networking – Forward Port to localhost of host from VMWare VM

I have a server running at localhost:8081 on the host machine.

From a VM, I would like to be able to visit http://localhost:8081 from a browser running inside of my VM and have that request forwarded to the server running on the host.

The host machine is running macOS 10.15.7 (Catalina) and the VM is running Ubuntu 18.04.

Is this possible? If so, how?

networking – Dual WAN active-active for web server

I want to publish a web server (192.168.1.2) on both internet lines, so my clients can access the web server via either IP at the same time.
I have configured NAT on both firewalls, but I can only access it via the primary line (which has the lower metric on the router).
I think the problem is the routing on the router, but I can't solve it 🙁
Can anyone advise how I can solve this problem?
My router in the lab is a virtual machine running Debian 10.
Thanks,
Diagram

networking – ip route keep changing after network restart

Every time I restart the server or run “systemctl restart network” I have to add the static routes again.

RHEL 7.8

ip route add 192.168.1.1 dev ens192 proto static scope link metric 100
ip route add 192.168.2.0/24 dev ens192 proto kernel scope link src 192.168.2.11 metric 100
ip route add default via 192.168.1.1 dev ens192 proto static metric 100

Below is what gets added:

# ip route
169.254.0.0/16 dev ens192 scope link metric 1002
172.16.2.0/24 dev ens192 proto kernel scope link src 172.16.2.11

How do I make the routes static?

# ip route
default via 172.16.1.1 dev ens192 proto static metric 100
172.16.1.1 dev ens192 proto static scope link metric 100
172.16.2.0/24 dev ens192 proto kernel scope link src 172.16.2.11 metric 100

networking – How to use IPv6 internet addresses on Linux with systemd-networkd

I haven't found so far a simple example like this to understand the basics with reference to the sources. It's more a proof of concept, but it has taken me some effort, so I will share it with the community step by step.

Preparations

I use three virtual machines on KVM (Kernel-based Virtual Machine), all with Debian 11 (bullseye, at this time the testing version), and I use the terminology from RFC 2460:
Node is an interface enabled for IPv6.
Router is any node that forwards IPv6 packets that are not expressly addressed to it.
Host is any node that’s not a router.

I use the IPv6 address prefix 2001:DB8::/32, reserved for documentation (RFC 3849), which is usable for valid global unicast addresses but is not routed to the internet.

To have things at hand, here are some specifications.

These address types are used (RFC 4291):

Unspecified          ::/128
Loopback             ::1/128
Multicast            FF00::/8
Link-Local unicast   FE80::/10
Global Unicast       (everything else)
Global Anycast       (same as Global Unicast)   not used in this example

Scope of Multicast addresses (RFC 4291):

FF00::  reserved
FF01::  Interface-Local scope
FF02::  Link-Local scope
FF03::  reserved
FF04::  Admin-Local scope
FF05::  Site-Local scope
FF06:: to FF07::  (unassigned)
FF08::  Organization-Local scope
FF09:: to FF0D::  (unassigned)
FF0E::  Global scope
FF0F::  reserved

Well-known IPv6 multicast addresses (extract – complete list at IANA):

ff02::1     all nodes
ff02::2     all routers
ff02::5     all OSPF (Open Shortest Path First) routers
ff02::6     all OSPF DRs (OSPF Designated Routers)
ff02::9     all RIP (Routing Information Protocol) routers
ff02::a     all EIGRP (Enhanced Interior Gateway Routing Protocol) routers
ff02::d     all PIM (Protocol Independent Multicast) routers
ff02::f     UPNP (Universal Plug and Play) devices
ff02::11    all homenet nodes
ff02::12    VRRP (Virtual Router Redundancy Protocol)
ff02::16    all MLDv2-capable routers
ff02::1a    all RPL (Routing Protocol for Low-Power and Lossy Networks) routers (used in Internet of Things (IoT) devices)
ff02::fb    multicast DNS IPv6
ff02::101   network time (NTP)
ff02::1:2   all DHCP agents
ff02::1:3   LLMNR (Link-Local Multicast Name Resolution)
ff02:0:0:0:0:1:ff00::/104   solicited node address
ff02:0:0:0:0:1-2:ff00::/104     node information query
ff05::1:3   all DHCP server (site)
ff05::101   all NTP server (site)

I will use tcpdump to look at what's going on on the network, so install it on the router. Then enable systemd-networkd by following the section Quick Step at Use systemd-networkd for general networking, then come back here.

I will have everything disabled so we can see what is needed, and enable it step by step. On host-a and host-b use this network file:

host-? ~$ sudo -Es   # if not already done
host-? ~# cat > /etc/systemd/network/04-wired.network <<EOF
[Match]
Name=eth0

[Network]
# on host-a uncomment
#Address=2001:db8:0:10::2/64
# on host-b uncomment
#Address=2001:db8:0:20::2/64
IPv6AcceptRA=no
LinkLocalAddressing=no
EOF

On the router use these ones:

router ~$ sudo -Es   # if not already done
router ~# cat > /etc/systemd/network/04-eth0.network <<EOF
[Match]
Name=eth0

[Network]
Address=2001:db8:0:10::1/64
IPv6AcceptRA=no
LinkLocalAddressing=no
EOF

router ~# cat > /etc/systemd/network/06-eth1.network <<EOF
[Match]
Name=eth1

[Network]
Address=2001:db8:0:20::1/64
IPv6AcceptRA=no
LinkLocalAddressing=no
EOF

Simple link-local connection

First I will have a look at the direct connection between host-a and the router. The router is up and I start host-a. tcpdump shows me on subnet 2001:db8:0:10::/64:

host-a ~$ sudo tcpdump -n --number --interface=eth0 ip6 2>/dev/null
    1  23:25:28.211331 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
    2  23:25:28.227326 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
    3  23:25:28.671386 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
    4  23:25:28.735354 IP6 :: > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:0:10::2, length 32
  • With packets 1-3 host-a joins the multicast group ff02::16 (all MLDv2-capable routers) as a listener. The router now knows that it wants to receive routing messages.
  • With packet 4 it asks if there is another node with the IP address 2001:db8:0:10::2. There isn't, because there is no reply, so host-a can use the address.

Ping to router works:

host-a ~$ ping6 -n 2001:db8:0:10::1
PING 2001:db8:0:10::1(2001:db8:0:10::1) 56 data bytes
64 bytes from 2001:db8:0:10::1: icmp_seq=1 ttl=64 time=0.829 ms
64 bytes from 2001:db8:0:10::1: icmp_seq=2 ttl=64 time=0.863 ms
64 bytes from 2001:db8:0:10::1: icmp_seq=3 ttl=64 time=0.858 ms
--- snip ---

Link-local unicast addresses

In the next step I want to connect to the second interface eth1 on the router. For this we need a static route:

host-a ~$ sudo ip -6 route add 2001:db8:0:20::/64 via 2001:db8:0:10::1

But ping6 -nc3 2001:db8:0:20::1 does not work; I don't get any replies. Curiously, it works if I first ping the gateway 2001:db8:0:10::1:

host-a 12:32:26 ~$ ping6 -nc1 2001:db8:0:10::1
PING 2001:db8:0:10::1(2001:db8:0:10::1) 56 data bytes
64 bytes from 2001:db8:0:10::1: icmp_seq=1 ttl=64 time=1.37 ms

--- 2001:db8:0:10::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.373/1.373/1.373/0.000 ms

host-a 12:32:39 ~$ ping6 -nc3 2001:db8:0:20::1
PING 2001:db8:0:20::1(2001:db8:0:20::1) 56 data bytes
64 bytes from 2001:db8:0:20::1: icmp_seq=1 ttl=64 time=0.629 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=2 ttl=64 time=0.744 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=3 ttl=64 time=0.743 ms

--- 2001:db8:0:20::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2008ms
rtt min/avg/max/mdev = 0.629/0.705/0.744/0.053 ms

host-a 12:33:01 ~$ ping6 -nc3 2001:db8:0:20::1
PING 2001:db8:0:20::1(2001:db8:0:20::1) 56 data bytes

--- 2001:db8:0:20::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2027ms

host-a 12:33:28 ~$

Have a look at the timestamps on the prompt. I only get replies for some seconds after pinging the gateway. I do not really understand it, but it's good to know about this behavior when troubleshooting. Anyway, it's out of specification, because for connections on the link (2001:db8:0:10::2 to 2001:db8:0:10::1) link-local addresses must be used, as specified in RFC 4291 – Link-Local IPv6 Unicast Addresses:

Link-Local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present.

Check for a link-local address on the interface. There is none:

host-a ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:10::2/64

I enable it by setting LinkLocalAddressing=ipv6 in all /etc/systemd/network/*.network files on all nodes, then reboot, check and ping:

host-a ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:10::2/64 fe80::5054:ff:febc:adbe/64

router ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:10::1/64 fe80::5054:ff:fe0f:194e/64
eth1             UP             2001:db8:0:20::1/64 fe80::5054:ff:fe0f:194e/64

host-b ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:20::2/64 fe80::5054:ff:fe9b:34b9/64

host-a ~$ sudo ip -6 route add 2001:db8:0:20::/64 via 2001:db8:0:10::1
host-a ~$ ping6 -n 2001:db8:0:20::1
PING 2001:db8:0:20::1(2001:db8:0:20::1) 56 data bytes
64 bytes from 2001:db8:0:20::1: icmp_seq=9 ttl=64 time=2.08 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=10 ttl=64 time=0.780 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=11 ttl=64 time=0.783 ms
--- snip ---

Works.

Static Routing

If I try to connect from host-a to host-b, then ping6 -n 2001:db8:0:20::2 fails. That is because the router does not forward packets between its interfaces. We have to enable it: just append IPForward=ipv6 to a *.network file. We also need a static route on host-b so it knows where to send the replies to host-a. We will make it persistent now, so you will get the following .network files:

host-a

host-a ~$ cat /etc/systemd/network/04-wired.network
[Match]
Name=eth0

[Network]
Address=2001:db8:0:10::2/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6

[Route]
Destination=2001:db8:0:20::/64
Gateway=2001:db8:0:10::1

router

router ~$ cat /etc/systemd/network/04-eth0.network
[Match]
Name=eth0

[Network]
Address=2001:0DB8:0:10::1/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6
IPForward=ipv6

router ~$ cat /etc/systemd/network/06-eth1.network
[Match]
Name=eth1

[Network]
Address=2001:0DB8:0:20::1/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6

host-b

host-b ~$ cat /etc/systemd/network/04-wired.network
[Match]
Name=eth0

[Network]
Address=2001:db8:0:20::2/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6

[Route]
Destination=2001:db8:0:10::/64
Gateway=2001:db8:0:20::1

That’s it.
(Will be continued with Router Advertisement)
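As an added example (not part of the post above), here is a small Python checker for the .network files built in this walkthrough: it parses the file, classifies addresses according to the RFC 4291 tables quoted earlier, and flags the two mistakes the walkthrough ran into (LinkLocalAddressing=no, and a [Route] Gateway that is not on any configured prefix, which Linux rejects without the onlink flag). The sample files and the broken variant are constructed here; the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: host-a's file from the walkthrough, plus a deliberately broken variant.
HOST_A_OK = """[Match]
Name=eth0
[Network]
Address=2001:db8:0:10::2/64
LinkLocalAddressing=ipv6
[Route]
Destination=2001:db8:0:20::/64
Gateway=2001:db8:0:10::1
"""
HOST_A_BAD = (HOST_A_OK.replace("LinkLocalAddressing=ipv6", "LinkLocalAddressing=no")
              .replace("Gateway=2001:db8:0:10::1", "Gateway=2001:db8:0:30::1"))

# Multicast scope values from the RFC 4291 table (low nibble of the second address byte).
MCAST_SCOPES = {1: "Interface-Local", 2: "Link-Local", 4: "Admin-Local",
                5: "Site-Local", 8: "Organization-Local", 0xE: "Global"}

def classify(addr):
    """Name the address type per the RFC 4291 address-type table."""
    a = ipaddress.IPv6Address(addr)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:  # ff00::/8
        return "multicast, %s scope" % MCAST_SCOPES.get(a.packed[1] & 0xF, "reserved/unassigned")
    return "link-local unicast" if a.is_link_local else "global unicast"

def parse_network(text):
    """Minimal parser for a systemd .network file: {section: [(key, value), ...]}."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections

def check_routes(text):
    """Return findings: LinkLocalAddressing must not be 'no' (on-link traffic relies on
    fe80::), and every [Route] Gateway must lie inside a configured [Network] prefix."""
    cfg = parse_network(text)
    prefixes = [ipaddress.IPv6Interface(v).network for k, v in cfg["Network"] if k == "Address"]
    findings = [f"{k}={v}: no fe80:: address on this link" for k, v in cfg["Network"]
                if k == "LinkLocalAddressing" and v == "no"]
    for k, v in cfg["Route"]:
        if k == "Gateway" and not any(ipaddress.IPv6Address(v) in p for p in prefixes):
            findings.append(f"Gateway {v} is not on any configured prefix")
    return findings
```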

networking – “Network cable unplugged” after reboot of windows computer

I have a weird behavior with my Windows machine:

I recently upgraded to a new computer (namely a new mainboard and CPU). In general everything is working fine, but sometimes after a reboot the computer does not have an internet connection.

The cable is plugged in properly and routed in cable channels. There is no way of stepping on it or moving it by accident.

Unplugging and replugging the cable helps in some instances, in others it doesn't. Not replugging but resetting the network adapter helps, though.

Any ideas what the issue could be?

I have around 7 computers in my network; none of them show any issue with the wired connection.

networking – Can you suffer bufferbloat when using only 1/4th of your bandwidth?

As the title suggests, is it possible to have bufferbloat without hitting your max download or upload speeds? I have recently moved into a new house and asked for the internet to be upgraded to 250/40 package which speedtest shows is realistically reaching 270/45 sometimes 280/50 (download/upload).

The problem is that I’m experiencing what feels like bufferbloat even when I am uploading at only 10-12 Mbps or 1/4th of the upload bandwidth (Streaming to Twitch.tv). Here are the signs of it:

  • My main game shows a “Packet Burst” icon often – unsure about the meaning, just know its name from the internet
  • My main game’s metrics for latency and packet loss are normal – 0% packet loss, <30ms latency.
  • Websites load quite a bit slower, sometimes seconds slower
  • Housemates reporting slowdowns and poor performance in general
  • http://www.dslreports.com/speedtest gives me a grade of B for bufferbloat

The above issues disappear when I am not streaming, even though the stream is only 1/4 of the total bandwidth. Is this normal? As far as I understand, bufferbloat is supposed to happen only when maxing out the connection. Is it possible my ISP’s network is so bad, that this is happening anyway?

What tests can I perform to determine whether this is bufferbloat or something else?

Thanks

networking – How to measure TCP/IP packet loss/packet checksum failure on Windows?

(Windows 10, or Server 2016 or later)

I’m sure there are performance counters that can do this – but the ones I’ve looked at e.g., here at Microsoft’s documentation don’t really name/describe the counters in a way that directly maps to what I want. (For example: “segments retransmitted” sounds like outbound segments only, or is it both inbound and outbound?) Or maybe it’s some monitoring tool I could use.

Here’s my purpose: Having read about QUIC—HTTP/3, I see that one (of several) reasons for moving the protocol to be on top of UDP instead of TCP is that previous improvements – especially multiple streams over one TCP connection – exposed the problem that if any packet is lost all streams are impacted, not just the one victimized by the lost packet. So I just wanted to know, in practice (for me anyway that is) how much of a problem is it? (Not looking for general surveys, you see, just using myself and my setup here as a single (but interesting!) data point.)

Anyway, what I want to count is: Given say my torrent client which runs several dozen TCP streams simultaneously and continually over the day, how many times a day is there a packet lost that leads to a stream being delayed?

There’s gotta be a Windows utility for this …

networking – how to save static routes permanently in ubuntu

The current configuration:

server1:
sudo route add -host 10.0.1.2 dev enp131s0f0
sudo route add -host 10.0.1.3 dev enp131s0f1

server2:
sudo route add -host 10.0.1.1 dev enp131s0f0
sudo route add -host 10.0.1.3 dev enp131s0f1

server3:
sudo route add -host 10.0.1.1 dev enp131s0f0
sudo route add -host 10.0.1.2 dev enp131s0f1

This configuration on both sides will be lost if any server is rebooted or the cable is unplugged and replugged.

Saving them in /etc/rc.local does not work for the above situations.

So, how do I save them permanently for both netplan and NetworkManager? I have both Ubuntu desktop and Ubuntu server installed.

linux networking – Access denied while accessing a public samba share on windows 10

I'm trying to configure samba to share folders on my network publicly, however I also want private folders. I have run into a problem where, when I create the samba account, access to all the shares is denied if you log in as a samba user.
I'm connecting from a Windows 10 PC.
The file system is running Devuan 2.0.0 (a fork of Debian)

Here is what is contained in the samba.conf

[global]
    workgroup = WORKGROUP
    dns proxy = no
    map to guest = Bad User
    log file = /var/log/samba/log.%m
    max log size = 100
    server role = standalone server
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes
    unix extensions = no

[Public]
    comment = public share
    hosts allow = 1.1.1.100/24, 127.0.0.1
    hosts deny = 0.0.0.0/0
    path = /mnt/Niflheim/Public
    public = yes
    read only = yes
    guest ok = yes
    guest only = no

[Private]
    comment = home share
    hosts allow = 1.1.1.100/24, 127.0.0.1
    hosts deny = 0.0.0.0/0
    path = /mnt/Niflheim/Home
    valid users = USER, @USERGROUP
    read only = no
    browsable = no
    writeable = yes
    writeable list = USER

As an example, if I create a samba account called USER and log in as that, then I can't access any shares, but if I don't log in all public shares are available.

networking – Meraki Wireless Repeaters not allowing connected clients to access LAN devices but Gateways are?

I am trying to set up a Meraki Mesh network (Mesh1) at a small remote office. I have 1 MX65W and 3 MR36s, 1 acting as the gateway and the other 2 as repeaters. The SSID I'm broadcasting is set to operate in bridge mode, and it's connected to a VLAN that is connected to a VPN tunnel back to the main office network (Corp1). From my laptop on Corp1, I can ping devices that are connected directly to the MX65 via a wired connection, and I can ping devices that are connected wirelessly to the gateway AP. However, I can't ping devices that are connected to either of the 2 repeaters.

The 3 APs appear to have meshed successfully, and devices connected to the repeaters can still access the internet and are getting IPs in the correct subnet; they just can't seem to communicate with anything on Corp1. Is there some kind of security setting I'm missing? How do I get the repeaters to communicate with the corporate network like the gateway is already doing?