5 Replies Latest reply: Feb 27, 2012 12:58 PM by 919644

can't connect from zone to outer world

919644 Newbie
Hi,
I am rather new to Solaris.
I installed a zone with default settings (ip-type exclusive). From this zone I can ping the global zone
and the reverse. But I can't connect to or ping anything outside the machine.
Is this the intention of zones in Solaris 11, or did I forget some (security) setting?

greetings
Rob
  • 1. Re: can't connect from zone to outer world
    bigdelboy Pro
    916641 wrote:
    Hi,
    I am rather new to Solaris.
    I installed a zone with default settings (ip-type exclusive). From this zone I can ping the global zone
    and the reverse. But I can't connect to or ping anything outside the machine.
    Is this the intention of zones in Solaris 11, or did I forget some (security) setting?

    greetings
    Rob
    Please be aware I could say something stupid in my explanations.

    This all really depends on how your networking is set up.

    In a native Solaris 10 zone with an exclusive IP address, one would have a dedicated real interface connecting to the outside world.

    In a Solaris 11 machine there are more options available ...

    .... and you may (or may not) need to be using dladm ; ipadm ;

    I assume you may then need to use routeadm to sort out routing; or perhaps you do not have a default route set up. (I have a tendency to blunder around like a bull in a china shop with networking.)

    Refs:

    http://docs.oracle.com/cd/E23824_01/html/821-1453/ipconfig-63.html#gcvjx


    Hope this post contains a couple of pointers and not too many wrong directions ... however, with no other replies I thought I'd blunder in.

    and particularly:

    http://docs.oracle.com/cd/E23824_01/html/821-1460/z.config.ov-3.html#z.config.ov-6

    ......
  • 2. Re: can't connect from zone to outer world
    919644 Newbie
    Hi,

    I think I found part of the problem.
    When a snoop is sniffing on net0: in the global zone, then the sub-zone can
    communicate with the outside world.
    The snoop puts the interface in promiscuous mode and then it accepts/passes
    the packets for the sub-zone.
    So probably some extra settings (bridging?) are necessary when using
    zones.

    I think I first have to read more manuals ....
    But if someone has a quick hint I would like to hear it.

    greetings
    Rob
  • 3. Re: can't connect from zone to outer world
    836014 Journeyer
    Check that the interfaces are configured, UP and running.

    ifconfig -a

    The output should be something like this:

    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    igb0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet xx.xx.xx.xx netmask ffffff00 broadcast 10.1.5.255
    ether

    Then check the routing table with

    netstat -nr

    The output should look like this:

    Routing Table: IPv4
    Destination Gateway Flags Ref Use Interface
    -------------------- -------------------- ----- ----- ---------- ---------
    default nn.nn.nn.nn UG 1 11191904
    nn.nn.nn.0 nn.nn.nn.nn U 1 8590 igb0
    nn.0.0.0 nn.nn.nn.nn U 1 0 igb0
    nn.0.0.1 nn.0.0.1 UH 13 82102433 lo0

    If the routing table is not showing a default route, then run the following command sequence to add one:

    route add default your.route.ip.address

    In /etc/defaultrouter, make an entry for your.route.ip.address.

    Make sure that the switch ports are activated at the network level and the network cables are plugged in.
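The two checks in the reply above (every non-loopback interface UP and RUNNING, and a default route present in the IPv4 table) are easy to script. The following is an added example, not code from the thread: it parses Solaris-style `ifconfig -a` and `netstat -nr` output in the format shown above. The sample output embedded in it is constructed (addresses and MAC are made up), and in an exclusive-IP zone the commands would be run inside the zone itself, since that zone has its own IP stack and routing table.

```python
"""Check Solaris-style `ifconfig -a` and `netstat -nr` output for
interfaces that are not UP+RUNNING and for a missing default route.
Added example; the sample output below is constructed, not captured."""
import re

# Constructed `ifconfig -a` output in the format the reply shows.
# net1 is deliberately missing the UP flag.
IFCONFIG_SAMPLE = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
\tinet 127.0.0.1 netmask ff000000
net0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
\tinet 10.1.5.20 netmask ffffff00 broadcast 10.1.5.255
\tether 0:c:29:aa:bb:cc
net1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
\tinet 0.0.0.0 netmask 0
"""

# Constructed `netstat -nr` output with NO default route.
NETSTAT_SAMPLE = """\
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
10.1.5.0             10.1.5.20            U         1       8590 net0
127.0.0.1            127.0.0.1            UH       13   82102433 lo0
"""

# Matches the header line of each interface: "<name>: flags=<hex><FLAG,FLAG,...>"
IFLINE = re.compile(r'^(\S+): flags=[0-9a-f]+<([^>]*)>')


def parse_ifconfig(text):
    """Return {interface name: set of flag names} from `ifconfig -a` output."""
    ifaces = {}
    for line in text.splitlines():
        m = IFLINE.match(line)
        if m:
            ifaces[m.group(1)] = set(m.group(2).split(','))
    return ifaces


def interfaces_not_ready(ifaces):
    """Names of non-loopback interfaces that are missing UP or RUNNING."""
    return sorted(name for name, flags in ifaces.items()
                  if 'LOOPBACK' not in flags and not {'UP', 'RUNNING'} <= flags)


def parse_routes(text):
    """Return [(destination, gateway, flags, interface)] for the IPv4 table.

    The interface column may be empty (the reply's default-route line has none),
    and an IPv6 table that follows is ignored."""
    routes = []
    in_v4 = False
    for line in text.splitlines():
        if line.startswith('Routing Table:'):
            in_v4 = 'IPv4' in line
            continue
        stripped = line.strip()
        if (not in_v4 or not stripped or stripped.startswith('-')
                or stripped.startswith('Destination')):
            continue
        parts = stripped.split()
        iface = parts[5] if len(parts) > 5 else ''
        routes.append((parts[0], parts[1], parts[2], iface))
    return routes


def default_gateway(routes):
    """Gateway of the default route (flags must include G), or None."""
    for dest, gw, flags, _ in routes:
        if dest == 'default' and 'G' in flags:
            return gw
    return None


def diagnose(ifconfig_text, netstat_text):
    """Return a list of human-readable problems; empty means both checks pass."""
    problems = []
    for name in interfaces_not_ready(parse_ifconfig(ifconfig_text)):
        problems.append(f'{name}: interface is not UP and RUNNING')
    if default_gateway(parse_routes(netstat_text)) is None:
        problems.append('no default route: add one with "route add default <gw>" '
                        'and record it in /etc/defaultrouter')
    return problems


if __name__ == '__main__':
    for p in diagnose(IFCONFIG_SAMPLE, NETSTAT_SAMPLE):
        print(p)
```

To use it on a live system, feed the script the real command output, for example `ifconfig -a > if.txt; netstat -nr > rt.txt` inside the zone and then call `diagnose(open('if.txt').read(), open('rt.txt').read())`.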
  • 4. Re: can't connect from zone to outer world
    919644 Newbie
    Hi,

    In my first post I should have told you the Solaris machine is running in ESXi (4.1).
    Probably ESX will set the MAC address on the virtual interface and will not accept traffic
    arriving on the interface with another destination MAC address.
    When I run snoop in the global zone this will put the virtual interface in promiscuous mode;
    this will signal ESX to pass all Ethernet traffic coming from the outside world to this
    virtual interface.

    Packets coming from the Solaris sub-zone do get out of the net0 interface.
    This is because I enabled MAC address spoofing at the ESX level.

    The solution is to put the global zone interface in bridging mode:
    dladm create-bridge esxbridge -l net0
    Then packets coming from the outside with the destination MAC address of the
    sub-zone will be passed.

    We use a number of Solaris 10 machines inside ESX without problems, but in that case a shared IP
    stack is used, where probably one MAC address is shared among multiple IP addresses.


    greetings
    Rob

    Edited by: 916641 on 27-Feb-2012 12:52
  • 5. Re: can't connect from zone to outer world
    919644 Newbie
    In case of running Solaris 11 with
    zones with their own IP stack,
    set the global zone interface in bridging mode:

    dladm create-bridge esxbridge -l net0
