{"id":149,"date":"2017-03-31T18:08:23","date_gmt":"2017-03-31T18:08:23","guid":{"rendered":"https:\/\/www.unsafehex.com\/?p=149"},"modified":"2024-09-27T17:29:20","modified_gmt":"2024-09-27T17:29:20","slug":"bonding-rituals","status":"publish","type":"post","link":"https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/","title":{"rendered":"Bonding rituals"},"content":{"rendered":"<p>I may have been quiet on here but not because I haven&#8217;t been doing lots of fun nerdy stuff. Unfortunately, there&#8217;s a fair amount of it that can&#8217;t be blogged about, hence the lack of new material here, but a problem came up the other day that was <del>a royal pain in the ass<\/del> pretty fun and interesting, and maybe some folks out there might be scratching their heads over it and appreciate there being something in the depths of t&#8217;interwebs to explain it.<\/p>\n<p>Bonding is a pretty damn useful thing, especially to us NSM folks. Take a 1&#215;1 tap and run the output cables up to a nice bit of tin running $distro_of_choice, a few minutes of tweaking interface config files, and hey presto! a bonded interface with both directions of traffic for Snort\/Suricata\/Bro\/whatever to listen to, and your kit is safely out of line where the sysadmins can&#8217;t blame you when something breaks and takes out the internet (they&#8217;ll probably still try though).<\/p>\n<p>So far, so standard. The other day I needed to do this in a VM &#8211; no problem, I thought. 
VMware will let you pass traffic through to the guest; you need to put the switch into promiscuous mode, which you can do in the vSwitch Security Policy, because the interface in your guest\/sniffer won&#8217;t have an IP assigned.<\/p>\n<p><a href=\"https:\/\/www.unsafehex.com\/wp-content\/uploads\/2017\/03\/vSwitch-security-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-157 size-medium\" src=\"https:\/\/www.unsafehex.com\/wp-content\/uploads\/2017\/03\/vSwitch-security-2-300x107.png\" alt=\"\" width=\"300\" height=\"107\" srcset=\"https:\/\/www.unsafehex.com\/wp-content\/uploads\/2017\/03\/vSwitch-security-2-300x107.png 300w, https:\/\/www.unsafehex.com\/wp-content\/uploads\/2017\/03\/vSwitch-security-2-768x274.png 768w, https:\/\/www.unsafehex.com\/wp-content\/uploads\/2017\/03\/vSwitch-security-2-624x223.png 624w, https:\/\/www.unsafehex.com\/wp-content\/uploads\/2017\/03\/vSwitch-security-2.png 806w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>With each output of the tap assigned its own vSwitch, which was attached to an individual interface on the guest, I created a bond interface to combine the two. In the very best tradition of here&#8217;s one I <del>made earlier<\/del> let someone else make and plagiarised shamelessly, you can read a good guide <a href=\"https:\/\/www.unixmen.com\/linux-basics-create-network-bonding-on-centos-76-5\/\">here<\/a>. One notable exception &#8211; use mode 0 (round robin) and <strong>not<\/strong> active\/passive &#8211; we want to combine the outputs, instead of having the second only work if the first fails.<\/p>\n<p>So, having done that, I brought up the bond0 interface and&#8230; weirdness happened. I was only seeing one side of the traffic. tcpdump on the bond0 interface was only showing the responses, not the requests. The slaved interfaces told a similar story: one had traffic (inbound), and the other was silent. Odd. 
Next check: was the ESXi host seeing the traffic but not passing it through? Checking this requires the use of <a href=\"https:\/\/kb.vmware.com\/selfservice\/microsites\/search.do?language=en_US&amp;cmd=displayKC&amp;externalId=2051814\">pktcap-uw<\/a> rather than VMware&#8217;s implementation of tcpdump, which will not let you look at traffic on individual vSwitches. This showed the traffic was indeed present.<\/p>\n<p>Proper head-scratching time now. The interface settings were all correct, the problem persisted through restarts of the interfaces, the networking service, even the OS. Next step was bringing up each interface manually one at a time; now it got even weirder. eth1 showed responses as expected. eth2 showed requests &#8211; awesome! bond0 showed&#8230; just the responses. Checked eth2 and it was now silent as the grave. Curses! This didn&#8217;t change when bond0 was shut down again; outbound traffic would only reappear when eth2 was brought up without bond0. Enabling bond0 killed it again until it was started without bond0 running. What the hell?<\/p>\n<p>Having pretty much run out of ideas, a bit of experimentation was on the cards, starting with the ESXi config settings. This was clearly a stroke of genius, because upon setting <a href=\"http:\/\/pubs.vmware.com\/vsphere-65\/index.jsp#com.vmware.vsphere.security.doc\/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html#GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB\">MAC address changes<\/a> to &#8216;accept&#8217;, it instantly started working. Why would this be?<\/p>\n<p>When bonding is enabled, the bond0 interface defaults to starting with the MAC of the first interface to join the bond. 
