Proxmox 5.3: VMs ping each other but not outside

Guilherme F

Apr 10, 2019
Hello guys,

I've installed the latest Proxmox 5.3 on an HP Proliant ML110 G7 machine.

I've 2 guest VMs with NICs configured in bridge mode. The problem is that inside the VMs there's no access to any machine outside the Proxmox host. The ping only works from VM1 to VM2 (and vice versa) and from VMs to the vmbr0 IP.

Curiously, from the Proxmox host I can ping the Internet and other machines in the LAN. I can also ping the VMs' IPs.

Any ideas?

Thanks in advance,

Guilherme

Here is some information:

ip addr
root@pve1:~# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
link/ether 00:9c:02:97:97:f0 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:9c:02:97:97:f1 brd ff:ff:ff:ff:ff:ff
7: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:9c:02:97:97:f0 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.217/24 brd 192.168.1.255 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::29c:2ff:fe97:97f0/64 scope link
valid_lft forever preferred_lft forever
8: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether 8e:30:1a:e6:2d:69 brd ff:ff:ff:ff:ff:ff
10: tap101i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether 1a:1f:e0:fd:9d:13 brd ff:ff:ff:ff:ff:ff

host interfaces
root@pve1:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

#iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.1.217
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports enp2s0
bridge_stp off
bridge_fd 0

#iface eno1 inet manual

ip route
root@pve1:~# ip r
default via 192.168.1.1 dev vmbr0 onlink
192.168.1.0/24 dev vmbr0 proto kernel scope link src 192.168.1.217

ethtool
root@pve1:~# ethtool -i enp2s0
driver: e1000e
version: 3.4.1.1-NAPI
firmware-version: 2.1-2
expansion-rom-version:
bus-info: 0000:02:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

lspci
root@pve1:~# lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 Processor Family DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200/2nd Generation Core Processor Family PCI Express Root Port (rev 09)
00:06.0 PCI bridge: Intel Corporation Xeon E3-1200/2nd Generation Core Processor Family PCI Express Root Port (rev 09)
00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 (rev 05)
00:1c.0 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 1 (rev b5)
00:1c.4 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 5 (rev b5)
00:1c.5 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 6 (rev b5)
00:1c.6 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 7 (rev b5)
00:1c.7 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 8 (rev b5)
00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 (rev 05)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a5)
00:1f.0 ISA bridge: Intel Corporation C204 Chipset Family LPC Controller (rev 05)
00:1f.2 IDE interface: Intel Corporation 6 Series/C200 Series Chipset Family 4 port SATA IDE Controller (rev 05)
00:1f.5 IDE interface: Intel Corporation 6 Series/C200 Series Chipset Family 2 port SATA IDE Controller (rev 05)
01:00.0 System peripheral: Hewlett-Packard Company Integrated Lights-Out Standard Slave Instrumentation & System Support (rev 05)
01:00.1 VGA compatible controller: Matrox Electronics Systems Ltd. MGA G200EH
01:00.2 System peripheral: Hewlett-Packard Company Integrated Lights-Out Standard Management Processor Support and Messaging (rev 05)
01:00.4 USB controller: Hewlett-Packard Company Integrated Lights-Out Standard Virtual USB Controller (rev 02)
02:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
03:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection


modinfo
root@pve1:~# modinfo e1000e
filename: /lib/modules/4.15.18-10-pve/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
version: 3.4.1.1-NAPI
license: GPL
description: Intel(R) PRO/1000 Network Driver
author: Intel Corporation, <linux.nics@intel.com>
srcversion: 89FE86B9B71A2C23609F574
depends: ptp
retpoline: Y
name: e1000e
vermagic: 4.15.18-10-pve SMP mod_unload modversions
parm: copybreak:Maximum size of packet that is copied to a new buffer on receive (uint)
parm: TxIntDelay:Transmit Interrupt Delay (array of int)
parm: TxAbsIntDelay:Transmit Absolute Interrupt Delay (array of int)
parm: RxIntDelay:Receive Interrupt Delay (array of int)
parm: RxAbsIntDelay:Receive Absolute Interrupt Delay (array of int)
parm: InterruptThrottleRate:Interrupt Throttling Rate (array of int)
parm: IntMode:Interrupt Mode (array of int)
parm: SmartPowerDownEnable:Enable PHY smart power down (array of int)
parm: KumeranLockLoss:Enable Kumeran lock loss workaround (array of int)
parm: CrcStripping:Enable CRC Stripping, disable if your BMC needs the CRC (array of int)
parm: EEE:Enable/disable on parts that support the feature (array of int)
parm: Node:[ROUTING] Node to allocate memory on, default -1 (array of int)
parm: debug:Debug level (0=none,...,16=all) (int)

VM1 interfaces
iface ens18 inet static
address 192.168.1.21
netmask 255.255.255.0
gateway 192.168.1.1

VM2 interfaces
iface ens19 inet static
address 192.168.1.22
netmask 255.255.255.0
gateway 192.168.1.1
 
Firewall enabled?
 
Hey Alwin,

Thanks for your reply! The PVE firewall is disabled. I'm sending the screenshots of the PVE Firewall and the output of iptables from both the host and the guest VMs. The VM1 and VM2 iptables are clean with ACCEPT as default policy.


Thanks in advance,

Guilherme

iptables

root@pve1:~# iptables -L -t nat
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

root@pve1:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

ebtables
root@pve1:~# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
 

Attachments

  • pve_firewall-1.PNG
  • pve_firewall-2.PNG
  • pve_firewall-3.PNG
  • vm1_iptables.PNG
  • vm2_iptables.PNG
  • pve_firewall-4.PNG

Did you test with the eno1 interface too? And can you upgrade the PVE installation?
 
Hello Alwin!

Yes, I've tested with eno1 and also created a new bridge with eno1 and VMs attached. Same results.

I will try the 5.4 upgrade.


Thanks in advance,


Guilherme
 
Hello Alwin,

I tested PVE 5.4 using eno1 interface and had the same results. I noticed a difference from 5.3. Now the VETH interfaces are being created. But no ping to outside the host at all.


I also did two tests:
1) Tested PVE 5.4 on a Dell Optiplex 7010 workstation. The ping from the VMs to outside is working properly!

2) Installed Debian 9.8 on the same HP Proliant ML 110 G7 server, then installed and configured KVM, bridge-utils and virt-manager via apt. The ping from the VMs to outside worked too.


Any other ideas?


Thanks in advance,


Guilherme
 
Different NICs, different firmware? Test with a different kernel, then you can check what firmware does work.
 
Hello Alwin,

The test that worked was installing Proxmox 5.4 on a Dell Optiplex 7010 workstation. It has Intel 82579LM embedded NICs. As this is a workstation, I cannot use this machine.

The other test that worked was installing the latest Debian 9 on the server (HP Proliant ML 110 G7) machine and then installing/configuring all the KVM and bridge stuff. Debian 9 has kernel 4.9.144-3.1 and the e1000e driver has version 3.2.6-k. In this setup all the VMs could ping outside.

Lastly, in the setup that I need (Proxmox 5.4 on HP Proliant ML 110 G7) I downloaded the latest driver from Intel (3.4.2.1) and compiled it using the latest PVE headers. Still not pinging outside.


Regards,


Guilherme
 