![IP forwarding slow/dead](https://rvso.com/image/756811/Reenv%C3%ADo%20de%20IP%20lento%2Fmuerto.png)
I have 2 virtual machines set up in qemu. One of the virtual machines (VM1) has a link to the Internet and a link to the other virtual machine (VM2). On VM1 I get good network throughput results (to the WAN):
```
Connecting to host iperf.xxx, port 5201
[ 5] local xxx port 40826 connected to xxx port 5201
[ 7] local xxx port 40828 connected to xxx port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-10.00 sec 353 MBytes 296 Mbits/sec 337 93.3 KBytes
[ 7] 0.00-10.00 sec 359 MBytes 301 Mbits/sec 339 122 KBytes
[SUM] 0.00-10.00 sec 712 MBytes 597 Mbits/sec 676
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 353 MBytes 296 Mbits/sec 337 sender
[ 5] 0.00-10.00 sec 353 MBytes 296 Mbits/sec receiver
[ 7] 0.00-10.00 sec 359 MBytes 301 Mbits/sec 339 sender
[ 7] 0.00-10.00 sec 358 MBytes 300 Mbits/sec receiver
[SUM] 0.00-10.00 sec 712 MBytes 597 Mbits/sec 676 sender
[SUM] 0.00-10.00 sec 711 MBytes 596 Mbits/sec receiver
```
On VM1 I have IP forwarding enabled in sysctl, and VM2 has a default route to VM1. But when I run the same iperf test on VM2, I get the following result:
```
Connecting to host iperf.xxx, port 5201
[ 5] local 10.5.5.2 port 53188 connected to xxx port 5201
[ 7] local 10.5.5.2 port 53190 connected to xxx port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-10.01 sec 631 KBytes 516 Kbits/sec 6 1.41 KBytes
[ 7] 0.00-10.01 sec 731 KBytes 598 Kbits/sec 20 1.41 KBytes
[SUM] 0.00-10.01 sec 1.33 MBytes 1.11 Mbits/sec 26
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.01 sec 631 KBytes 516 Kbits/sec 6 sender
[ 5] 0.00-10.01 sec 281 KBytes 230 Kbits/sec receiver
[ 7] 0.00-10.01 sec 731 KBytes 598 Kbits/sec 20 sender
[ 7] 0.00-10.01 sec 431 KBytes 353 Kbits/sec receiver
[SUM] 0.00-10.01 sec 1.33 MBytes 1.11 Mbits/sec 26 sender
[SUM] 0.00-10.01 sec 713 KBytes 583 Kbits/sec receiver
```
As you can see, this is a very large difference. As a natural reaction, I started an iperf between VM1 (server) and VM2 (client), with the following result:
```
Connecting to host 10.5.5.1, port 5201
[ 5] local 10.5.5.2 port 49408 connected to 10.5.5.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.01 MBytes 8.46 Mbits/sec 31 1.41 KBytes
[ 5] 1.00-2.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 2.00-3.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 3.00-4.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 4.00-5.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 5.00-6.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 6.00-7.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 7.00-8.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 8.00-9.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 9.00-10.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.01 MBytes 847 Kbits/sec 34 sender
[ 5] 0.00-10.00 sec 523 KBytes 429 Kbits/sec receiver
```
It looks like packets are being dropped after the connection is established (?), because for the first second everything is fine, but then the connection appears to be dead.
I am currently out of options, and I have even accepted all traffic in the firewall on VM1. Output of `iptables -nvL --line-numbers` on VM1:
```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 602K 34M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
2 2428K 275M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 1 84 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 6 360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5201
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
6 5 308 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 ctstate NEW
7 3 140 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 ctstate NEW
8 132 5288 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 593 24128 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset
10 81 24010 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
11 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5201
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5201
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 137K 298M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
2 1758 106K ACCEPT tcp -- * * 0.0.0.0/0 10.5.5.2 tcp dpt:22
3 97425 322M ACCEPT all -- * enp1s5 0.0.0.0/0 10.5.5.0/24 ctstate RELATED,ESTABLISHED
4 41400 6022K ACCEPT all -- enp1s5 * 10.5.5.0/24 0.0.0.0/0
5 0 0 ACCEPT all -- enp1s5 enp1s5 0.0.0.0/0 0.0.0.0/0
6 0 0 REJECT all -- enp1s5 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
7 0 0 REJECT all -- * enp1s5 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 383K 2483M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
```
And the nat table, `iptables -t nat -nvL --line-numbers`:
```
Chain PREROUTING (policy ACCEPT 2246 packets, 141K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- * * 0.0.0.0/0 xxx tcp dpt:2243 to:10.5.5.2:22
2 1 64 DNAT tcp -- * * 0.0.0.0/0 xxx tcp dpt:2246 to:10.5.5.2:22
Chain INPUT (policy ACCEPT 1330 packets, 77280 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 355 packets, 18693 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 949 packets, 42477 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 10.5.5.0/24 224.0.0.0/24
2 0 0 RETURN all -- * * 10.5.5.0/24 255.255.255.255
3 242 15138 MASQUERADE all -- * * 10.5.5.0/24 !10.5.5.0/24
```
(This is with 2 port forwards enabled on VM1 to port 22 on VM2, by the way.)
As I said, I am out of options. Do you have any suggestions on how to continue troubleshooting?
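
Added example (not part of the original post): a small Python check that reads `iptables -nvL --line-numbers` output like the listing above and reports, per chain, the first rule that matches every packet with a terminal target, together with the later rules it shadows. The function names are hypothetical, and the parser assumes the whitespace-separated column layout shown in the post; jumps to user-defined chains are not modelled.

```python
import re

# FORWARD and OUTPUT chains as shown in the post's `iptables -nvL --line-numbers` output.
LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 137K 298M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
2 1758 106K ACCEPT tcp -- * * 0.0.0.0/0 10.5.5.2 tcp dpt:22
3 97425 322M ACCEPT all -- * enp1s5 0.0.0.0/0 10.5.5.0/24 ctstate RELATED,ESTABLISHED
4 41400 6022K ACCEPT all -- enp1s5 * 10.5.5.0/24 0.0.0.0/0
5 0 0 ACCEPT all -- enp1s5 enp1s5 0.0.0.0/0 0.0.0.0/0
6 0 0 REJECT all -- enp1s5 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
7 0 0 REJECT all -- * enp1s5 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 383K 2483M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ANY = ["all", "--", "*", "*", "0.0.0.0/0", "0.0.0.0/0"]


def is_catch_all(fields):
    """True when a rule matches every packet and ends chain traversal."""
    target, match, extra = fields[3], fields[4:10], fields[10:]
    if extra[:1] == ["reject-with"]:      # target option, not a match condition
        extra = extra[2:]
    return target in TERMINAL and match == ANY and not extra


def shadowed_rules(listing):
    """Map chain -> (catch-all rule number, its target, later rule numbers it shadows)."""
    result, chain = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) ", line)
        if header:
            chain = header.group(1)
            continue
        fields = line.split()
        if chain is None or len(fields) < 10 or not fields[0].isdigit():
            continue                      # column header or blank line
        num = int(fields[0])
        if chain in result:
            result[chain][2].append(num)  # unreachable: evaluated after the catch-all
        elif is_catch_all(fields):
            result[chain] = (num, fields[3], [])
    return result
```

On the post's listing, FORWARD rule 1 accepts everything, so rules 2 to 7, including the two REJECT rules, are never evaluated while it is in place.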