elihuj
Enthusiast

Routing with Vyatta

I have a physical host running ESXi 5.5 with 2 NICs connected to an unmanaged switch. I'd like to set up some additional VLANs with Vyatta to simulate different scenarios. Here is my current setup:

Port group 1:

1 NIC, Management traffic only (192.168.10.0/24 subnet)

Port group 2:

1 NIC, VM traffic (192.168.10.0/24 subnet)

Port group 3:

0 NICs, used for Vyatta

I have two VMs in port group 3. VM1 has a vNIC in port group 2, and a vNIC in port group 3. VM2 has a vNIC in port group 3. Here is the IP configuration:


VM1: 192.168.10.200, 10.10.10.200

VM2: 10.10.10.202

VM1 is my Vyatta VM. In this configuration, I am successfully able to ping between the 2 VMs on the 10.x network. I am unable to ping from my workstation to VM2, however. I added a static route on my workstation to the 10.10.10.0/24 network via 192.168.10.200. Afterwards, I am able to ping the Vyatta VM on the 10.x network. I cannot ping VM2 on the 10.x network though. I feel as though I'm missing something.. probably something simple.

abhilashhb
VMware Employee

You have a vNIC in port group 3 which has no uplink. How will your workstation ping the machine? It can only ping the 192 series, which will again not work as they are on a different subnet.

Your static route is working coz the 10.x packet is getting routed through 192.x series and reaching the VM1 on the uplink that has been provided to VM1.

Since VM2 has no uplink at all and also no route, you will not be able to ping it AFAIK. Hope I'm not wrong :)

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

elihuj
Enthusiast

This is where I was thinking that Vyatta would take over...

With the Vyatta VM, eth1 has a direct connection to the 10.x network. So when I ping 10.10.10.200 (Vyatta) from my workstation it works (via my static workstation route). When I ping VM2 (10.10.10.202) from my workstation, wouldn't it go to the Vyatta and be routed accordingly? Despite there being no physical uplink, wouldn't it use the connected interface (192.x) and route it? Apparently not! :)

grasshopper
Virtuoso

Hi elihuj,

Looks like a fun lab project.  Just curious, are you using the Brocade 5400 vRouter or the community fork VyOS?

PS - Are you setting VM2 and VM3 to use the IP Address of VM1 (router) as their default gateway?

elihuj
Enthusiast

Hey grasshopper.. hoping to make it a fun lab. I thought having some additional VLANs to play with might make things a little more exciting. A lot of the how-to's I've read on it though do use L3 switches and such. I was hoping to go with the poor man's approach!

This is the community fork of VyOS. And yes, I have both VMs using the eth0 (192.168.10.200) as their default gateway. Still no joy.

abhilashhb
VMware Employee

I totally forgot the Vyatta bit. I just saw the two VMs as normal VMs and gave that analogy.

It should technically work like you mentioned. Now you have to troubleshoot and see why it isn't happening. I too agree this is a fun setup!

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

elihuj
Enthusiast

Well.. some progress. VM2 is an Openfiler server with two interfaces. vNIC1 is on the 192.168.10.x subnet, and vNIC2 is on the 10.10.10.x subnet. After adding a route to the 10 network on my workstation, I can ping the 10 address on VM1 (Vyatta).. but as I said, I still cannot ping the 10 address on VM2. So for ha ha's, I decided to use another VM to test. I configured VM3 with a 10.10.10.x address and put it in the same port group as the others... no joy.

Then I thought about what abhilashhb said in regards to no physical interfaces, so I added a physical NIC to the port group. Once I did that, pings from my workstation to VM3 worked! I'm still puzzled as to why VM2 still doesn't ping from my workstation. I'm thinking maybe a firewall rule or something on the VM. More troubleshooting!

elihuj
Enthusiast

EDIT: Pings on VM2 are working now. I thought I set the default gateway correctly, but when I checked again it was still using the 192.x address. I changed it to the correct Vyatta IP (10.10.10.252) and pings immediately started. Good stuff.

I'm still wondering why a physical interface is needed. If the Vyatta VM is configured with two vNICs, one with a physical interface and the other without one, shouldn't it still be able to route packets on the interface without a physical NIC?

grasshopper
Virtuoso

Hi elihuj,

Can you confirm that Promiscuous Mode has been enabled on the vRouter portgroup? This can be set at either the vSwitch level or can be overridden within the desired portgroup. The default setting for Promiscuous Mode is "Reject". It will need to be set to "Accept" to prevent frames destined for VMs behind your vRouter from being dropped by the vSwitch.

Additionally, only the vRouter should have 2 portgroups. The consumer VMs using this routing solution should only have one vNIC. Also, please remove the static routes you've created while troubleshooting. Finally, clear the arp cache on the client/laptop you are testing from (or simply reboot).

Let us know how things proceed.

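Added example, not part of the original thread: a PowerCLI sketch of the setting described in the post above, applied at the port group level only, so that the other port groups on the vSwitch keep the default "Reject" (a port group set to "Accept" lets every VM attached to it receive all frames on that port group). The host name and port group name are placeholders, and an existing `Connect-VIServer` session is assumed.

```powershell
# Added example; requires VMware PowerCLI and an active Connect-VIServer session.
# $vmHost and $routerPg are placeholder names, not values from the thread.
$vmHost   = 'esxi01.lab.local'
$routerPg = 'Vyatta-Internal'

# Collect the security policy of every standard port group on the host.
function Get-PortGroupSecurity {
    param([string]$HostName)
    Get-VMHost -Name $HostName |
        Get-VirtualPortGroup -Standard |
        Get-SecurityPolicy
}

# Render the policies as a table; the *Inherited column shows whether the
# value comes from the vSwitch or is overridden on the port group itself.
function Show-PortGroupSecurity {
    param($Policies)
    $Policies |
        Select-Object @{ N = 'PortGroup'; E = { $_.VirtualPortGroup.Name } },
                      AllowPromiscuous, AllowPromiscuousInherited,
                      ForgedTransmits, MacChanges |
        Format-Table -AutoSize
}

# 1. Audit before changing anything: which port groups already accept
#    promiscuous mode, and where does each value come from?
$before = Get-PortGroupSecurity -HostName $vmHost
Show-PortGroupSecurity -Policies $before

# 2. Override the policy on the router port group only, leaving the
#    vSwitch-level default ("Reject") in place for everything else.
$target = $before | Where-Object { $_.VirtualPortGroup.Name -eq $routerPg }
if (-not $target) {
    throw "Port group '$routerPg' not found on host '$vmHost'."
}
if (-not $target.AllowPromiscuous) {
    $target | Set-SecurityPolicy -AllowPromiscuous $true | Out-Null
}

# 3. Verify: only the router port group should now report AllowPromiscuous.
$after = Get-PortGroupSecurity -HostName $vmHost
Show-PortGroupSecurity -Policies $after
$unexpected = $after | Where-Object {
    $_.AllowPromiscuous -and $_.VirtualPortGroup.Name -ne $routerPg
}
if ($unexpected) {
    Write-Warning ("Promiscuous mode is also accepted on: " +
        (($unexpected | ForEach-Object { $_.VirtualPortGroup.Name }) -join ', '))
}
```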
elihuj
Enthusiast

Promiscuous Mode! Thank you grasshopper, that was it. Enabled it at the port group level, and pings started working.
