Cannot access bridged VM in LAN

I have a Windows host running VMware at 10.9.9.254, and on the same machine I am also running a CentOS VM (10.9.9.253) bridged to the interface that uses 10.9.9.254. Normally this works, but I cannot figure out why my current setup doesn't.

In WinBox, I can ping both 10.9.9.254 and 10.9.9.253 perfectly fine, but the CentOS VM and the Windows host cannot ping or access each other.

My config :

# jan/29/2020 23:52:29 by RouterOS 6.46.2
# Export of a router with three routed LANs (ether1 10.8.8.0/24, ether2
# 10.9.9.0/24, ether3 10.7.7.0/24) behind a PPPoE uplink named Biznet on
# ether10. No /interface bridge section appears in this export.
# NOTE(review): 10.9.9.253 and 10.9.9.254 are in the same /24 on ether2, so
# traffic between them is delivered at layer 2 and presumably never passes
# through the IP firewall rules below.
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no
set [ find default-name=ether2 ] auto-negotiation=no
set [ find default-name=ether3 ] auto-negotiation=no
set [ find default-name=ether9 ] auto-negotiation=no
set [ find default-name=ether10 ] auto-negotiation=no
# PPPoE uplink. password= and user= look like placeholders substituted before
# posting; an export shared publicly should never carry the real values
# (on RouterOS v6, "export hide-sensitive" omits them).
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether10 max-mru=1480 max-mtu=\
    1480 name=Biznet password=password use-peer-dns=yes user=username
# All twelve switch ports are set to default-vlan-id=0; no switch VLAN table
# entries appear in this export.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): dhcp_monster ends at 10.9.9.254, so it covers 10.9.9.253 and
# 10.9.9.254, the two hosts described above the listing. If those addresses
# are set statically, a lease for the same address could collide with them;
# confirm they are DHCP leases, or shrink the pool.
/ip pool
add name=dhcp_hotspot ranges=10.8.8.2-10.8.8.254
add name=dhcp_monster ranges=10.9.9.2-10.9.9.254
add name=dhcp_guest ranges=10.7.7.2-10.7.7.254
# One DHCP server per LAN interface; add-arp=yes makes the router add an ARP
# entry for each lease it hands out.
/ip dhcp-server
add add-arp=yes address-pool=dhcp_hotspot disabled=no interface=ether1 name=\
    Hotspot
add add-arp=yes address-pool=dhcp_monster disabled=no interface=ether2 name=\
    Monster
add add-arp=yes address-pool=dhcp_guest disabled=no interface=ether3 name=\
    Guest
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
add max-limit=100M/97M name=sfq-default queue=sfq-default/sfq-default target=\
    Biznet
# SYN cookies are enabled; the route cache is turned off.
/ip settings
set route-cache=no tcp-syncookies=yes
/ip address
add address=10.8.8.1/24 interface=ether1 network=10.8.8.0
add address=10.9.9.1/24 interface=ether2 network=10.9.9.0
add address=10.7.7.1/24 interface=ether3 network=10.7.7.0
# Each LAN is told to use the router itself as gateway and DNS server.
/ip dhcp-server network
add address=10.7.7.0/24 dns-server=10.7.7.1 gateway=10.7.7.1
add address=10.8.8.0/24 dns-server=10.8.8.1 gateway=10.8.8.1
add address=10.9.9.0/24 dns-server=10.9.9.1 gateway=10.9.9.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# on every interface it is reachable on, including the Biznet uplink. The
# input rules in this export only match protocol=udp on port 53, so DNS over
# TCP/53 arriving from the internet is not filtered by anything visible here.
/ip dns
set allow-remote-requests=yes cache-size=9086KiB max-concurrent-queries=10000 \
    max-concurrent-tcp-sessions=20000 servers=8.8.8.8,8.8.4.4
# DNS_Accept: addresses exempted from the DNS_DDoS blacklist (local subnets
# and upstream resolvers).
# NOTE(review): 172.16.0.0/12 and 192.168.0.0/16 are listed although no such
# network is configured on this router - presumably template leftovers.
/ip firewall address-list
add address=10.7.7.0/24 list=DNS_Accept
add address=10.8.8.0/24 list=DNS_Accept
add address=10.9.9.0/24 list=DNS_Accept
add address=172.16.0.0/12 list=DNS_Accept
add address=192.168.0.0/16 list=DNS_Accept
add address=8.8.8.8 comment="Add DNS Server to this List" list=DNS_Accept
add address=8.8.4.4 comment="Add DNS Server to this List" list=DNS_Accept
add address=4.2.2.1 comment="Add DNS Server to this List" list=DNS_Accept
add address=4.2.2.2 comment="Add DNS Server to this List" list=DNS_Accept
add address=203.142.82.222 comment="Add DNS Server to this List" list=\
    DNS_Accept
add address=203.142.84.222 comment="Add DNS Server to this List" list=\
    DNS_Accept
/ip firewall filter
# forward chain: fasttrack, then accept, established/related connections.
# NOTE(review): there is no rule for new forwarded connections, so the
# default (accept) applies and clients on the three LANs can reach each other
# through the router; the Guest and Hotspot networks are not isolated from
# 10.9.9.0/24 by anything in this export.
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
# input chain: every packet addressed to the router goes through DNS_DDoS.
# NOTE(review): once that chain returns there is no further input rule, so
# nothing drops unsolicited traffic arriving on Biznet. A usual baseline is
# accept established/related, accept from the LAN interfaces, drop the rest.
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=\
