vspherization wrote:
Analyzing traffic with Wireshark on VM2, I've noticed that an ARP request leaves from the remote client MAC to the destination host interface of VM2 (broadcast ARP request).
The host VM2 sends an ARP reply directly to the MAC address of the remote client.
This last packet doesn't pass the vSwitch, so it isn't received by the remote client and the ping fails.
I think this occurs because the vSwitch only knows all the MACs of virtual machines within the ESX environment, it doesn't learn MAC addresses like a physical real switch and it discards packets sent to unknown unicast MAC addresses (broadcast traffic instead is passed). Am I wrong?
I think you are most likely right. The vSwitch does not learn MAC addresses like a physical switch, and normally this is not a problem, since it means that all unknown unicast MAC addresses are "outside" the vSwitch and should be delivered to the physical network.
Your ARP request (with broadcast destination) is sent to all ports on the layer 2 network, but the vSwitch does not "know" that the remote MAC is reachable through VM1. If you had layer 3 routing in VM1 then it would work, but I guess this VPN software you use does not work that way?
Another possible workaround would be for VM1 to change the source MAC of the ARP request when passing it through, and set the internal vNIC MAC address as source instead. That way it would look correct to the vSwitch; however, it might of course not be possible.
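To make the forwarding difference concrete, here is a small added simulation of the two switch behaviours discussed in this thread. It is not code from the original posts or from VMware; the port names, the MAC addresses and the simplified forwarding rules (a static table of vNIC MACs with unknown unicast sent only to the uplink, versus a learning switch that floods unknown unicast) are assumptions made for the example. It replays the ARP exchange from the question on both switch models and then on the vSwitch model with the source-MAC rewrite suggested in the reply.

```python
# Added illustration of the vSwitch-vs-physical-switch forwarding behaviour
# described in this thread. Ports, MACs and the forwarding rules are
# constructed assumptions for the example, not VMware's implementation.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Physical-switch behaviour: learn the source MAC on the ingress port,
    flood broadcast and unknown unicast to every other port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # mac -> port, learned from observed frames

    def forward(self, in_port, src, dst):
        self.table[src] = in_port  # learning step
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out = self.table[dst]
        return [] if out == in_port else [out]


class VSwitch:
    """vSwitch behaviour as the thread describes it: the table holds only the
    vNIC MACs and is never updated from observed frames. Broadcast is flooded;
    unicast to an unknown MAC is treated as 'outside' and goes to the uplink
    only, never to a vNIC port."""

    def __init__(self, vnic_macs, uplink):
        self.table = dict(vnic_macs)  # mac -> vNIC port, static
        self.uplink = uplink
        self.ports = list(self.table.values()) + [uplink]

    def forward(self, in_port, src, dst):
        if dst == BROADCAST:
            return [p for p in self.ports if p != in_port]
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]
        # unknown unicast: assumed to live on the physical network
        return [] if in_port == self.uplink else [self.uplink]


# Constructed addresses for the three parties in the question.
REMOTE = "00:aa:aa:aa:aa:01"  # remote VPN client behind VM1
VM1 = "00:50:56:00:00:01"     # vNIC MAC of VM1, the VPN endpoint
VM2 = "00:50:56:00:00:02"     # vNIC MAC of VM2, the ping target


def arp_exchange(switch, rewrite_src=False):
    """Replay the thread's exchange: VM1 bridges the client's ARP request in
    on port 'vm1', VM2 answers with a unicast reply to the request's source
    MAC. Returns the ports that receive the reply; the reply only reaches the
    client if 'vm1' is among them."""
    req_src = VM1 if rewrite_src else REMOTE
    switch.forward("vm1", req_src, BROADCAST)
    return switch.forward("vm2", VM2, req_src)


if __name__ == "__main__":
    physical = LearningSwitch(["vm1", "vm2", "uplink"])
    print("learning switch, reply goes to:", arp_exchange(physical))
    vswitch = VSwitch({VM1: "vm1", VM2: "vm2"}, "uplink")
    print("vSwitch, reply goes to:", arp_exchange(vswitch))
    print("vSwitch with rewritten source MAC, reply goes to:",
          arp_exchange(vswitch, rewrite_src=True))
```

On the learning switch the request teaches the switch that the client's MAC sits behind port vm1, so VM2's reply is delivered there; on the vSwitch model the reply is an unknown unicast and is handed to the uplink, which is exactly the drop observed in Wireshark. Rewriting the request's source MAC to VM1's own vNIC address makes the reply land on a MAC the vSwitch does know. One practical check when trying either the bridged or the rewritten approach: a vSwitch port group's "Forged transmits" security policy, when set to Reject, drops outbound frames whose source MAC differs from the vNIC's effective address, so the bridged request with the client's MAC as source would never enter the vSwitch in the first place.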