
Right now I'm trying a new cloud provider that offers private networking, a feature on which you can run multiple VLANs. Because the platform we are going to build is a Linux/Windows platform with multiple environments, we are going to separate them with a VLAN construction. Up to this point it is pretty basic.

The best way to use VLAN tagging under Windows is the "Realtek Ethernet Diagnostic Tool", in combination with the Realtek 8139 card; it gives you the possibility to create a VLAN interface.

The interface comes up the right way when I configure it, but now the fun starts. Another machine in the same VLAN (10) receives NetBIOS, ARP and other UDP communication. I noticed this with a simple tcpdump command:

19:32:44.247964 IP 10.0.10.30.netbios-ns > 10.0.10.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:32:44.248057 IP 10.0.10.30.netbios-ns > 10.0.10.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:32:44.310334 IP 10.0.10.30.netbios-ns > 10.0.10.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:32:44.509278 IP6 fe80::a1dd:64c9:ae27:5659.60116 > ff02::1:3.hostmon: UDP, length 24
19:32:44.509955 IP 10.0.10.30.63646 > 224.0.0.252.hostmon: UDP, length 24
19:32:44.606923 IP6 fe80::a1dd:64c9:ae27:5659.60116 > ff02::1:3.hostmon: UDP, length 24

If I disable the Windows firewall completely by stopping the service, or add the interface to the private group and allow everything, nothing happens. I used Wireshark on the Windows machine to see if my ICMP packets are accepted by the server, but that isn't seen in Wireshark.

Another odd thing is that if I ping from the Windows machine to the Linux machine, the first timeout given is from the local IP and the other 3 timeouts are given from the external address (default GW). So it looks like Windows can't handle the interface for packets other than UDP.

Right now this question isn't really answered and remains a problem that nobody has solved or documented yet. So I would like to solve this with your help and create a detailed weblog post so everybody has a provide.

I hope someone can help me out; my goal is to have multiple VLAN interfaces in Windows 2008R2, each with their own VLAN tag.

Thijs
  • Hi - could you edit the question to make it clearer what you are asking? Hint - make the title a question. – dunxd Sep 19 '12 at 14:15

1 Answer

First of all, you really need to use virtio_net and not e1000 or rtl, because the latter are both emulated, and that basically means slow. In Windows, since the OS itself has no ability to add vlan tags, you usually create a tagged interface on the host, add a bridge on top, and attach your VM to that bridge, that is already passing tagged traffic.

dyasny
  • Dyasny, I understand that that is the best-case scenario. But as I mentioned in the top post, I'm using a service from a cloud provider. So I can't use the flexibility that you have with your own environment. I know it is slow, but still I would like to give it a go; it will only host MGT traffic and other low-performance data. – Thijs Aug 25 '12 at 06:09
  • You shouldn't be surprised if it fails then. e1000 and RTL are open specs, so qemu can emulate them, but there is no promise the original Realtek or Intel software will be able to work with them for every feature, which is probably why you are seeing the error you described – dyasny Aug 25 '12 at 06:35
  • Okay, fair enough. But which software do I need to use for VLAN tagging in Windows on a KVM host? I researched some options and landed on the Realtek option; the Intel PROSet isn't finding the Ethernet card. And with VirtIO there is no tagging possibility. Hoping that you can give me another lead. – Thijs Aug 25 '12 at 07:00
  • As I said, the way to set VLANs in KVM is not from inside Windows. If you really need it, you can always invest some time and/or money into developing this functionality for virtio_net - the code is open after all. In any case, I would start trying to push the service provider into configuring tagged bridges on the virtualization host. Or forget about VLANs, and think of other ways to segregate my network – dyasny Aug 25 '12 at 10:52
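The host-side setup dyasny describes (a tagged sub-interface on the KVM host with a bridge on top, one per environment VLAN), as an added example script that is not part of the answer or of any project. The parent NIC name `eth0`, the VLAN IDs 10/20/30 and the `br-vlan<id>` bridge naming are assumptions; the script prints the `ip` commands by default and only applies them when run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: per-VLAN tagged sub-interface + bridge on a Linux KVM host.
# Assumptions: parent NIC eth0, VLAN ids 10/20/30, bridge names br-vlan<id>.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create eth0.<id> carrying 802.1Q tags and bridge br-vlan<id> on top of it.
# A VM attached to br-vlan<id> sees untagged Ethernet; the host adds and
# strips the tag, so the guest NIC driver needs no VLAN support at all.
vlan_bridge() {
    parent="$1"; vid="$2"
    case "$vid" in
        ''|*[!0-9]*) echo "invalid VLAN id: $vid" >&2; return 1 ;;
    esac
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || { echo "VLAN id out of range: $vid" >&2; return 1; }
    sub="${parent}.${vid}"
    br="br-vlan${vid}"
    run ip link add link "$parent" name "$sub" type vlan id "$vid"
    run ip link add name "$br" type bridge
    run ip link set dev "$sub" master "$br"
    run ip link set dev "$sub" up
    run ip link set dev "$br" up
}

# One isolated bridge per environment VLAN (ids here are constructed).
vlan_bridges() {
    parent="$1"; shift
    for vid in "$@"; do
        vlan_bridge "$parent" "$vid"
    done
}

vlan_bridges eth0 10 20 30
```

Each guest then gets a virtio_net interface attached to its environment's bridge (in libvirt, `<interface type='bridge'>` with `<source bridge='br-vlan10'/>`), so VLAN separation is enforced by the host, not by software inside the Windows guest.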