[solved] how to correctly use qemu. Was: "Packet leakage on bridged vlan interfaces"

Hi,

an RB2011 and an RB750GL are connected as follows:

This is the config on the RB2011:

/interface export compact
/interface bridge
add comment=LAN mtu=1500 name=br_vlan100 protocol-mode=none
add comment=guests name=br_vlan200 protocol-mode=none
add comment=FFFr name=br_vlan300 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1 speed=1Gbps
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6 poe-out=off
/interface vlan
add comment=LAN interface=ether5 l2mtu=1594 name=ether5.100 vlan-id=100
add comment=guests interface=ether5 l2mtu=1594 name=ether5.200 vlan-id=200
add comment="FFFr transfer" interface=ether5 l2mtu=1594 name=ether5.300 vlan-id=300
/interface bridge port
add bridge=br_vlan100 interface=wlan1
add bridge=br_vlan100 interface=ether6
add bridge=br_vlan100 interface=ether1
add bridge=br_vlan200 interface=ether5.200
add bridge=br_vlan300 interface=ether5.300
add bridge=br_vlan100 interface=ether5.100
add bridge=br_vlan300 interface=ether9
add bridge=br_vlan300 interface=ether8

And this the config on the RB750:

/interface export compact
/interface bridge
add l2mtu=1594 name=br_vlan100
add l2mtu=1594 name=br_vlan200
add l2mtu=1594 name=br_vlan300
/interface vlan
add interface=ether1 l2mtu=1594 name=ether1.100 vlan-id=100
add interface=ether1 l2mtu=1594 name=ether1.200 vlan-id=200
add interface=ether1 l2mtu=1594 name=ether1.300 vlan-id=300
/interface bridge port
add bridge=br_vlan100 interface=ether1.100
add bridge=br_vlan200 interface=ether1.200
add bridge=br_vlan300 interface=ether1.300
add bridge=br_vlan100 interface=ether2
add bridge=br_vlan200 interface=ether4
add bridge=br_vlan300 interface=ether5
add bridge=br_vlan100 interface=ether3

So basically, there is a VLAN trunk between the RB2011 (interface ether5) and the RB750 (interface ether1). On the RouterBoards, the VLAN interfaces are bridged to physical interfaces, so far no problem.

Now the packet leakage thing:

In VLAN 300 I’m using batman_adv (http://www.open-mesh.org/projects/batman-adv/wiki). This is a mesh protocol which basically creates a virtual switch in the “cloud”. This protocol is using (broadcast) packets with the ethertype 0x4305. In my case, these packets are coming from VLAN 300 from the RB750 (departing from interface ether5 bridged to ether1.300) and going to the RB2011 (arriving at interface ether5.300 bridged to ether8 and ether9). Now the crazy thing: I can see these packets on all etherX interfaces on the RB2011! This should not be the case.

After some research, I found out that the Mesh functionality in RouterOS is based on B.A.T.M.A.N. Is this conflicting with proper packet forwarding when they carry ethertype 0x4305? Apart from unnecessary traffic on the other ethernet ports, it is a bug with security implications. The bridge must not leak any traffic to other ports!

Just to clarify, I can observe this behavior with broadcast packets with ethertype 0x4305, “normal” broadcast traffic is handled correctly.

Did someone experience the same thing?

Thank you for any comments on this.

Ape

Hi again,

sorry MikroTik… it’s not a bug in RouterOS, it’s a bug in my brain.

The described issue has nothing to do with RouterOS!
But there is in fact a bridge leaking packets from VLAN 100 to VLAN 300 in my network.

It’s completely unrelated to the described issue, but maybe it is helpful for someone else.

The chain of causality for my issue:

I’m running a virtual machine with two interfaces. One connected to VLAN 100 and one to VLAN 300.
I’m using qemu for this.
I didn’t read the qemu documentation as attentively as I probably should have…
So I used this command to start my VM:

COMMAND="qemu-system-x86_64 \
        -enable-kvm \
        -smp 2 \
        -cpu host \
        -hda $IMAGE \
        -name $VM \
        -m $MEMORY \
        -boot c \
        -net nic,model=virtio,macaddr=$LAN_MAC \
        -net tap,ifname=tap10,script=$LAN_IFUP,downscript=$LAN_IFDOWN \
        -net nic,model=virtio,macaddr=$FFFR_MAC \
        -net tap,ifname=tap20,script=$FFFR_IFUP,downscript=$FFFR_IFDOWN \
        -k de -monitor $MONITOR \
        -vnc :$VNCPORT"

Virtual interfaces in qemu work like this:
On the host you have a TAP interface receiving and transmitting all the traffic from and to the guest.
Interfaces can be grouped in qemu “VLANs”, which are basically virtual hubs.

You can use this grouping in qemu VLANs with “vlan=xx” in the “-net” parameter. If you don’t use any, all interfaces are on the same virtual hub, resulting in forwarding broadcasts between the two TAP interfaces on the host.
If you look at the command above you will notice that’s exactly what’s happening there. Mea culpa!

So, the right thing to do is:

COMMAND="qemu-system-x86_64 \
        -enable-kvm \
        -smp 2 \
        -cpu host \
        -hda $IMAGE \
        -name $VM \
        -m $MEMORY \
        -boot c \
        -net nic,vlan=0,model=virtio,macaddr=$LAN_MAC \
        -net tap,vlan=0,ifname=tap10,script=$LAN_IFUP,downscript=$LAN_IFDOWN \
        -net nic,vlan=1,model=virtio,macaddr=$FFFR_MAC \
        -net tap,vlan=1,ifname=tap20,script=$FFFR_IFUP,downscript=$FFFR_IFDOWN \
        -k de -monitor $MONITOR \
        -vnc :$VNCPORT"

So, research and thinking about the findings helped! :wink:
Sorry for all the confusion.

Ape
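Added example (not from the original post or from qemu itself): a small Python check that parses a qemu command line, groups its "-net" entries into qemu "VLAN" hubs as described in the post (no vlan= means hub 0), and reports hubs that join two or more host TAP interfaces, which is exactly the host-side bridge the author found. The one-line commands and MAC addresses are constructed for the example.

```python
import shlex
from collections import defaultdict


def parse_net_args(cmdline):
    """Return (backend, options) for each '-net backend,k=v,...' on the command line."""
    argv = shlex.split(cmdline)
    nets = []
    for i, arg in enumerate(argv[:-1]):
        if arg == "-net":
            backend, *kv = argv[i + 1].split(",")
            opts = dict(item.split("=", 1) for item in kv if "=" in item)
            nets.append((backend, opts))
    return nets


def hub_members(cmdline):
    """Group -net entries by qemu 'VLAN' id; without vlan= everything lands on hub 0."""
    hubs = defaultdict(list)
    for backend, opts in parse_net_args(cmdline):
        label = opts.get("ifname") or opts.get("macaddr") or backend
        hubs[int(opts.get("vlan", 0))].append((backend, label))
    return dict(hubs)


def bridged_taps(cmdline):
    """Hubs with two or more TAP backends: a frame entering one TAP is repeated
    out of the others, so the host networks behind them are bridged."""
    return {hub: [name for kind, name in members if kind == "tap"]
            for hub, members in hub_members(cmdline).items()
            if sum(kind == "tap" for kind, _ in members) > 1}


# Constructed samples: the two command lines from the post, each on one line,
# with placeholder MAC addresses instead of the shell variables.
LEAKY = ("qemu-system-x86_64 -enable-kvm -m 512 "
         "-net nic,model=virtio,macaddr=52:54:00:00:01:00 "
         "-net tap,ifname=tap10,script=no,downscript=no "
         "-net nic,model=virtio,macaddr=52:54:00:00:03:00 "
         "-net tap,ifname=tap20,script=no,downscript=no")
FIXED = ("qemu-system-x86_64 -enable-kvm -m 512 "
         "-net nic,vlan=0,model=virtio,macaddr=52:54:00:00:01:00 "
         "-net tap,vlan=0,ifname=tap10,script=no,downscript=no "
         "-net nic,vlan=1,model=virtio,macaddr=52:54:00:00:03:00 "
         "-net tap,vlan=1,ifname=tap20,script=no,downscript=no")

if __name__ == "__main__":
    for name, cmd in (("leaky", LEAKY), ("fixed", FIXED)):
        print(name, hub_members(cmd), "bridged TAPs:", bridged_taps(cmd))
```

The vlan= option of -net was removed in QEMU 3.0; on current releases each -netdev is paired with exactly one -device, which gives the same isolation by construction.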