In round-robin mode, it then <a href=\"http:\/\/www.cloudibee.com\/network-bonding-modes\/\">shuttles its MAC address around each interface to receive frames<\/a>; VMware&#8217;s (sensible) default is to ignore changes like this, and as a result it will stop transmitting traffic to the interface it sees as having violated the restriction until the interface is bounced. Thus, the first slave to join will receive traffic because its MAC stays the same, and the second stops being sent data because the vSwitch has seen its MAC change. Permitting changes on the vSwitch means the MAC can be assigned as necessary.<\/p>\n<p><strong>TLDR<\/strong>: If you want to use a bonded interface in an ESXi guest like this, you must set &#8216;Allow MAC address changes&#8217; to <strong>accept<\/strong> on the vSwitches the slave interfaces connect to.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I may have been quiet on here but not because I haven&#8217;t been doing lots of fun nerdy stuff. 
Unfortunately, there&#8217;s a fair amount of it that can&#8217;t be blogged about, hence the lack of new material here, but a problem came up the other day that was a royal pain in the ass pretty [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[47,49,50,48,51],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-tutorials-and-guides","tag-bonding","tag-suricata","tag-tap","tag-vmware","tag-vswitch"],"yoast_head_json":{"title":"Bonding rituals &#8211; unsafehex","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/","og_locale":"en_GB","og_type":"article","og_title":"Bonding rituals &#8211; unsafehex","og_description":"I may have been quiet on here but not because I haven&#8217;t been doing lots of fun nerdy stuff. Unfortunately, there&#8217;s a fair amount of it that can&#8217;t be blogged about, hence the lack of new material here, but a problem came up the other day that was a royal pain in the ass pretty [&hellip;]","og_url":"https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/","og_site_name":"unsafehex","article_published_time":"2017-03-31T18:08:23+00:00","article_modified_time":"2024-09-27T17:29:20+00:00","og_image":[{"url":"https:\/\/www.unsafehex.com\/wp-content\/uploads\/2017\/03\/vSwitch-security-2-300x107.png"}],"author":"http_error_418","twitter_card":"summary_large_image","twitter_creator":"@http_error_418","twitter_site":"@http_error_418","twitter_misc":{"Written by":"http_error_418","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/","url":"https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/","name":"Bonding rituals &#8211; 
unsafehex","isPartOf":{"@id":"https:\/\/www.unsafehex.com\/#website"},"datePublished":"2017-03-31T18:08:23+00:00","dateModified":"2024-09-27T17:29:20+00:00","author":{"@id":"https:\/\/www.unsafehex.com\/#\/schema\/person\/69a7fc817171b5a3c4770875a1918652"},"breadcrumb":{"@id":"https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.unsafehex.com\/index.php\/2017\/03\/31\/bonding-rituals\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.unsafehex.com\/"},{"@type":"ListItem","position":2,"name":"Bonding rituals"}]},{"@type":"WebSite","@id":"https:\/\/www.unsafehex.com\/#website","url":"https:\/\/www.unsafehex.com\/","name":"unsafehex","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.unsafehex.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.unsafehex.com\/#\/schema\/person\/69a7fc817171b5a3c4770875a1918652","name":"http_error_418","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.unsafehex.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/fe9a4cdd9d9f058529884ce588767baf?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fe9a4cdd9d9f058529884ce588767baf?s=96&d=mm&r=g","caption":"http_error_418"}}]}},"_links":{"self":[{"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/posts\/149"}],"collection":[{"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/comments?post=149"}],"version-history":[{"count":6,"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions\/158"}],"wp:attachment":[{"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/media?parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/categories?post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.unsafehex.com\/index.php\/wp-json\/wp\/v2\/tags?post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}