KVM network bridge: Can't access VM from outside

5,050

Ok, so it turns out the host is actually configured correctly, it was the Windows firewall blocking connections despite the network being marked as private. (Jesus H. Christ, Windows, really?)

5,050

kralyk

Updated on September 18, 2022

Comments

kralyk over 1 year

I have a host machine runing Debian stable and a KVM virtual machine running Windows on that host. I have a networking bridge setup for the VM but I'm unable to reach the VM (ping, connect,...) from either the host machine or other machines on the same network. The VM on the other hand can access machines on the netwrok as well as the internet, it's only the outside-to-VM direction that doesn't work.

/etc/network/interfaces:

auto lo
iface lo inet loopback

iface enp5s0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports    enp5s0
    bridge_stp      on
    bridge_maxwait  0
    bridge_fd       0

ifconfig:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.24.10.10  netmask 255.255.0.0  broadcast 10.24.255.255
        inet6 fe80::1276:44ff:fe93:e5d5  prefixlen 64  scopeid 0x20<link>
        ether 10:76:44:93:e5:d5  txqueuelen 1000  (Ethernet)
        RX packets 134578  bytes 6829887 (6.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1998  bytes 13852642 (13.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 10:7b:44:93:e9:d5  txqueuelen 1000  (Ethernet)
        RX packets 136408  bytes 9378239 (8.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11162  bytes 14598770 (13.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xefc00000-efc1ffff  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 4  bytes 246 (246.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 246 (246.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fee0:fa4  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:e0:0f:a4  txqueuelen 1000  (Ethernet)
        RX packets 786  bytes 196127 (191.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130674  bytes 8943783 (8.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

VM network config:

<interface type='bridge'>
  <mac address='52:54:00:e0:0f:a4'/>
  <source bridge='br0'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.24.255.254   0.0.0.0         UG    0      0        0 br0
10.24.0.0       0.0.0.0         255.255.0.0     U     0      0        0 br0

sysctl -n net.ipv4.ip_forward:

The br_netfilter modules is not loaded.

Inside the VM, the virtio-net driver seems to be working correctly and the adapter does recive an IP from the DHCP. It can ping/connect to the host but the host can't ping the VM's IP nor establish a TCP connection to it.

Any idea what could be the problem?