0.0.0.0/0 0.0.0.0/0 0 : 65535 0 : 65535 0/0xff 0.
I am not able to trace the packets at the interface with the MAC address given in the --eth-dest parameter. After starting l3fwd-acl, the destination host is unreachable.
Command used for L3FWD ACL
./dpdk-l3fwd-acl -l 1-7 -n 4 -- -p 0x3
--config="(0,0,1),(1,0,2),(0,1,3),(1,1,4),(0,2,5),(1,2,6),(0,3,7)" --rule_ipv4="/root/rule_ipv4.db" --rule_ipv6="/root/rule_ipv6.db" --eth-dest=0,next-hop-MAC-here
How do I configure the l3fwd-acl DPDK sample application for a gateway?
The DPDK example code l3fwd-acl works on IP packets only. Non-IP packets are dropped in the function process_one_packet. When an external packet generator such as TREX, DPDK_PKTGEN, SCAPY, PACKETH or PCAP replay is used with IP packets, they are not dropped and the ACL lookup is performed. Packets matching a rule are forwarded through the DPDK ports, while those with no match are dropped.
In your current scenario, connecting the interface to an actual network could lead to:
- ARP or RARP packets being generated
- LDAP packets being generated
- VLAN-tagged packets being generated if connected over a managed switch
In all the above cases these are treated as non-IP packets, leading to them being dropped. Hence the recommended way is to add static ARP entries on the end machines or the switch. This will eliminate the ARP and RARP packets.
Note: If the external devices are not configured in promiscuous mode, please use --eth-macaddress to help l3fwd-acl update the MAC address too.
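As an added example (not from the page or from DPDK's own sources), a small Python model of how l3fwd-acl rule_ipv4.db lines are parsed and matched, so a route entry like the one quoted above can be sanity-checked against a sample flow before it is deployed. The rule layout ('@' ACL lines, 'R' route lines ending in an output port), the constructed rules, and first-match-wins ordering within each table are assumptions; the ethertype check stands in for the non-IP drop in process_one_packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule_ipv4.db contents (assumed layout: '@' = ACL/deny rule,
# 'R' = route rule whose trailing field is the output port).
RULE_DB = """
@192.168.10.0/24 0.0.0.0/0 0 : 65535 22 : 22 0x6/0xff
R0.0.0.0/0 10.0.0.0/8 0 : 65535 0 : 65535 0x0/0x0 1
R0.0.0.0/0 0.0.0.0/0 0 : 65535 0 : 65535 0/0xff 0
"""

@dataclass
class Rule:
    deny: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Tuple[int, int]
    dport: Tuple[int, int]
    proto: int
    proto_mask: int
    port: Optional[int]  # output port for 'R' rules, None for '@' rules

def parse_rule(line: str) -> Rule:
    """Parse one rule line; the ':' port-range delimiters are separate tokens."""
    kind, f = line[0], line[1:].split()
    if kind not in "@R" or len(f) < 9 or f[3] != ":" or f[6] != ":":
        raise ValueError(f"malformed rule: {line!r}")
    proto, mask = (int(x, 0) for x in f[8].split("/"))  # base 0 accepts '6' or '0x6'
    return Rule(kind == "@", ipaddress.IPv4Network(f[0]), ipaddress.IPv4Network(f[1]),
                (int(f[2]), int(f[4])), (int(f[5]), int(f[7])), proto, mask,
                int(f[9]) if kind == "R" else None)

def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def matches(r: Rule, src: str, dst: str, sport: int, dport: int, proto: int) -> bool:
    """Prefix match on addresses, range match on ports, masked compare on protocol."""
    return (ipaddress.IPv4Address(src) in r.src and ipaddress.IPv4Address(dst) in r.dst
            and r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]
            and (proto & r.proto_mask) == (r.proto & r.proto_mask))

def classify(rules: List[Rule], ethertype: int, src: str, dst: str,
             sport: int, dport: int, proto: int) -> Optional[int]:
    """Return the output port, or None where l3fwd-acl would drop the packet."""
    if ethertype != 0x0800:  # non-IPv4 frames (ARP, RARP, VLAN) never reach the lookup
        return None
    if any(matches(r, src, dst, sport, dport, proto) for r in rules if r.deny):
        return None          # ACL table is consulted first; a hit means drop
    for r in rules:          # then the route table; first matching line wins
        if not r.deny and matches(r, src, dst, sport, dport, proto):
            return r.port
    return None              # no route match: dropped as well

RULES = load_rules(RULE_DB)
```

Note that with a protocol field of 0/0xff only protocol number 0 matches, whereas 0x0/0x0 matches any protocol; checking a TCP or ICMP flow against the rule makes the difference visible.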
I'm using VMware Workstation 12, and have moved a VM from one drive to another. Upon restarting the machine, I lost all of the networking (there are two network devices connected, one for a NAT connection, and the other is host-only), so after removing and re-adding the two network devices, I have a working NAT connection, but the host-only connection doesn't auto-connect.
I've tried ifconfig eth1 up, which shows the device as active but with no inet address (only an IPv6 address). I've tried everything but restarting the host (which I can't do as I have a long-running process occurring).
For myself and everybody else's future reference (and many hours of frustrating searching and reading): I had to add eth1 to /etc/network/interfaces for some reason. eth0 was already defined, but not eth1. After adding it and restarting, the device appeared on the network with an IP address.
I've installed pfSense 2.3 x64 in VirtualBox with 2 adapters: one is bridged to my wifi adapter (ADSL modem) (WAN) and the other one is set as 'Internal network' ('intnet') (LAN).
The problem is that although pfSense can automatically detect DHCP over the first adapter and get an IP, my system (the host) cannot ping the pfSense server (pfSense can ping both the ADSL modem gateway and the host).
Note 1: Disabling the antivirus and firewall (Kaspersky Internet Security 2016) has no effect.
Note 2: I know that this setup works because I use the exact same network configuration for a Kerio Control server (v9.0.2, installed in VirtualBox).
Note 3: If I constantly ping the pfSense server from my host (ping 192.168.1.102 -t) and at the same time restart the pfSense server, during the booting phase of pfSense I get two ping replies!
After contacting the pfSense official forum, it turned out that the WAN interface blocks everything by default. Therefore, either a rule should be defined to allow the WAN to accept traffic, or the server should be accessed from the LAN side.
I figured this out without having to go through the WAN interface; the answer is on the pfSense forum.
Configure host-only network "vboxnet1" (or any of the other host-only networks if you're already using vboxnet1 for other VMs) with the following:
192.168.1.77 (or whatever IP you want your host to appear as on the network)
255.255.255.0
DHCP Disabled
Then make sure that the LAN adapter on your pfSense VM is a "Host-only Adapter" and that it's using "vboxnet1" (or whatever network you configured above).
Reboot/re-install and http://192.168.1.1 should work now.
I am currently attempting to configure iptables to only allow certain MAC addresses to connect to port 3690 (svn).
Step 1 - On EC2 Management Console > Security Groups (group name: default) I opened port 3690 for the whole subnet.
Step 2 - On my Linux server (Amazon Linux AMI 64-bit), I configured iptables:
2.1 Allow my MAC address (port 3690)
2.2 Drop from all (port 3690)
[ec2-user@ip-172-31-7-2 ~]$ sudo iptables -n -L -v --line-numbers
Chain INPUT (policy ACCEPT 1974 packets, 206K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690 MAC 50:46:5D:C7:63:C1
2 5 272 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690
But the firewall does not work correctly. I cannot telnet to port 3690 from the allowed MAC address. If I delete the iptables rules, all clients can access this port.
Could anyone help me?
If the client and the server are not on the same IP subnet, then by definition there must be at least one router between them, so again by definition the two systems are not going to be able to detect each other's MAC address.
MAC addresses identify devices at layer 2 on their local, physical network only, while routers operate at layer 3, stripping off the incoming layer 2 address and using their own layer 2 address when sending the packet to the next router or host on the way to the destination. An incoming packet from a device on a different subnet always arrives with the MAC address of the router that delivers the packet.
What you are trying to do is not possible for machines on different subnets, and it's just as well, because MAC addresses are absolutely trivial to "spoof," making MAC address-based security nothing more than security by obscurity, which is not a meaningful level of security.
You should probably not even consider running svnserve listening on an Internet-connected machine like this. The svn+ssh:// mechanism supported by Subversion does not require the server to have an always-open port listening for connections; it works with your existing ssh keys, which, assuming you haven't carelessly configured sshd to allow logins with only a password (instead of keys), are a phenomenally more secure mechanism for controlling access, not to mention automatically encrypting your traffic as it traverses the Internet.
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshauth
Although Michael's answer is great, I would like to add a 'practical' solution.
Dome9 can automate your Firewalls and allow on-demand access to your server while 'cloaking' it from the rest of the internet. It can do so by dynamically managing your AWS security groups or by managing your iptables.
Disclaimer - I'm a proud Dome9er ;)
I have a NAT configured to run when loading up my favorite Linux distribution in VirtualBox. This allows outgoing connections to work successfully.
How do I allow incoming connections to this box, like, say, Web traffic? The IP address is 10.0.2.15. A ping request from my main box results in a Timeout.
VirtualBox (after version 1.3.8, anyway) will let you map incoming connections in the NAT configuration. There's an excellent tutorial on Aviran's Place that describes the steps to configure port mapping.