Hi,
I just wanted to inform the Proxmox team about an issue with the virtio network drivers. My setup consists of:
- 1 Proxmox Hypervisor (Debian 9.11 with all updates, including those from Proxmox). 3 bridge interfaces.
- 1 application proxy (apache with http_proxy) with 2 ifs (1 external, 1 'left side IDS')
- 1 IDS (Snort) with 3 ifs (1 external, 1 'left side IDS', 1 'right side IDS')
- 1 Tomcat application server with 2 ifs (1 external, 1 'right side IDS')
The Snort application bridges 'left side IDS' with 'right side IDS' but can terminate TCP sessions by sending a reset if it finds something not okay.
When a request comes from the Internet it hits the Application Proxy. The Application Proxy proxies the request to 192.168.0.2, which resides on the Tomcat application server. This network traffic goes through the IDS Snort VM. It then comes out in the Tomcat application server VM, which sends a response back to the Application Proxy.
When I use 'virtio' network drivers on the IDS VM, I can ping from the Application Proxy to Tomcat. I can see ARP entries, etc. However, TCP traffic is not working for some reason. I see the SYN requests on the Tomcat application server, but it doesn't send a response back.
When I switch the IDS machine from virtio drivers to 'e1000' drivers, everything suddenly works out of the box as I have designed it.
Apparently the virtio drivers do some kind of filtering, but I don't know what it is. Does anybody have some advice or ideas? I'd prefer to use virtio drivers.