KVM guest cannot connect to host, but works vice versa
It turns out that you are using the same IP address for the host side of the bridge as for the guest. (It's impossible to see this from your question as you used `xx.xx` to hide part of the IP addresses; it only came out in one of the comments.)
The bridge IP address is used by the host. When a physical interface such as `eth0` is added to a bridge, it must not have an IP address and should be set to promiscuous mode so that it can receive traffic for any of the IP addresses within the bridge.
The guest IP address for a bridge is defined within the guest itself as for a normal `eth0` type situation.
In the same way that two devices on a network must have different IP addresses, the guest and host must have different IP addresses. To restate this explicitly: you MUST NOT have the same IP address for host and guest.
I'm impressed that your host and guest can communicate at all with this configuration; I wonder whether, when your host thought it was communicating with your guest, it was actually communicating with itself.
Here is a cut-down example, based on the configuration from my home network (I'm not at work right now):
Host (192.168.1.253/24)

```
$ brctl show brINT
bridge name     bridge id               STP enabled     interfaces
brINT           8000.009c029758d6       no              eth1
                                                        vnet1
$ ip addr show dev brINT
5: brINT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:9c:02:97:58:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.253/24 brd 192.168.1.255 scope global brINT
$ ip addr show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master brINT state UP qlen 1000
    link/ether 00:9c:02:97:58:d6 brd ff:ff:ff:ff:ff:ff
```

Guest (192.168.1.15/24)

```
$ ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:3c:75:33 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.15/24 brd 192.168.1.255 scope global eth0
```
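Added example (not part of the original answer): a POSIX shell check for the two mistakes described above, a guest reusing a host address and a bridge port carrying its own IP. It reads `ip -o -4 addr show` output captured on each side; the function name `find_bridge_conflicts` and the trimmed sample text, built from the addresses in the answer, are constructed for this illustration.

```shell
#!/bin/sh
# find_bridge_conflicts HOST_ADDRS GUEST_ADDRS "PORT1 PORT2 ..."
#   HOST_ADDRS / GUEST_ADDRS: text of `ip -o -4 addr show` from each machine
#   PORTS: interfaces enslaved to the bridge (the "interfaces" column of brctl show)
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
find_bridge_conflicts() {
    host_addrs=$1 guest_addrs=$2 ports=$3
    findings=$(
        {
            # Tag each line with its origin so one awk pass can compare both sides.
            printf '%s\n' "$host_addrs"  | sed 's/^/H /'
            printf '%s\n' "$guest_addrs" | sed 's/^/G /'
        } | awk -v ports="$ports" '
            BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) is_port[p[i]] = 1 }
            $4 != "inet" { next }                 # skip blank or non-IPv4 lines
            { split($5, a, "/"); ip = a[1]; dev = $3 }
            ip ~ /^127\./ { next }                # loopback legitimately exists on both
            $1 == "H" {
                host_dev[ip] = dev
                # A bridge port should carry no address; the bridge device holds it.
                if (dev in is_port) print "PORT_HAS_IP " dev " " ip
            }
            $1 == "G" && (ip in host_dev) {
                print "DUPLICATE_IP " ip " host:" host_dev[ip] " guest:" dev
            }'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input (trimmed `ip -o -4 addr show` lines).
HOST_OK='1: lo    inet 127.0.0.1/8 scope host lo
5: brINT    inet 192.168.1.253/24 brd 192.168.1.255 scope global brINT'
GUEST_OK='2: eth0    inet 192.168.1.15/24 brd 192.168.1.255 scope global eth0'
# Same mistake as in the question: the guest configured with the bridge address.
GUEST_BAD='2: eth0    inet 192.168.1.253/24 brd 192.168.1.255 scope global eth0'

find_bridge_conflicts "$HOST_OK" "$GUEST_OK"  "eth1 vnet1" && echo "ok: no conflicts"
find_bridge_conflicts "$HOST_OK" "$GUEST_BAD" "eth1 vnet1" || echo "conflict found"
```
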
geruetzel
Updated on September 18, 2022
Comments
-
geruetzel almost 2 years
I have Debian 7 on my host machine and I run a KVM VM on it.
My host's network configuration is this (the relevant parts):

```
br0       Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:11
          inet addr:77.244.244.123  Bcast:77.244.245.239  Mask:255.255.255.248
          inet6 addr: fe80::6ab5:99ff:feae:8f11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:762056 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:44471912 (42.4 MiB)  TX bytes:690 (690.0 B)

eth1      Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2329129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:156844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2035457148 (1.8 GiB)  TX bytes:15978289 (15.2 MiB)
          Memory:ef060000-ef07ffff
```
My host's interface for internet access:
```
eth0      Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:10
          inet addr:146.255.255.123  Bcast:146.255.62.175  Mask:255.255.255.240
          inet6 addr: 2a02:1b8:10:68:6ab5:99ff:feae:8f10/64 Scope:Global
          inet6 addr: fe80::6ab5:99ff:feae:8f10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19692653 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46873952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3070321406 (2.8 GiB)  TX bytes:44921402181 (41.8 GiB)
          Memory:ef000000-ef01ffff
```
My host uses eth0 as Interface for internet connection, my KVM guest OS uses `br0`, which includes `eth1`. The `eth0` interface is intentionally not part of the bridge.
Additional info on the bridge:

```
bridge name     bridge id               STP enabled     interfaces
br0             8000.68b599ae8f11       no              eth1
                                                        vnet0
```
My host can reach the guest over the network, but my guest cannot connect to the host machine. I am sure I am missing something very simple but I could not find an answer anywhere.
Just to give as much information as possible, here is also my guest's interface config:

```
eth0      Link encap:Ethernet  HWaddr 52:54:00:02:98:b7
          inet addr:77.244.244.123  Bcast:77.244.245.239  Mask:255.255.255.248
          inet6 addr: fe80::5054:ff:fe02:98b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26969 errors:0 dropped:22761 overruns:0 frame:0
          TX packets:2344 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2019925 (1.9 MiB)  TX bytes:331567 (323.7 KiB)
```
My host has the following iptables rules (which should be completely irrelevant to the guest/host communication with each other in my opinion):
```
G-NET // root@net:/home/geruetzel# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
```
I would appreciate any help you can give me - thanks in advance!
-
GioMac over 8 years
Did you check the firewall configuration on the host? :)
-
geruetzel over 8 years
@GioMac: The host does not have any firewall rules set.
-
GioMac over 8 years
I'm very sure it does. Did you check `iptables -L`?
-
geruetzel over 8 years
It does, but I do not think that these rules are relevant in my case. I have updated my question with the iptables output.
-
roaima over 8 years
Is `eth0` part of `br0`? If so, `eth0` should be in PROMISC mode without an IP address.
-
geruetzel over 8 years
@roaima, no, eth0 is only used by my host machine. br0 is only for the guest VM. Maybe it is a routing problem?
-
roaima over 8 years
@geruetzel you say your guest cannot connect to the host. What about with `ping`? You are trying to reach the host with the `br0` IP address and not the `eth0` address, aren't you?
-
geruetzel over 8 years
@roaima no, actually I tried `eth0`'s IP address. `br0`'s IP address is the guest's IP. How would that even work? Maybe I misunderstand the function of a bridge?
-
Eric Renouf over 8 years
I suspect you're misunderstanding the bridge purpose. In general, a bridge is a way to "join" a bunch of interfaces so they'll be able to act like they're connected to the same piece of wire. So traditionally, if you're using a bridge with KVM you'd have a tap device for the guest and a physical device for the host together in a bridge (though of course you don't have to have a physical device be part of the bridge if you don't want to have external connectivity directly).
-
Eric Renouf over 8 years
In the case you're describing, the guest has no address in common with the host, so would need a route to find it, but I'm betting it also has no gateway, since there isn't any other host with an address in its collision domain, so it cannot get to anyone else because it doesn't know how to find a neighbor to talk to who can route for it. If you added another address to `eth0` in the same network space as the guest it would probably be able to find it, I suspect.
-
geruetzel over 8 years
@EricRenouf I updated the question post since I forgot to mention that actually `eth1` is the interface that is included in `br0`.
-
geruetzel over 8 years
I actually forgot to mention that my host has `eth1` as physical interface for `br0` - I updated the question post.
-
roaima over 8 years
@geruetzel this is your problem. You must not use the same IP address for your host as for your guest. Please (re-)read my answer.
-
geruetzel over 8 years
I know, I am not supposed to do this here, but thank you very much, I feel stupid and enlightened at the same time now :) Yes, I used the same IP, that was the problem. Now that I have assigned my guest another IP from the same net, I can also ping my host's `eth0` IP which was exactly what I wanted!