Article ID: 120008, created on Feb 6, 2014, last review on May 11, 2014

Applies to:

  • Virtuozzo 6.0
  • Virtuozzo containers for Linux 4.7
  • Virtuozzo hypervisor


An IPsec/VPN connection from a PCS 6.0 host (as a client) to a container in bridged mode (as a server) on the same PCS 6.0 host is not operable, because too many packets are lost.


The implementation of virtual networks and bridged mode in PCS 6.0 relies on the via_phys_dev feature, which keeps the MAC address of the bridge equal to the MAC address of the physical interface. With this option, the server routes all traffic for unknown destinations through the plugged physical interface, and the feature ensures that there is only one physical interface plugged into the bridge interface.

This reduces the amount of resources needed for traffic forwarding and it simplifies management of bridges for virtual environments, as there is no need to move all network configuration from a physical interface to a bridged interface upon attaching the physical interface to the bridge.

For this specific type of VPN connection, this feature results in packets being sent in the wrong direction most of the time.
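The two bridge properties described above can be checked from sysfs. The following is an added diagnostic example, not Virtuozzo tooling: the function names and the `SYSROOT` argument are assumptions, a physical NIC is recognised by its sysfs `device` link, and a MAC match is only consistent with the behaviour described, not proof that via_phys_dev is active.

```shell
#!/bin/sh
# Added example: report, for one Linux bridge, the two properties the article
# attributes to via_phys_dev. SYSROOT (assumption) lets the check run against
# a copy of sysfs; on a live host pass /sys.

# Print the bridge ports backed by real hardware. A physical NIC has a
# "device" link in sysfs; virtual ports (veth*, vme*) do not.
phys_ports() {
    sysroot=$1; bridge=$2
    for port in "$sysroot/class/net/$bridge/brif"/*; do
        [ -e "$port" ] || continue          # empty bridge: glob did not match
        name=$(basename "$port")
        [ -e "$sysroot/class/net/$name/device" ] && echo "$name"
    done
    return 0
}

# Print "<bridge> phys=<count> mac_match=<yes|no|n/a>".
# mac_match is only evaluated when exactly one physical port is attached.
bridge_report() {
    sysroot=$1; bridge=$2
    ports=$(phys_ports "$sysroot" "$bridge")
    count=$(printf '%s\n' "$ports" | grep -c . || true)
    match=n/a
    if [ "$count" -eq 1 ]; then
        br_mac=$(cat "$sysroot/class/net/$bridge/address")
        if_mac=$(cat "$sysroot/class/net/$ports/address")
        if [ "$br_mac" = "$if_mac" ]; then match=yes; else match=no; fi
    fi
    echo "$bridge phys=$count mac_match=$match"
}

# Stand-alone use: sh script.sh <bridge-name>
if [ "$#" -ge 1 ]; then
    bridge_report /sys "$1"
fi
```

A result of `phys=1 mac_match=yes` matches the layout described here; any other result means the bridge is set up differently.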


In the long term, the via_phys_dev feature is to be removed in future versions.

From another point of view, there is no sense in securing connections between the host server and an environment running on the same host:

  1. connections via the venet0 interface in routed mode are always secure - containers have no way to get traffic destined for other containers;
  2. promiscuous mode for virtual environments in bridged mode is disabled by default, and only broadcast packets can be captured in addition to the traffic destined for this virtual environment, as it is controlled by the Linux bridge, which acts as the network switch;
  3. there is a very easy way to set up a dedicated connection with a virtual environment - add an Ethernet interface and use the appropriate interface from the host side to send packets to communicate with that environment (vethCTID.N for containers, vmeENVID.N for virtual machines).
