no internet access inside KVM guest

[sylverb]

Hello,

I'm facing a very strange situation with a KVM guest.

Inside the guest I can ping the gateway (my host) , my host can ping the guest, but the guest cannot ping or reach anything else .

This is the ip config in the host:
cat /etc/network/interfaces
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
address xx.118.27.62
netmask 255.255.255.128
gateway xx.118.27.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

auto vmbr1
iface vmbr1 inet static
address xx.118.24.157
netmask 255.255.255.192
gateway xx.118.24.129
bridge_ports eth1
bridge_stp off
bridge_fd 0

From outside, I can ping xx.118.27.62 with no problem, but impossible to ping the guest which has IP: xx.118.27.75

This is the routing table on my host:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xx.118.27.75 0.0.0.0 255.255.255.255 UH 0 0 0 vmbr0
xx.118.24.128 0.0.0.0 255.255.255.192 U 0 0 0 vmbr1
xx.118.27.0 0.0.0.0 255.255.255.128 U 0 0 0 vmbr0
0.0.0.0 xx.118.27.1 0.0.0.0 UG 0 0 0 vmbr0

brctl show
bridge name bridge id STP enabled interfaces
vmbr0 8000.0040d0c04b69 no eth0
vmtab101i0
vmbr1 8000.0040d0c04b6a no eth1

My guest(freebsd) has a default route set as :
default xx.118.27.62

It's been few days I'm trying to solve this problem, but no luck so far.

I would highly appreciate some help on what might be wrong ...

Thanks
SB

 

[dietmar]

Please try to use tcpdump to see where packets gets lost.

 

[sylverb]

Hi Dietmar,

This is what i'm getting on the host when I run a ping 74.125.127.100 from the guest :

# tcpdump icmp -n -i any
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
07:55:24.973295 IP xx.118.27.62 > xx.118.27.75: ICMP host 74.125.127.100 unreachable, length 92
07:55:24.973305 IP xx.118.27.62 > xx.118.27.75: ICMP host 74.125.127.100 unreachable, length 92
07:55:24.974117 IP xx.118.27.75 > 74.125.127.100: ICMP echo request, id 47630, seq 35, length 64
07:55:24.974117 IP xx.118.27.75 > 74.125.127.100: ICMP echo request, id 47630, seq 35, length 64
07:55:27.976004 IP xx.118.27.62 > xx.118.27.75: ICMP host 74.125.127.100 unreachable, length 92


However :

# ping -I vmbr0 74.125.127.100
PING 74.125.127.100 (74.125.127.100) from xx.118.27.62 vmbr0: 56(84) bytes of data.
64 bytes from 74.125.127.100: icmp_seq=1 ttl=52 time=161 ms
64 bytes from 74.125.127.100: icmp_seq=2 ttl=52 time=163 ms

--- 74.125.127.100 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3009ms
rtt min/avg/max/mdev = 161.887/163.173/163.845/1.022 ms


Looks like it's reaching the host but for some reasons .62 doesn't route the traffic if it's coming from .75 ...

 

[dietmar]

Hi Dietmar,

This is what i'm getting on the host when I run a ping 74.125.127.100 from the guest :

# tcpdump icmp -n -i any
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
07:55:24.973295 IP xx.118.27.62 > xx.118.27.75: ICMP host 74.125.127.100 unreachable, length 92
07:55:24.973305 IP xx.118.27.62 > xx.118.27.75: ICMP host 74.125.127.100 unreachable, length 92
07:55:24.974117 IP xx.118.27.75 > 74.125.127.100: ICMP echo request, id 47630, seq 35, length 64
07:55:24.974117 IP xx.118.27.75 > 74.125.127.100: ICMP echo request, id 47630, seq 35, length 64
07:55:27.976004 IP xx.118.27.62 > xx.118.27.75: ICMP host 74.125.127.100 unreachable, length 92

looks like 74.125.127.100 does not send a reply (at least is does not arrive)?

 

[sylverb]

That's google host ..

there is no reply if I initiate the ping from the guest .. getting the same when I ping any other internet host as well. looks like its dying on .62

 

[dietmar]

Please test with a host under your control. You can then use tcpdump on that host also.

 

[sylverb]

Please test with a host under your control. You can then use tcpdump on that host also.

I've made few more tests, the guest can't even ping the default gateway (xx.118.27.1) of .62 . But from the host, I can.

Everything is dying at .62.

I also tried bridged and routed configuration as described here :
http://pve.proxmox.com/wiki/Network_Model
but same result.

It's like vmbr0 doesnt know how to route traffic if it's coming from the guest

 

[dietmar]

It's like vmbr0 doesnt know how to route traffic if it's coming from the guest

The tcpdump you posted shows something else (traffic is routed correctly, but external host does not route it back - is your firewall correctly configured?).

 

[sylverb]

The tcpdump you posted shows something else (traffic is routed correctly, but external host does not route it back - is your firewall correctly configured?).

Hi,

Actually the firewall on the host doesn' t have any rule - iptables -L is empty .. should i have anything configured ?

 

[dietmar]

No, I meant the external firewall (which you should have!), or the next hop on the network.

 

[sylverb]

No, I meant the external firewall (which you should have!), or the next hop on the network.

No other firewall.. the next hope is the router. I used openvz with no problem, but going nowhere with kvm

 

[dietmar]

Then login to the router an do a tcpdump there.

 

[sylverb]

Then login to the router an do a tcpdump there.

I will ask my ISP, i don't have access to that box .. it's a hosted server

thanks

 

[dietmar]

Most provider block traffic when they see a different MAC (which is the case when you use a VM on a bridge).

 

[sylverb]

Most provider block traffic when they see a different MAC (which is the case when you use a VM on a bridge).

effectively.. this is what they said :
only one mac adress is allowed per switchport. You have to setup routing or nat to allow internet access to or from the virtual servers.

At least I'm glad all the hours i spent configuring this system was right )

So, is there a way to assign a public IP to my KVM guest and still reach it from outside? paradoxically they allow me to use up to 4 public IPs.

 

[dietmar]

# network interface settings
auto lo
iface lo inet loopback
 
auto eth0
iface eth0 inet static
        address xx.118.27.62
        netmask 255.255.255.128
        gateway xx.118.27.1
 
auto vmbr0
iface vmbr0 inet static
        address xx.118.24.157
        netmask 255.255.255.192
        bridge_ports none
        bridge_stp off
        bridge_fd 0

Try something like above (do not connect the bridge to eth0)

 

[sircolin]

IT would be nice to know if this worked as i have almost the same setup and it hasn't worked for me thus far , there's gotta be a trick here some where, im missing i also have 4 ip's

# network interface settings
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 212.1xx.160.139
netmask 255.255.255.0
gateway 212.1xx.160.1

auto vmbr0
iface vmbr0 inet static
address 212.1xx.177.36
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

can any one spot a problem here ?