Hi @all!
I have a routing problem for which I couldn't find help in this forum, nor could two colleagues solve it. Unfortunately, a guest from one network can't reach a guest from another network.
I want to build a secure virtual network architecture on my Proxmox VE host. Its network segments look like this:
Network bridge
7.7.1.0/24 vmbr1 (guest: infra 7.7.1.2/24 / vmbr1)
7.7.2.0/24 vmbr2 (guest: zarafa 7.7.2.1/24 / vmbr2)
7.7.3.0/24 vmbr3
7.7.4.0/24 vmbr4
The guests are connected to the appropriate bridges.
My firewall (fw-ext) connects all network segments. For the moment it has no iptables rules and just works as a gateway.
The routing table looks like the following:
Code:
fw-ext:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.128.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
7.7.4.0 0.0.0.0 255.255.255.0 U 0 0 0 net4
7.7.3.0 0.0.0.0 255.255.255.0 U 0 0 0 net3
7.7.2.0 0.0.0.0 255.255.255.0 U 0 0 0 net2
7.7.1.0 0.0.0.0 255.255.255.0 U 0 0 0 net1
0.0.0.0 192.168.128.254 0.0.0.0 UG 0 0 0 eth1
These are the network devices on my firewall/gateway:
Code:
fw-ext:/# ifconfig | grep -A 1 encap
eth1 Link encap:Ethernet HWaddr 00:0e:2e:ef:6c:96
inet addr:192.168.128.222 Bcast:192.168.128.255 Mask:255.255.255.0
--
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
--
net1 Link encap:Ethernet HWaddr 00:18:51:b5:96:63
inet addr:7.7.1.250 Bcast:7.7.1.255 Mask:255.255.255.0
--
net2 Link encap:Ethernet HWaddr 00:18:51:35:e6:8f
inet addr:7.7.2.250 Bcast:7.7.2.255 Mask:255.255.255.0
--
net3 Link encap:Ethernet HWaddr 00:18:51:e6:a1:eb
inet addr:7.7.3.250 Bcast:7.7.3.255 Mask:255.255.255.0
--
net4 Link encap:Ethernet HWaddr 00:18:51:95:8b:65
inet addr:7.7.4.250 Bcast:7.7.4.255 Mask:255.255.255.0
The network interfaces are configured like this:
Code:
cube:/etc/vz/conf# cat 106.conf | grep NETIF
NETIF="ifname=net4,bridge=vmbr4,mac=00:18:51:95:8B:65,host_ifname=veth106.4,host_mac=00:18:51:B1:E9:2B;
ifname=net1,bridge=vmbr1,mac=00:18:51:B5:96:63,host_ifname=veth106.1,host_mac=00:18:51:60:7E:BA;
ifname=net2,bridge=vmbr2,mac=00:18:51:35:E6:8F,host_ifname=veth106.2,host_mac=00:18:51:27:B8:65;
ifname=net3,bridge=vmbr3,mac=00:18:51:E6:A1:EB,host_ifname=veth106.3,host_mac=00:18:51:2F:86:63"
IP forwarding is activated on my firewall:
Code:
fw-ext:/# cat /proc/sys/net/ipv4/ip_forward
1
Both guests can reach the gateway:
Code:
zarafa:/# ping 7.7.2.250
PING 7.7.2.250 (7.7.2.250) 56(84) bytes of data.
64 bytes from 7.7.2.250: icmp_seq=1 ttl=64 time=3.25 ms
64 bytes from 7.7.2.250: icmp_seq=2 ttl=64 time=0.148 ms
Code:
infra:/# ping 7.7.1.250
PING 7.7.1.250 (7.7.1.250) 56(84) bytes of data.
64 bytes from 7.7.1.250: icmp_seq=1 ttl=64 time=2.56 ms
64 bytes from 7.7.1.250: icmp_seq=2 ttl=64 time=0.124 ms
The problem is that the guests can't ping each other:
Code:
infra:/# ping 7.7.2.1
PING 7.7.2.1 (7.7.2.1) 56(84) bytes of data.
From 7.7.1.2 icmp_seq=2 Destination Host Unreachable
Code:
zarafa:/# ping 7.7.1.2
PING 7.7.1.2 (7.7.1.2) 56(84) bytes of data.
[ctrl-c]
--- 7.7.1.2 ping statistics ---
37 packets transmitted, 0 received, 100% packet loss, time 35999ms
Yesterday the following worked. Don't know why it doesn't work anymore:
Code:
fw-ext:/# iptables -t nat -A POSTROUTING -o eth1 -s 7.7.0.0/16 -j MASQUERADE
iptables: No chain/target/match by that name
I would appreciate any help to solve this problem. I would like to use Proxmox VE in a production environment for a customer. But if I can't solve this problem we would be forced to use VMware ESXi for this customer.
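As an added example (not part of the original post), the following Python parses the route -n output from fw-ext shown in the post and does a longest-prefix-match lookup for traffic between the two guests. The function names are hypothetical and 192.0.2.10 is a constructed external address; the code models only the gateway's routing table, not the guests' own routes or any packet filtering.

```python
import ipaddress

# `route -n` output copied from the post (fw-ext)
ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.128.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
7.7.4.0 0.0.0.0 255.255.255.0 U 0 0 0 net4
7.7.3.0 0.0.0.0 255.255.255.0 U 0 0 0 net3
7.7.2.0 0.0.0.0 255.255.255.0 U 0 0 0 net2
7.7.1.0 0.0.0.0 255.255.255.0 U 0 0 0 net1
0.0.0.0 192.168.128.254 0.0.0.0 UG 0 0 0 eth1
"""

def parse_route_n(text):
    """Return a list of (network, gateway or None, iface) from `route -n` text."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination.
        if len(f) != 8 or not f[0][0].isdigit():
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        gw = f[1] if "G" in f[3] else None  # only G-flagged rows have a next hop
        routes.append((net, gw, f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None if no route matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def forwarding_path(routes, src, dst):
    """Ingress/egress interface the gateway would use for src -> dst."""
    back, out = lookup(routes, src), lookup(routes, dst)
    return {
        "in_iface": back[2] if back else None,
        "out_iface": out[2] if out else None,
        # on-link: the gateway resolves dst by ARP itself, no next hop
        "dst_on_link": bool(out) and out[1] is None,
        "crosses_segments": bool(back and out) and back[2] != out[2],
    }

if __name__ == "__main__":
    routes = parse_route_n(ROUTE_N)
    # infra -> zarafa, zarafa -> infra, infra -> constructed external address
    for src, dst in [("7.7.1.2", "7.7.2.1"), ("7.7.2.1", "7.7.1.2"),
                     ("7.7.1.2", "192.0.2.10")]:
        print(src, "->", dst, forwarding_path(routes, src, dst))
```

For both guest addresses the table yields a directly connected route (net1 and net2), so a lookup on fw-ext selects the expected egress interface in each direction.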