Know the why

  • What is a First Hop Redundancy Protocol (FHRP)

    The gateway is the first stop or “hop” your packets take when leaving your local network to reach the internet. If it ever goes down, you instantly lose access to anything outside your local network. FHRP solves that problem by letting a backup router take over the gateway.

    How do I use FHRP?

    FHRP is a category of protocols, similar to how “soft drink” refers to a whole group of beverages. The three commonly used FHRP protocols are HSRP, VRRP, and GLBP (which also adds load balancing).

    How does it work?

    Let’s use VRRP as the example.

    VRRP uses a virtual IP and MAC address. Clients use this as their gateway. The master router forwards traffic with this virtual address. If the master router goes down, the backup takes over the same virtual IP and MAC address and becomes the master router.

    Picture a company with two employees but only one published phone number. The phone number is the virtual IP and MAC. Let’s say the first employee answers all calls. If they become unavailable, the second employee can immediately take over the same phone number. Callers still dial the same number and they never notice the switch.

    Let’s take it a step further. If you have hundreds or thousands of callers, you wouldn’t send every call to one employee. You’d spread the calls across the whole team. With more employees, you can handle more calls. GLBP works the same way. It distributes traffic across multiple gateways. As a side effect, you also get redundancy because several routers are active and forwarding traffic, which is an improvement over having a single gateway with only a backup.

    What is a virtual IP address (VIP)?

    Each router still has its own unique IP and MAC address so they can talk to each other and exchange status messages. The VIP is a real address, but it isn’t locked to one router. The VIP will move to whichever gateway is active. If Router A fails, Router B will take over the VIP. From the client’s point of view, they keep using the same gateway address.


    Example:
    Router A: 192.168.0.2
    Router B: 192.168.0.3
    VIP: 192.168.0.1

  • Understanding VirtualBox Internal Network Adapters

    When you create an “Internal Network” in VirtualBox, three things happen behind the scenes.

    1. VirtualBox creates a virtual switch.
    2. The VM gets a virtual network adapter, just like a real NIC.
    3. A virtual network cable connects the VM’s adapter to the virtual switch.

    Think of it like the image below, where computers connect their network ports to the switch using CAT6 cables.

    You can see I created a switch with the name of “mynetwork”. You attach any other VMs to the same switch by using the same name. Ensure the spelling is correct or you’ll be creating a different switch.

    To figure out which interface it is, match the MAC address. In VirtualBox, my network adapter’s MAC is 0800279424E8 (Linux tools show the same address as 08:00:27:94:24:e8).

    In your Linux VM, run the command ip link.

    In this example, the interface enp0s3 has that MAC, so this is the one you would assign an IP address to.
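    As an added example (not part of the original post), here is a small POSIX shell helper that turns the separator-free MAC VirtualBox shows into the colon form that ip link prints and then picks out the matching interface name. The ip link output used below is a constructed sample; on a real VM you would pipe the live output of ip link into the function instead.

```shell
#!/bin/sh
# Added example: find the Linux interface whose MAC matches the adapter
# shown in VirtualBox's GUI (e.g. 0800279424E8, no separators).

# Normalise any MAC spelling (0800279424E8, 08:00:27:94:24:E8, 08-00-27-..., 0800.2794.24e8)
# to lowercase colon-separated form, which is what `ip link` prints.
normalize_mac() {
    printf '%s' "$1" | sed 's/[:.-]//g' | tr 'A-Z' 'a-z' \
        | sed 's/\(..\)/\1:/g; s/:$//'
}

# Read `ip link` output on stdin and print the name of the interface whose
# link/ether line carries the wanted MAC ($1). Exit status 1 if nothing matches.
find_iface_by_mac() {
    want=$(normalize_mac "$1")
    awk -v want="$want" '
        # "2: enp0s3: <BROADCAST,...>" -> remember the name, minus trailing ":" or "@ifN"
        /^[0-9]+: / { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        # "    link/ether 08:00:27:94:24:e8 brd ff:..." -> field 2 is the MAC
        /link\/ether/ && $2 == want { print name; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of `ip link` output from a VM with two adapters.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:94:24:e8 brd ff:ff:ff:ff:ff:ff
3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 08:00:27:aa:bb:cc brd ff:ff:ff:ff:ff:ff'

# Usage against the sample (on a real VM: ip link | find_iface_by_mac 0800279424E8)
printf '%s\n' "$SAMPLE_IP_LINK" | find_iface_by_mac 0800279424E8
```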

    Pro tip:

    A physical network card has a hardware MAC filter. Your network card only accepts frames addressed to its own MAC address, broadcasts, and multicasts it subscribes to. Any other frame it sees on the wire gets dropped. In VirtualBox this is “deny all” under promiscuous mode, which is the default. This is correct and how a network should operate.

    In certain situations, you may need to turn off this hardware MAC filter. In VirtualBox, you would set promiscuous mode to “Allow All”. Now when your virtual network card sees a frame on the wire from the switch, it will send it up the stack without filtering it.

    Examples:

    • Packet sniffing with Wireshark for traffic not destined to your own system.
    • A VXLAN tunnel endpoint (VTEP) accepts frames for devices elsewhere on the network. The destination MAC won’t match the VTEP’s own MAC, so unless you set “Allow All” your network card will drop the frame.