    DNS_DDoS
# port=53 matches either the source or the destination port, so these two
# rules cover queries from listed clients and replies from listed resolvers.
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" port=53 \
    protocol=udp src-address-list=DNS_Accept
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" \
    dst-address-list=DNS_Accept port=53 protocol=udp
# NOTE(review): UDP source addresses can be spoofed, so outsiders can fill
# this list with addresses of their choosing; none-dynamic keeps each entry
# until reboot. Resolvers learned via use-peer-dns=yes would also land here
# if they are not in DNS_Accept - confirm against the provider's servers.
add action=add-src-to-address-list address-list=DNS_DDoS \
    address-list-timeout=none-dynamic chain=DNS_DDoS comment=\
    "Add DNS_DDoS Offenders to Blacklist" port=53 protocol=udp \
    src-address-list=!DNS_Accept
# No protocol or port matcher: all traffic from a blacklisted source to the
# router is dropped, not only DNS.
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" \
    src-address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
# Every mangle rule below carries disabled=yes, so none of them is active.
/ip firewall mangle
add action=jump chain=forward comment="tcp mss" disabled=yes jump-target=mss \
    protocol=tcp tcp-flags=syn
add action=change-mss chain=mss comment="tcp  mss fixation" disabled=yes \
    new-mss=1440 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!536-1460
add action=change-mss chain=mss comment="tcp  mss 1440 for mtu 1492" \
    disabled=yes new-mss=1440 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=1453-65535
add action=change-mss chain=mss comment="TCP mss clamp-to-pmtu" disabled=yes \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-ttl chain=prerouting comment="TCP  mss ttl fix" disabled=\
    yes new-ttl=set:65 passthrough=yes
add action=change-mss chain=postrouting disabled=yes new-mss=1436 \
    out-interface=Biznet passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=\
    !0-1436
# Source NAT out of Biznet, one rule per source subnet.
# NOTE(review): the 10.9.9.0/24 rule appears twice, and 10.10.10.0/24 has no
# matching address on this router; both entries look redundant.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.9.9.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.8.8.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.9.9.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.7.7.0/24
# telnet, ftp, ssh, api and api-ssl are disabled.
# NOTE(review): winbox and www are not listed, so they are at their defaults
# (enabled, no address= restriction). With no drop rule in the input chain
# they are presumably reachable from the Biznet side as well; restrict them
# with address= or an input filter.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): UPnP lets any host on an internal interface request port
# forwards on Biznet without authentication. ether1 (Hotspot) and ether3
# (Guest) are internal here too; consider limiting UPnP to the trusted LAN or
# turning it off.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=Biznet type=external
add interface=ether1 type=internal
add interface=ether2 type=internal
add interface=ether3 type=internal
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Sentinel
# Extra log rules for the pppoe and debug topics; debug output is verbose and
# is usually removed again after troubleshooting.
/system logging
add topics=pppoe
add topics=debug

Probably the reason lies within configuration of VM network bridge.

Here are switching/bridging basics (I’ll use the word switch, but the same applies to a bridge): when a switch receives an ethernet frame, it forwards it either to a single destination port (if it already knows that the dst MAC address is behind a certain port) or to all ports (if it still needs to learn which port serves the dst MAC). But it will never forward an ethernet frame back out of the port it arrived on, because if all switches/bridges do their job properly, some other switch connected to that port (which obviously forwarded the frame to all its ports) has already delivered that frame to the destination (or at least in the right direction).

A true story: HPE produces fine servers, and all of them feature a Board Management Computer; in HPE language it’s called iLO. It can either use a dedicated ethernet port or share an ethernet interface with the “normal” server. If the combined connection is used, then the host cannot connect to its own iLO card … because the internal connection is not a proper switch … hence frames originating from the host OS and targeting iLO leave the server via the ethernet cable and never return via the same cable, because the switch won’t send them back.

@mkx
You are correct in a way: it wasn’t a router or adapter fault. I have cFosSpeed installed on the VM host, and it apparently doesn’t support the VMware bridge driver, so disabling the cFosSpeed driver in the network adapter properties makes traffic flow to the VM guest (CentOS) again.