KVM CentOS 7 host doesn't pass guests traffic but ping each other
Solution 1
I have exactly the same problem. It looks like a bug in the virtio network driver. In order to solve the problem I made the following changes:
On the CentOS 7 KVM host:
- Disable the NetworkManager service on the CentOS 7 host running KVM and enable the old 'network' service.
- Define your GATEWAY in /etc/sysconfig/network and make all necessary changes in /etc/sysconfig/network-scripts/ifcfg-eth0 (or similar). Set IPADDR, NETMASK, etc.
- Change the virtual network driver (through virt-manager) for your guest machines. Set it to 'e1000'.
On your guest:
- Do exactly the same. Disable NetworkManager and enable the network service.
- This change may affect the network interface name, so check the new name with the command 'cat /proc/net/dev' (CentOS guests).
The above worked for me. I spent more than a week finding a solution.
Solution 2
Since you bridged the physical device of your host with the virtual machine (I guess vnet0 and/or vnet1 are the devices used for the VM), you have physical access to the 10.120.0.0/24 network from within your VM.
So you should replace
    GATEWAY="10.120.0.57" (!?)
    DNS1="10.120.0.57"
by
    GATEWAY="10.120.0.1"
    DNS1="10.120.0.1"
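As an added example (not code from either answer), a small Python check that applies the point of Solution 2, and the ifcfg edits Solution 1 asks for, to a guest's ifcfg file: a guest on a host bridge sits directly on the LAN, so its GATEWAY and DNS entries must not point at the KVM host's own bridge address. The sample ifcfg text is constructed from the values quoted in the question; the host bridge IP and LAN router are taken from the question.

```python
"""Sanity-check CentOS ifcfg settings for a guest attached to a host bridge.

Added example, not from the original thread. GUEST_IFCFG is constructed from
the guest eth0 config posted in the question.
"""
import ipaddress
import re

# Constructed sample: the guest's original eth0 config from the question.
GUEST_IFCFG = """
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPADDR="10.120.0.58"
NETMASK="255.255.255.0"
GATEWAY="10.120.0.57"
DNS1="10.120.0.57"
DNS2="8.8.8.8"
"""

HOST_BRIDGE_IP = "10.120.0.57"  # br0 address on the KVM host (from the question)
REAL_GATEWAY = "10.120.0.1"     # the LAN router (from the question)


def parse_ifcfg(text):
    """Parse KEY=value lines, stripping optional quotes; skip comments/blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([A-Z0-9_]+)=("?)(.*?)\2\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(3)
    return cfg


def check_bridged_guest(cfg, host_bridge_ip, real_gateway):
    """Return findings for a bridged guest; an empty list means the config is sane."""
    findings = []
    iface = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    gw = ipaddress.ip_address(cfg.get("GATEWAY", "0.0.0.0"))
    if gw not in iface.network:            # e.g. a typo such as 110.120.0.1
        findings.append(f"GATEWAY {gw} is outside {iface.network}")
    if str(gw) == host_bridge_ip:          # the host's bridge IP is not a router
        findings.append(f"GATEWAY is the KVM host's bridge IP; use {real_gateway}")
    for key in ("DNS1", "DNS2"):           # the host answered 'udp port domain unreachable'
        if cfg.get(key) == host_bridge_ip:
            findings.append(f"{key} points at the KVM host, which runs no resolver")
    return findings


if __name__ == "__main__":
    for f in check_bridged_guest(parse_ifcfg(GUEST_IFCFG), HOST_BRIDGE_IP, REAL_GATEWAY):
        print("WARN:", f)
```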
Tiroue
Updated on September 18, 2022
Comments
Tiroue about 1 year
I have been looking for the answer for a few days, and no configuration I try gets the networking working.
I have CentOS 7 (10.120.0.57) with KVM installed on it. I created a simple guest VM (10.120.0.58), also CentOS 7, but I have a problem with the network on the guest. The host can access the internet, and it can ping the guest machine. The guest can ping the host as well, but when it pings some other IP it gets: Destination Unreachable. I disabled firewalld and SELinux on both machines in advance to eliminate problems.
My host's bridge should pass traffic because I set in /etc/sysctl.conf (!!!):
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.proxy_arp = 1
On the host, in tcpdump I can see the ICMP packets from the guest, but only one way (requests, no replies), when I try to ping the real gateway of the network (10.120.0.1):
    IP 10.120.0.58 > gateway: ICMP echo request, id 3716, seq 1, length 64
    IP 10.120.0.58 > gateway: ICMP echo request, id 3716, seq 2, length 64
If I ping e.g. google.com from the guest (tcpdump from the host):
    IP localhost.localdomain > 10.120.0.58: ICMP localhost.localdomain udp port domain unreachable, length 64
    IP localhost.localdomain > 10.120.0.58: ICMP localhost.localdomain udp port domain unreachable, length 64
But of course ping works between the guest (10.120.0.58) and the host (10.120.0.57):
    10.120.0.58 > localhost.localdomain: ICMP echo request, id 3719, seq 8, length 64
    localhost.localdomain > 10.120.0.58: ICMP echo reply, id 3719, seq 8, length 64
Could someone enlighten me as to what is wrong with my host/guest configuration?
HOST: ifconfig -a:
    br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.120.0.57 netmask 255.255.255.0 broadcast 10.120.0.255
            inet6 fe80::20c:29ff:fed5:14fa prefixlen 64 scopeid 0x20<link>
            ether 00:0c:29:d5:14:fa txqueuelen 1000 (Ethernet)
            RX packets 74849 bytes 6444652 (6.1 MiB)
            RX errors 0 dropped 100 overruns 0 frame 0
            TX packets 1033 bytes 88046 (85.9 KiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    eno16780032: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
            inet6 fe80::20c:29ff:fed5:14fa prefixlen 64 scopeid 0x20<link>
            ether 00:0c:29:d5:14:fa txqueuelen 1000 (Ethernet)
            RX packets 2975 bytes 239252 (233.6 KiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 164 bytes 23286 (22.7 KiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
            inet 127.0.0.1 netmask 255.0.0.0
            inet6 ::1 prefixlen 128 scopeid 0x10<host>
            loop txqueuelen 1 (Local Loopback)
            RX packets 6 bytes 644 (644.0 B)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 6 bytes 644 (644.0 B)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
            inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
            ether 52:54:00:9f:de:66 txqueuelen 1000 (Ethernet)
            RX packets 0 bytes 0 (0.0 B)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 0 bytes 0 (0.0 B)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    virbr0-nic: flags=4098<BROADCAST,MULTICAST> mtu 1500
            ether 52:54:00:9f:de:66 txqueuelen 1000 (Ethernet)
            RX packets 0 bytes 0 (0.0 B)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 0 bytes 0 (0.0 B)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            ether fe:54:00:7f:c5:c5 txqueuelen 1000 (Ethernet)
            RX packets 0 bytes 0 (0.0 B)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 0 bytes 0 (0.0 B)
            TX errors 0 dropped 5885 overruns 0 carrier 0 collisions 0

    vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            ether fe:54:00:b0:3d:40 txqueuelen 1000 (Ethernet)
            RX packets 420 bytes 34697 (33.8 KiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 111762 bytes 9374955 (8.9 MiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br0 configuration:
    DEVICE=br0
    BOOTPROTO=static
    TYPE=Bridge
    ONBOOT=yes
    IPADDR="10.120.0.57"
    NETMASK="255.255.255.0"
    #GATEWAY="10.120.0.1"
    #DNS1="10.120.0.1"
    #DNS2="8.8.8.8"
    STP=yes
    DELAY=0
    NM_CONTROLLED=no
eno16780032 configuration:
    TYPE="Ethernet"
    #NAME="eno16780032"
    #UUID="4fc9740c-536a-4330-aab4-bdef7489582f"
    DEVICE="eno16780032"
    ONBOOT="yes"
    NM_CONTROLLED=no
    BRIDGE=br0
bridge:
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.000c29d514fa       yes             eno16780032
                                                            vnet0
                                                            vnet1
    virbr0          8000.5254009fde66       yes             virbr0-nic
Host's /etc/sysconfig/network:
    # Created by anaconda
    NETWORKING=yes
    GATEWAY=10.120.0.1
Guest eth0 configuration:
    DEVICE=eth0
    NAME=eth0
    TYPE=Ethernet
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR="10.120.0.58"
    NETMASK="255.255.255.0"
    GATEWAY="10.120.0.57" (!?)
    DNS1="10.120.0.57"
    DNS2="8.8.8.8"
Thank you in advance for taking a look.
EDIT
I added the iptables output from the host:
    [root@localhost ~]# iptables -L -v -n -t nat
    Chain PREROUTING (policy ACCEPT 59 packets, 4981 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 34 packets, 3619 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 2 packets, 103 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 2 packets, 103 bytes)
     pkts bytes target     prot opt in     out     source               destination
iptables from the guest:
    [root@localhost ~]# iptables -L -v -n -t nat
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
Tracepath from the guest (10.120.0.58) to 8.8.8.8:
     1?: [LOCALHOST]                                         pmtu 1500
     1:  10.120.0.58                                       3012.516ms !H
         Resume: pmtu 1500
EDIT2
I added the iptables -L -v -n results. From the host:
    [root@localhost ~]# iptables -L -v -n
    Chain INPUT (policy ACCEPT 162K packets, 17M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 8 packets, 476 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 3894 packets, 309K bytes)
     pkts bytes target     prot opt in     out     source               destination
From the guest:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
Mikhail Khirgiy almost 7 years: Please show the iptables rules via the command 'iptables -L -v -n -t nat'.
Tiroue almost 7 years:
    [root@localhost ~]# iptables -L -v -n -t nat
    Chain PREROUTING (policy ACCEPT 59 packets, 4981 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 34 packets, 3619 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 2 packets, 103 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 2 packets, 103 bytes)
     pkts bytes target     prot opt in     out     source               destination
Mikhail Khirgiy almost 7 years: Please show the iptables rules without the nat table via the command 'iptables -L -v -n'. Post the output as an update to your question.
Mikhail Khirgiy almost 7 years: And what does the command 'sysctl net.ipv4.ip_forward' show?
Tiroue almost 7 years: Unfortunately: net.ipv4.ip_forward = 1
Mikhail Khirgiy almost 7 years: Change the gateway to 10.120.0.1 on the guest and the DNS server to 8.8.8.8. Then run 'traceroute 8.8.8.8' on the host and guest systems. And what about iptables?
Tiroue almost 7 years: I changed the gateway (no results), changed DNS, and edited my first post where I've added the result. What about iptables? (I attached it as well.)
Mikhail Khirgiy almost 7 years: Again: 'iptables -L -v -n', without the nat table.
Tiroue almost 7 years: I added it inside the first post. Thank you for investigating.
Mikhail Khirgiy almost 7 years: OK. iptables doesn't block anything, and traffic must be forwarded. Then show the IP routes on the host server and check that the IP address 10.120.0.58 isn't already in use, as described at superuser.com/questions/48446/…. Before checking for the IP address duplication issue, shut down your virtual machine.
Tiroue almost 7 years: @MikhailKhirgiy the routes from the host look like this:
    10.120.0.0/24 dev br0 proto kernel scope link src 10.120.0.57
    169.254.0.0/16 dev br0 scope link metric 1003
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
And I checked for duplicates; there are none. Only one response on both IPs (host: 10.120.0.57, guest: 10.120.0.58), with different MACs. Is there any possible way to check why the host doesn't pass through the guest's traffic?
Mikhail Khirgiy almost 7 years: I think the problem is outside of the host server. Check the router and switch configurations.
Tiroue almost 7 years: I think it is not a problem with the network devices. I should probably mention that the KVM host is itself a virtual machine (a VM on VMware ESXi). I'm wondering whether it would work if there were a single server with KVM as the host.
Tiroue almost 7 years: Unfortunately, I changed to this configuration (I had it before) and still cannot ping 10.120.0.1; I see only the requests on the bridge, not the replies. I cannot resolve IPs either.