KVM guest is unable to access the internet

I have a Debian host that has several allocated IPs and KVM with a Debian guest using a bridged network. The guest is completely unable to reach the network, including the LAN or even the host. Pinging the host from the guest produces a Destination Host Unreachable error. If I try to ping the guest from the host, I get a response from the host itself instead of from the guest.

Host's /etc/network/interfaces

# The loopback network interface
auto lo

auto eth1

iface lo inet loopback

allow-hotplug eth1
iface eth1 inet static
        address 108.xxx.xxx.130
        netmask 255.255.255.248
        network 108.xxx.xxx.128
        broadcast 108.xxx.xxx.135
        gateway 108.xxx.xxx.129
        dns-nameservers 127.0.0.1 208.167.225.22 64.237.42.82
        dns-domain example.com
        # dns-* options are implemented by the resolvconf package, if installed

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address 108.xxx.xxx.132
        netmask 255.255.255.248
        bridge_ports eth0
        bridge_stp on
        bridge_fd 0
        bridge_maxwait 0

Host's bridges:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.bc5ff43b621c       yes             eth0
                                                        vnet0
virbr0          8000.000000000000       yes

Host's KVM networks:

# virsh net-list --all
Name                 State      Autostart
-----------------------------------------
br0                  active     yes       
default              active     yes

br0 network config:

<network>
  <name>br0</name>
  <uuid>cc78c850-b182-11e4-ab27-0800200c9a66</uuid>
  <forward mode='bridge'/>
  <bridge name='br0' />
  <mac address='52:54:00:43:58:77'/>
</network>

VM's interface settings:

<interface type='bridge'>
  <mac address='52:54:00:ea:c0:83'/>
  <source bridge='br0'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

Host's sysctl

# sysctl -p /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Host's iptables:

# iptables -vnL
Chain INPUT (policy ACCEPT 16 packets, 3436 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 9 packets, 832 bytes)
 pkts bytes target     prot opt in     out     source               destination

Guest's network settings:

auto eth0
iface eth0 inet static
        address 108.xxx.xxx.132
        netmask 255.255.255.248
        gateway 108.xxx.xxx.129

---

Edit (after making host and guest IPs different as per shodanshok's answer)

Host's ifconfig:

# ifconfig
br0       Link encap:Ethernet  HWaddr bc:5f:f4:3b:62:1c  
          inet addr:108.xxx.xxx.132  Bcast:108.xxx.xxx.135  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2584 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:594801 (580.8 KiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr bc:5f:f4:3b:62:1c  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21817 errors:0 dropped:0 overruns:0 frame:0
          TX packets:493 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5806951 (5.5 MiB)  TX bytes:38774 (37.8 KiB)
          Interrupt:20 Memory:f7d00000-f7d20000 

eth1      Link encap:Ethernet  HWaddr 68:05:ca:05:f2:1e  
          inet addr:108.xxx.xxx.130  Bcast:108.xxx.xxx.135  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84560 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9419446 (8.9 MiB)  TX bytes:157587628 (150.2 MiB)
          Interrupt:16 Memory:f7cc0000-f7ce0000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:13361 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13361 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3897517 (3.7 MiB)  TX bytes:3897517 (3.7 MiB)

virbr0    Link encap:Ethernet  HWaddr 3e:14:8f:80:03:75  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:ea:c0:83  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:956 (956.0 B)  TX bytes:583780 (570.0 KiB)

Guest's ifconfig:

Those lines are added automatically when restarting the libvirt services. I have edited my question to make that a bit clearer. Removing those entries didn't fix the problem.

@Mike. Host interfaces file is using eth1. Bridge is using eth0.

I've got two NICs, eth0 and eth1. eth1 is for the host's connection to the internet and eth0 is for the bridge.

I tried and it didn't work either. Pinging the host from the guest or vice versa just produces Destination Host Unreachable.

Can you output ifconfig output on both host and guest?

@mike that's fine if that's really what you want, but how are you routing between them? With a VM having an external ip address you would almost always put it on the external interface.

Both NICs are "external". If I remove the bridge on eth0 and configure it normally (with a static IP), I get a ping reply when pinging the IP I give it.

I've added it to my question.

@mike, unfortunately I now can't check here, but I have a little feeling that the host eth0 interface for your bridge should be in promiscuous mode. Does your upstream expect two different NICs? If you put a host static address on eth0, are you saying it can be pinged from elsewhere?

I tried putting eth0 in promiscuous mode and it didn't seem to change anything. The server is a dedicated server and the host provider put 2 NICs on it by default, so I am assuming they expect there to be 2 there. And yes, I can ping a static address on eth0 from elsewhere when it is configured with a static address.

Mmm... It seems ok. Can you try to disable rp_filtering on host side? It makes any difference?

I just tried that too and it didn't do anything.

Try to bring down eth1 on Host (ifconfig eth1 down) and retry to ping the guest/host.

Good thinking, however it didn't work either...