Bridge doesn't forward all traffic (Ubuntu Xenial)

I'm quite new to this bridging world. I am experiencing an issue that I broke my neck trying to fix, but I failed.

I have a machine with Ubuntu Xenial 16.04 installed that hosts a guest VM. I have created a bridge (virbr, which is tied to vnet1) to forward all traffic from host -> VM.

It seems that not all traffic is forwarded gracefully. We miss lots of traffic. For example, Trace-1 reached the bridge but is not seen on vnet1 (nothing forwarded).

[Image: Trace-1, traffic sample of Trace-1]

Any ideas please? In the case of Trace-2, all packets are seen on vnet0 (100% forwarded).

[Image: traffic sample of Trace-2]

I haven't touched iptables

root@physc_host:/proc/sys/net/unix# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
root@physc_host:/proc/sys/net/unix# 

Solution 1:

I found the solution to my issue. Bridges need to learn which computers are connected to which LANs. More formally, they need to learn whether to forward to each address. To learn which addresses are in use, and which ports (interfaces on the bridge) they are closest to, bridges observe the headers of received Ethernet frames. By examining the MAC source address of each received frame, and recording the port on which it was received, the bridge may learn which addresses belong to the computers connected via each port. This is called "learning". In the figure below, consider three computers X, Y, Z. Assume each sends frames to the other computers. The source addresses X, Y are observed to be on network A, while the address of computer Z will be observed to be on network B.

The learned addresses are stored in an interface address table associated with each port (interface). Once this table has been set up, the bridge examines the destination address of all received frames; it then scans the interface tables to see if a frame has been received from the same address (i.e. a packet with a source address matching the current destination address). Three possibilities exist:

  1. If the address is not found, no frames have been received from the source. The source may not exist, or it may not have sent any frames using this address. (The address may also have been deleted by the bridge because the bridge software was recently restarted, ran short of address entries in the interface table, or deleted the address because it was too old). Since the bridge does not know which port to use to forward the frame, it will send it to all output ports, except that on which it was received. (It is clearly unnecessary to send it back to the same cable segment from which it was received, since any other computer/bridges on this cable must already have received the packet.) This is called flooding.

  2. If the address is found in an interface table and the address is associated with the port on which it was received, the frame is discarded. (It must already have been received by the destination.)

  3. If the address is found in an interface table and the address is not associated with the port on which it was received, the bridge forwards the frame to the port associated with the address.

Packets with a source of X and destination of Y are received and discarded, since the computer Y is directly connected to the LAN A, whereas packets from X with a destination of Z are forwarded to network B by the bridge.

To resolve this, set the aging time to zero with the command below:

$ brctl setageing br0 0

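To make the three forwarding cases in the answer concrete, here is an added Python model of a learning bridge (example code written for this page, not from the original post or from bridge-utils). The constructed scenario shows a frame for the VM being silently discarded under case 2 after the VM's MAC was learned on the wrong port, and being forwarded again only once that entry ages out; with an ageing time of 0 the model never learns and floods every frame, the hub-like behaviour the answer relies on. Port names and MAC addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    in_port: str   # bridge port the frame arrived on


class LearningBridge:
    """Learning bridge model: fdb maps MAC -> (port, time last seen)."""

    def __init__(self, ports, ageing):
        self.ports = list(ports)
        self.ageing = ageing   # seconds; 0 models `brctl setageing br0 0`
        self.fdb = {}

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.fdb.items() if now - seen >= self.ageing]
        for mac in stale:
            del self.fdb[mac]

    def handle(self, frame, now):
        """Return the list of egress ports for this frame ([] means discarded)."""
        self._expire(now)
        if self.ageing > 0:  # ageing 0: modelled as 'never learn', so every frame floods
            self.fdb[frame.src] = (frame.in_port, now)  # learning step
        entry = self.fdb.get(frame.dst)
        if entry is None:                 # case 1: unknown destination -> flood
            return [p for p in self.ports if p != frame.in_port]
        port, _ = entry
        if port == frame.in_port:         # case 2: same segment -> discard
            return []
        return [port]                     # case 3: forward to the learned port


def demo(ageing):
    """Constructed host<->VM scenario; X is on eth0, the VM Z is on vnet1."""
    br = LearningBridge(["eth0", "vnet1"], ageing)
    X, Z = "52:54:00:aa:bb:01", "52:54:00:aa:bb:02"   # constructed MACs
    out = [br.handle(Frame(X, Z, "eth0"), now=0),       # Z unknown: flood to vnet1
           br.handle(Frame(Z, X, "vnet1"), now=1),      # X known on eth0: forward
           br.handle(Frame(X, Z, "eth0"), now=2)]       # Z known on vnet1: forward
    br.handle(Frame(Z, X, "eth0"), now=3)               # Z's MAC wrongly seen on eth0
    out.append(br.handle(Frame(X, Z, "eth0"), now=4))   # case 2: dropped, never reaches vnet1
    out.append(br.handle(Frame(X, Z, "eth0"), now=4 + ageing))  # entry aged out: floods again
    return out


if __name__ == "__main__":
    print("ageing 300:", demo(300))
    print("ageing   0:", demo(0))
```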