Skip to main content

linux - Howto setup a `veth` virtual network


I'd like to setup three virtual network interfaces (veth) which can communicate with each other. To simulate a three node cluster, each program then binds to one veth interface. I'd like to do it without LXC if possible.


I tried using:



  • Created three veth pairs: sudo ip link add type veth

  • Created a bridge sudo brctl addbr br0

  • Added one of each pair to the bridge:

    • sudo brctl addif br0 veth1

    • sudo brctl addif br0 veth3

    • sudo brctl addif br0 veth5



  • Configured the interfaces:

    • sudo ifconfig veth0 10.0.0.201 netmask 255.255.255.0 up

    • sudo ifconfig veth2 10.0.0.202 netmask 255.255.255.0 up

    • sudo ifconfig veth4 10.0.0.203 netmask 255.255.255.0 up




Then I verified if is works using: ping -I veth0 10.0.0.202 but it doesn't :(


The I added IP addresses to the veth1,veth3,veth5 and br0 interfaces in the 10.0.1.x/24 range. But that doesn't help.


Any ideas? or a guide, all I find in how to use it with LXC. Or am I trying something that isn't possible?



Answer



For veth to work, one end of the tunnel must be bridged with another interface. Since you want to keep this all virtual, you may bridge the vm1 end of the tunnel (vm2 is the other end of the tunnel) with a tap-type virtual interface, in a bridge called brm. Now you give IP addresses to brm and to vm2 (10.0.0.1 and 10.0.0.2, respectively), enable IPv4 forwarding by means of


echo 1 > /proc/sys/net/ipv4/ip_forward

bring all interfaces up, and add a route instructing the kernel how to reach IP addresses 10.0.0.0/24. That's all.


If you want to create more pairs, repeat the steps below with different subnets, for instance 10.0.1.0/24, 10.0.2.0/24, and so on. Since you enabled IPv4 forwarding and added appropriate routes to the kernel routing table, they will be able to talk to each other right away.


Also, remember that most of the commands you are using (brctl, ifconfig,...) are obsolete: the iproute2 suite has commands to do all of this, see below my use of the ip command.


This is a correct sequence of commands for the use of interfaces of type veth:


first create all required interfaces,


ip link add dev vm1 type veth peer name vm2
ip link set dev vm1 up
ip tuntap add tapm mode tap
ip link set dev tapm up
ip link add brm type bridge

Notice we did not bring up brm and vm2 because we have to assign them IP addresses, but we did bring up tapm and vm1, which is necessary to include them into the bridge brm. Now enslave the interfaces tapm and vm1 to the bridge brm,


ip link set tapm master brm
ip link set vm1 master brm

now give addresses to the bridge and to the remaining veth interface vm2,


ip addr add 10.0.0.1/24 dev brm
ip addr add 10.0.0.2/24 dev vm2

now bring vm2 and brm up,


ip link set brm up
ip link set vm2 up

There is no need to add the route to the subnet 10.0.0.0/24 explicitly, it is automatically generated,, you may check with ip route show. This results in


ping -c1 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.035 m

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.035/0.035/0.035/0.000 ms

You can also do it backwards, i.e. from vm2 back to brm:


ping -I 10.0.0.2 -c1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 : 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.045 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.045/0.045/0.045/0.000 ms

The most useful application of NICs of the veth kind is a network namespace, which is what is used in Linux containers (LXC). You start one called nnsm as follows


ip netns add nnsm

then we transfer vm2 to it,


ip link set vm2 netns nnsm

we endow the new network namespace with a lo interface (absolutely necessary),


ip netns exec nnsm  ip link set dev lo up

we allow NATting in the main machine,


iptables -t nat -A POSTROUTING -o brm -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

(if you are connected to the Internet via eth0, otherwise change accordingly), start a shell in the new network namespace,


ip netns exec nnsm xterm &

and now, if you start typing in the new xterm, you will find you are in a separate virtual machine with IP address 10.0.0.2, but you can reach the Internet. The advantage of this is that the new network namespace has its own stack, which means, for instance, you can start a VPN in it while the rest of your pc is not on the VPN. This is the contraption LXCs are based on.


EDIT:


I made a mistake, bringing the vm2 interface brings it down and clears its address. Thus you need to add these commands, from within the xterm:


ip addr add 10.0.0.2/24 dev vm2
ip link set dev  vm2 up
ip route add default via 10.0.0.1
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf

and now you can navigate from within xterm.


The ip commands can also be done before the xterm with


ip -netns nnsm addr add 10.0.0.2/24 dev vm2
ip -netns nnsm link set dev vm2 up
ip -netns nnsm route add default via 10.0.0.1

Comments

Post a Comment

Popular Posts

Use Google instead of Bing with Windows 10 search

I want to use Google Chrome and Google search instead of Bing when I search in Windows 10. Google Chrome is launched when I click on web, but it's Bing search. (My default search engine on Google and Edge is http://www.google.com ) I haven't found how to configure that. Someone can help me ? Answer There is no way to change the default in Cortana itself but you can redirect it in Chrome. You said that it opens the results in the Chrome browser but it used Bing search right? There's a Chrome extension now that will redirect Bing to Google, DuckDuckGo, or Yahoo , whichever you prefer. More information on that in the second link.
Post a Comment
Read more

linux - Using an index to make grep faster?

I find myself grepping the same codebase over and over. While it works great, each command takes about 10 seconds, so I am thinking about ways to make it faster. So can grep use some sort of index? I understand an index probably won't help for complicated regexps, but I use mostly very simple patters. Does an indexer exist for this case? EDIT: I know about ctags and the like, but I would like to do full-text search. Answer what about cscope , does this match your shoes? Allows searching code for: all references to a symbol global definitions functions called by a function functions calling a function text string regular expression pattern a file files including a file
Post a Comment
Read more

How do I transmit a single hexadecimal value serial data in PuTTY using an Alt code?

I am trying to sent a specific hexadecimal value across a serial COM port using PuTTY. Specifically, I want to send the hex codes 9C, B6, FC, and 8B. I have looked up the Alt codes for these and they are 156, 182, 252, and 139 respectively. However, whenever I input the Alt codes, a preceding hex value of C2 is sent before 9C, B6, and 8B so the values that are sent are C2 9C, C2 B6, and C2 8B. The value for FC is changed to C3 FC. Why are these values being placed before the hex value and why is FC being changed altogether? To me, it seems like there is a problem internally converting the Alt code to hex. Is there a way to directly input hex values without using Alt codes in PuTTY? Answer What you're seeing is just ordinary text character set conversion. As far as PuTTY is concerned, you are typing (and reading) text , not raw binary data, therefore it has to convert the text to bytes in whatever configured character set before sending it over the wire. In other words, when y
Post a Comment
Read more

networking - Windows 10, can ping other PC but cannot access shared folders! What gives?

I have a computer running Windows 7 that shares a Git repo on drive D. Let's call this PC " win7 ". This repo is the origin of a project that we push to and pull from. The network is a wireless network. One PC on this network is running on Windows 10. Let's call this PC " win10 ". Win10 can ping every other PC on the network including win7 . Win7 can ping win10 . Win7 can access all shared files on win10 . Neither of the PCs have passwords. Problem : Win10 cannot access any shared files on win7 , not from Explorer, nor from Git Bash or any other Git management system (E-Git on Eclipse or Visual Studio). So, win10 cannot pull/push. Every other PC on the network can access win7 shared files and push/pull to/from the shared Git origin. What's wrong with Windows 10? I have tried these: Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings\ File sharing is on, Discovery is on, Password protected sharing is off Adapte
Post a Comment
Read more