Discussion:
I can’t get veb/vport to work with vmd.
Luke Small
2021-05-06 02:04:04 UTC
There seem to be ZERO examples of using veb/vport vs bridge/vether. I am
running 6.9 now and I substituted the bridge0 usage in vm.conf and I copied
the hostname.vether0 into hostname.vport0 and hostname.bridge0 uses vether0
so I used vport0 in hostname.veb0. I used ifconfig … down for bridge0 and
vether0 and ifconfig … up for vport0 and veb0 and ran “sh /etc/netstart
veb0”, then ran the vm of choice and it gets no internet. I reverted
everything back and I get internet.

What am I missing?
--
-Luke
Mike Larkin
2021-05-06 02:15:55 UTC
Post by Luke Small
There seem to be ZERO examples of using veb/vport vs bridge/vether. I am
running 6.9 now and I substituted the bridge0 usage in vm.conf and I copied
the hostname.vether0 into hostname.vport0 and hostname.bridge0 uses vether0
so I used vport0 in hostname.veb0. I used ifconfig … down for bridge0 and
vether0 and ifconfig … up for vport0 and veb0 and ran “sh /etc/netstart
veb0”, then ran the vm of choice and it gets no internet. I reverted
everything back and I get internet.
What am I missing?
--
-Luke
a tcpdump and what's in your pf.conf
Mischa
2021-05-06 08:36:04 UTC
Post by Luke Small
There seem to be ZERO examples of using veb/vport vs bridge/vether. I am
running 6.9 now and I substituted the bridge0 usage in vm.conf and I copied
the hostname.vether0 into hostname.vport0 and hostname.bridge0 uses vether0
so I used vport0 in hostname.veb0. I used ifconfig … down for bridge0 and
vether0 and ifconfig … up for vport0 and veb0 and ran “sh /etc/netstart
veb0”, then ran the vm of choice and it gets no internet. I reverted
everything back and I get internet.
What am I missing?
Can you share your config?

I have it working with like:

***@server14:~ # ls /etc/hostname.* | xargs -n1 -t head -n5
head -n5 /etc/hostname.em0
up
head -n5 /etc/hostname.veb911
add vport911
up
head -n5 /etc/hostname.vlan910
vnetid 910 parent em0
inet 46.23.91.24 255.255.255.192
inet6 2a03:6000:910::24 64
up
head -n5 /etc/hostname.vport911
inet 46.23.91.65 255.255.255.192

***@server14:~ # cat /etc/vm.conf
switch "uplink_veb911" {
        interface veb911
}

vm "vm01" {
        disable
        owner runbsd
        memory 1G
        disk "/var/vmm/vm01.qcow2" format qcow2
        interface tap {
                switch "uplink_veb911"
                lladdr fe:e1:bb:d4:d4:01
        }
}

Mischa
Luke Small
2021-05-06 21:47:06 UTC
I got it working. I have a pretty hefty amount of vether0 and
vether0:network in my pf.conf that I changed to vport0 and vport0:network.

That fixed every single thing!

I somehow completely forgot about all the vether0 pf rules which isolate
the various local systems so VMs are isolated from being able to do
anything malicious to any local systems.

I silently redirect the VMs' dns and ntp calls to my OpenBSD services to
harden them a bit too.

-Luke
Stuart Henderson
2021-05-07 08:46:52 UTC
Post by Luke Small
I got it working. I have a pretty hefty amount of vether0 and
vether0:network in my pf.conf that I changed to vport0 and vport0:network.
That fixed every single thing!
I somehow completely forgot about all the vether0 pf rules which isolate
the various local systems so VMs are isolated from being able to do
anything malicious to any local systems.
I silently redirect the VMs' dns and ntp calls to my OpenBSD services to
harden them a bit too.
-Luke
Make sure you remember you've done this when you try to debug a DNS
problem on the VMs. Recursive and authoritative DNS lookups aren't
interchangeable...

If you want to force a specific DNS server I recommend blocking others,
not silently redirecting.
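The two posts above describe the pf side of the veb/vport move without showing it: the vether0 rules that isolate the VMs have to become vport0 rules, and the DNS/NTP "silent redirect" is better done as a block. The fragment below is an added example, not a config from anyone in the thread or from the OpenBSD project. It assumes a layout that nobody in the thread states: veb0 switches the VM tap interfaces, vport0 is the host's port on veb0 with 10.0.0.1/24, em0 is the uplink, and the host's unbound and ntpd listen on 10.0.0.1. The weak rdr-to variant is left in, commented out, next to the block variant that replaces it.

```pf
# Added example (not from the thread). Assumptions: veb0 carries the VM taps,
# vport0 is the host's port on it with 10.0.0.1/24, em0 is the uplink, and
# unbound + ntpd on the host listen on 10.0.0.1. Host-side inbound rules for
# em0 (ssh etc.) are deliberately omitted.
ext_if  = "em0"
vm_if   = "vport0"
host_ip = "10.0.0.1"

# Local ranges the VMs must never reach: host LANs, other VLANs, management.
table <local_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo

# NAT the VM subnet out of the uplink. A forwarded flow gets a second state
# on $ext_if in OpenBSD pf, so this match rule and the pass out below apply.
match out on $ext_if inet from $vm_if:network to any nat-to ($ext_if)

block return log

# 1. The only DNS and NTP the VMs get are the host's own services.
pass in quick on $vm_if inet proto { tcp, udp } from $vm_if:network to $host_ip port 53
pass in quick on $vm_if inet proto udp from $vm_if:network to $host_ip port 123

# 2a. Weak variant, as described in the thread: silently rewrite any other
#     DNS/NTP destination to the host. A VM that asks 8.8.8.8 is really
#     answered by the host's recursive resolver and cannot tell.
#pass in quick on $vm_if inet proto { tcp, udp } from $vm_if:network to any port 53 rdr-to $host_ip
#pass in quick on $vm_if inet proto udp from $vm_if:network to any port 123 rdr-to $host_ip

# 2b. Hardened variant: refuse instead of redirect. The VM gets a RST or ICMP
#     unreachable, so a wrong resolver shows up in the VM's own logs and in
#     pflog rather than as a mystery answer.
block return in quick on $vm_if inet proto { tcp, udp } from $vm_if:network to any port 53
block return in quick on $vm_if inet proto udp from $vm_if:network to any port 123

# 3. Nothing else from the VMs toward local networks, including the rest of
#    the host's own addresses.
block return in quick on $vm_if inet from $vm_if:network to <local_nets>
block return in quick on $vm_if inet from $vm_if:network to ($ext_if)

# 4. Everything else from the VM subnet may leave via the uplink.
pass in on $vm_if inet from $vm_if:network to any
pass out on $ext_if inet
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss | grep vport0` afterwards should show only states toward 10.0.0.1:53, 10.0.0.1:123 and non-local destinations. One caveat that does not change between bridge/vether and veb/vport: pf only sees frames that cross vport0 into the host stack. Frames between two VMs on the same veb0 are switched inside veb0 and never hit these rules, so VM-to-VM isolation has to be done on the switch, not in pf.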
