VMs in "bridged" mode don't surf the internet

lollapalooza · Post by **lollapalooza** » Mon Apr 20, 2020 10:58 am

A couple of days ago I had to re-install Gargoyle 1.10.0 on my router because for some reason it started to continuously reboot.

After re-installation (from scratch ... I did not restore from backup), the VMs running on my laptop don't surf the internet anymore, when the NIC is set in "bridged".

They get the IP address from DHCP, they can ping the router, but that's the last hop they can reach.

If I set the NIC in "NAT", everything works.

Any idea why the router blocks the VMs, or a suggestion on where to look?

Edit: Gargoyle is working as "Gateway".
WAN side is using DHCP (wired)
On LAN side Gargoyle runs as DHCP and DNS server.

Post by **Lantis** » Mon Apr 20, 2020 5:16 pm

Do you have enforce DHCP assignments checked?

lollapalooza · Post by **lollapalooza** » Tue Apr 21, 2020 11:41 am

Yes, I have 3 static IP addresses, but they are out of the DHCP range.

Let me explain.
DHCP range is 192.168.0.100 to 200
DHCP statically assigned IP addresses are set to 192.168.0.10, 11, 12.

The VM (I tried both with Windows and Linux) take the IP address from the DHCP range.

From within the VM I can ping the router (192.168.0.1), but I can't ping the next hop.

Post by **Lantis** » Tue Apr 21, 2020 5:49 pm

Turn off enforce DHCP and try that. They can still have static IPs, just disable that checkbox.

lollapalooza · Post by **lollapalooza** » Wed Apr 22, 2020 1:51 am

Yes, it worked.
After disabling the checkbox, both VM started to work correctly

lollapalooza · Post by **lollapalooza** » Thu Apr 23, 2020 4:24 am

Why is that happening?
Is there any way to fix this issue?

Post by **Lantis** » Thu Apr 23, 2020 6:17 am

Depends how your NIC and the bridge are handling the virtual NICs.
If the packets look like they're all coming from the same MAC address, then you're going to get an IP to MAC mismatch and it will be blocked.

Unless you're dealing with rogue or unfriendly devices on your network, that option is not useful or necessary.

lollapalooza · Post by **lollapalooza** » Thu Apr 23, 2020 7:00 am

Well... this is quite strange.
Before re-installation of Gargoyle on my 3700v2, everything was working fine.

After I re-installed, this strange behaviour has started.

And the VMs are always the same, Vmware Player is the same, the physical PC is the same.

Anyway, on the "connected devices" page I see that each VM has its own MAC address (different from the host where they run on) and its own IP.

Any suggestion?

Post by **Lantis** » Thu Apr 23, 2020 8:11 am

Try enabling it and posting the output of

Code: Select all

iptables -t filter -L lease_mismatch_check

lollapalooza · Post by **lollapalooza** » Thu Apr 23, 2020 10:07 am

Here's the output:

Code: Select all

root@PF:~# iptables -t filter -L lease_mismatch_check
Chain lease_mismatch_check (1 references)
target     prot opt source               destination
REJECT     all  -- !amazon-ca6e4221f.lan  anywhere             MAC 18:74:2E:1C:C0:8D reject-with icmp-port-unreachable
REJECT     all  --  amazon-ca6e4221f.lan  anywhere             MAC ! 18:74:2E:1C:C0:8D reject-with icmp-port-unreachable
REJECT     all  -- !amazon-ddd7c3f2d.lan  anywhere             MAC 1C:4D:66:3C:A0:F6 reject-with icmp-port-unreachable
REJECT     all  --  amazon-ddd7c3f2d.lan  anywhere             MAC ! 1C:4D:66:3C:A0:F6 reject-with icmp-port-unreachable
REJECT     all  -- !HUAWEI_P20_Pro-a0a6ea84d6.lan  anywhere             MAC 34:2E:B6:8C:89:1A reject-with icmp-port-unreachable
REJECT     all  --  HUAWEI_P20_Pro-a0a6ea84d6.lan  anywhere             MAC ! 34:2E:B6:8C:89:1A reject-with icmp-port-unreachable
REJECT     all  -- !Honor_8.lan          anywhere             MAC 48:3C:0C:74:97:A6 reject-with icmp-port-unreachable
REJECT     all  --  Honor_8.lan          anywhere             MAC ! 48:3C:0C:74:97:A6 reject-with icmp-port-unreachable
REJECT     all  -- !amazon-61680fc67.lan  anywhere             MAC 68:DB:F5:7D:F1:8A reject-with icmp-port-unreachable
REJECT     all  --  amazon-61680fc67.lan  anywhere             MAC ! 68:DB:F5:7D:F1:8A reject-with icmp-port-unreachable
REJECT     all  -- !RBS40V               anywhere             MAC 78:D2:94:19:F3:08 reject-with icmp-port-unreachable
REJECT     all  --  RBS40V               anywhere             MAC ! 78:D2:94:19:F3:08 reject-with icmp-port-unreachable
REJECT     all  -- !iPhone-di-Paolo.lan  anywhere             MAC 84:8E:0C:33:DA:8E reject-with icmp-port-unreachable
REJECT     all  --  iPhone-di-Paolo.lan  anywhere             MAC ! 84:8E:0C:33:DA:8E reject-with icmp-port-unreachable
REJECT     all  -- !iPadAir2Paolo.lan    anywhere             MAC 90:8D:6C:52:53:81 reject-with icmp-port-unreachable
REJECT     all  --  iPadAir2Paolo.lan    anywhere             MAC ! 90:8D:6C:52:53:81 reject-with icmp-port-unreachable
REJECT     all  -- !Y520-Paolo.lan       anywhere             MAC 98:22:EF:CF:3E:79 reject-with icmp-port-unreachable
REJECT     all  --  Y520-Paolo.lan       anywhere             MAC ! 98:22:EF:CF:3E:79 reject-with icmp-port-unreachable
REJECT     all  -- !RBS40                anywhere             MAC B0:B9:8A:5E:51:93 reject-with icmp-port-unreachable
REJECT     all  --  RBS40                anywhere             MAC ! B0:B9:8A:5E:51:93 reject-with icmp-port-unreachable
REJECT     all  -- !RBR40                anywhere             MAC B0:B9:8A:5E:57:C4 reject-with icmp-port-unreachable
REJECT     all  --  RBR40                anywhere             MAC ! B0:B9:8A:5E:57:C4 reject-with icmp-port-unreachable
REJECT     all  -- !SonosZP.lan          anywhere             MAC B8:E9:37:B7:91:8E reject-with icmp-port-unreachable
REJECT     all  --  SonosZP.lan          anywhere             MAC ! B8:E9:37:B7:91:8E reject-with icmp-port-unreachable
REJECT     all  -- !ue55nu8000           anywhere             MAC C0:48:E6:2E:9B:EA reject-with icmp-port-unreachable
REJECT     all  --  ue55nu8000           anywhere             MAC ! C0:48:E6:2E:9B:EA reject-with icmp-port-unreachable
REJECT     all  -- !192.168.0.246        anywhere             MAC DC:4F:22:EE:97:6A reject-with icmp-port-unreachable
REJECT     all  --  192.168.0.246        anywhere             MAC ! DC:4F:22:EE:97:6A reject-with icmp-port-unreachable
REJECT     all  -- !192.168.0.193        anywhere             MAC F4:B8:5E:24:81:62 reject-with icmp-port-unreachable
REJECT     all  --  192.168.0.193        anywhere             MAC ! F4:B8:5E:24:81:62 reject-with icmp-port-unreachable

There's also something else of interest, perhaps.

Physical host is 192.168.0.207 / 98-22-EF-CF-3E-79
VM is 192.168.0.133 / 00:0C:29:3C:83:C5

This is arp from Gargoyle router (it sees same MAC both for host and PH):

Code: Select all

root@PF:~# arp | grep 98:22
192.168.0.207    0x1         0x2         98:22:ef:cf:3e:79     *        br-lan
192.168.0.133    0x1         0x2         98:22:ef:cf:3e:79     *        br-lan

This is logread from Gargoyle router (correct MAC shown for VM):

Code: Select all

Thu Apr 23 16:00:56 2020 daemon.info dnsmasq-dhcp[30665]: DHCPREQUEST(br-lan) 192.168.0.133 00:0c:29:3c:83:c5
Thu Apr 23 16:00:56 2020 daemon.info dnsmasq-dhcp[30665]: DHCPACK(br-lan) 192.168.0.133 00:0c:29:3c:83:c5 paolo-linux-vm

Gargoyle Forum

VMs in "bridged" mode don't surf the internet

VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet

Re: VMs in "bridged" mode don't surf the internet