waynesung wrote: From your Mar 02 post:
> I briefly disabled the 60-second ping on my webserver and, sure enough, after a few minutes it becomes inaccessible remotely.
When this host is inaccessible from the outside, can one of your inside machines reach it? It would be ideal if you can check using one machine that already has an ARP in the webserver and another that does not have an ARP.
I've tried this experiment and, yes, any machine on my side of the DSL line (either plugged into the LAN switch on the ZyXEL, or another VM on the same subnet) can access the webserver. My machines claim to have a 60-second ARP cache timeout (according to the value of gc_stale_time in /proc) but I notice the cache entries persist much longer than that (about 5 minutes). Anyway, after the magic timeout, my other machines can access the webserver just fine.
waynesung wrote: "A few minutes" still sounds like a layer 2 timeout to me. Don't some VM implementations have pseudo ethernet switches in them?
Yes, VMware can emulate a virtual switch for a private subnet shared between VMs, but I'm not using that here. The VMs are bridged over the host system's Ethernet interface, which is physically plugged into the ZyXEL. I'm doing my Wireshark tracing using the host's physical net device and thus I can see all packets to/from all VMs bridged on that interface. What I observe is that I'm not seeing any packets coming in from the DSL side of things after "a few minutes".
As for this being a layer-2 timeout, well, "whose" layer-2? I still maintain this is happening across the line over in Sonic's neck of the woods. I just can't prove it.
I have one more test scenario to try, which is to change the MAC address of the webserver VM to one from an old physical Ethernet card I have on hand (but not plugged in). That should tell me if this is, perhaps, related to VMware's MAC prefix, or, perhaps, someone else on the same DSLAM is using VMware and happens to have the same MAC.
I'm still wondering about a comment one of the Sonic support people said to me about needing to do a ping every 2 minutes, like they knew about this problem, but could not explain to me why. I don't get that.
Anyway, more testing..