Bridge to VM guest not accessible from within guest.

hemisphere.energy

I seem to have a problem where I can ping my Fedora Core guest but not ping my Proxmox host. The intention is to share my local zpool on my host with my guest via NFS.

My network configuration is:

Code:
auto lo
iface lo inet loopback

iface enp193s0f0 inet manual
iface enp193s0f1 inet manual

# Primary interface
auto bond0
iface bond0 inet static
        bond-slaves enp193s0f0 enp193s0f1
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3

# VM/Container interface
auto vmbr0
iface vmbr0 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

# Host interface to network
auto vmbr0.2
iface vmbr0.2 inet static
        address 192.168.2.253/24
        gateway 192.168.2.1

# Management interface
auto vmbr0.4
iface vmbr0.4 inet static
        address 192.168.4.253/24
        gateway 192.168.4.1

At first I tried with a separate bridge

Code:
# Host/Guest bridge
auto vmbr1
iface vmbr1 inet static
        address 192.168.50.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

and a second interface on my guest. I installed dnsmasq on my host and was able to receive an IP address inside the guest.

Code:
server=192.168.2.1
domain=<hostname>
interface=vmbr1
dhcp-range=192.168.50.2,192.168.50.254,12h
dhcp-option=vmbr1,3,192.168.50.1
dhcp-leasefile=/var/lib/misc/dnsmasq.leases

I could ping the guest from 192.168.50.1, but no luck pinging the host, i.e. 192.168.50.1, from inside the VM.

I decided I didn't really need vmbr1, so I got rid of that, and the second interface in my guest. I modified vmbr0 to have an IP address:

Code:
auto vmbr0
iface vmbr0 inet manual
        address 192.168.2.252/24
        gateway 192.168.2.1
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

I can ping the outside world, but not 192.168.2.252 from the guest. When trying to ping the guest from the host I get:

Code:
From 192.168.2.252 icmp_seq=1 Destination Host Unreachable

So questions:

1. Is the one interface (i.e. vmbr0) sufficient? Is there any benefit to having a second bridge vmbr1?
2. What is causing the Destination Host Unreachable error?

There is no firewall running in the guest, nor is there one on Proxmox.
 
# Host interface to network
auto vmbr0.2
iface vmbr0.2 inet static
address 192.168.2.253/24
gateway 192.168.2.1
Here your Host is tagged with vlan id 2.
auto vmbr0
iface vmbr0 inet manual
address 192.168.2.252/24
gateway 192.168.2.1
bridge-ports bond0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
Here your host isn't tagged.

So is your guest also using vlan id 2? Not that one is only responding to VLAN id 2 tagged packets and the other one is sending untagged packets.
 
Here your Host is tagged with vlan id 2
I should be able to use this interface to talk to the guest?
Here your host isn't tagged.
I did tag the guest as VLAN2. I decided to get rid of the IP address on vmbr0, as I have vmbr0.2 on the host anyway.

Code:
# VM/Container interface
auto vmbr0
iface vmbr0 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

# Host interface to network
auto vmbr0.2
iface vmbr0.2 inet static
        address 192.168.2.253/24
        gateway 192.168.2.1

The reason vmbr0 requires VLAN awareness is it allows my VMs to be tagged as they enter the network as per the configured switch port.

The VM is configured like:
[Attached image: 992458677.png]

So to recap: on the host I cannot ping 192.168.2.253 (host IP), nor can I ping it from the guest; both can ping the outside world. vmbr0.2 does allow access to the outside world:

Code:
root@pve:~# traceroute 192.168.2.1
traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 60 byte packets
 1  192.168.2.1 (192.168.2.1)  0.688 ms  0.741 ms  0.926 ms

Should I have a second bridge vmbr1 to communicate with my guests as I originally had?

I'm thinking, as the host cannot ping its own interface 192.168.2.253, the issue may lie with the routing to that interface.
 
I figured this out; embarrassingly, I had net.ipv4.icmp_echo_ignore_all set when I added some hardening settings.
Normally I do that at the end, after everything is working.
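
The cause reported in the last post is the hardening sysctl `net.ipv4.icmp_echo_ignore_all`, which makes a host drop ICMP echo requests while other traffic keeps working. The following is an added example, not part of the thread: a shell check that looks for that setting in sysctl configuration files and in the running kernel. The function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the sysctl setting that makes a host ignore ping.

# find_echo_ignore FILE...
# Prints "file:line: key=value" for each active line that sets
# net.ipv4.icmp_echo_ignore_all to a non-zero value.
find_echo_ignore() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }              # comment line
            /^[ \t]*$/    { next }              # blank line
            {
                line = $0
                sub(/^[ \t]*-?/, "", line)      # a leading "-" means ignore errors
                n = index(line, "=")
                if (n == 0) next
                key = substr(line, 1, n - 1); val = substr(line, n + 1)
                gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
                gsub("/", ".", key)             # "/" and "." are both valid separators
                if (key == "net.ipv4.icmp_echo_ignore_all" && val + 0 != 0)
                    printf "%s:%d: %s=%s\n", file, NR, key, val
            }' "$f"
    done
}

# live_echo_ignore [PROC_SYS_ROOT]
# Succeeds when the running kernel is ignoring ICMP echo requests.
live_echo_ignore() {
    p="${1:-/proc/sys}/net/ipv4/icmp_echo_ignore_all"
    [ -r "$p" ] && [ "$(cat "$p")" != "0" ]
}

# Constructed sample of a hardening drop-in (not taken from the thread).
sample_conf() {
    cat <<'EOF'
# network hardening
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net/ipv4/icmp_echo_ignore_all = 1
#net.ipv4.icmp_echo_ignore_all = 0
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
find_echo_ignore "$tmp" /etc/sysctl.conf /etc/sysctl.d/*.conf
live_echo_ignore && echo "running kernel is ignoring echo requests"
rm -f "$tmp"
```

A match in a file only shows where the value is set; the value in effect is the one `live_echo_ignore` reads from `/proc/sys`.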
 
