One host, two virtual machines that cannot ping each other. How to solve


It is rather obvious the machines are communicating in bridge mode, as you can ping the host and both VMs from outside the KVM environment.

Your problem is the anti-spoofing protection in the kernel, which drops packets with a destination other than the IP address of the host.

For runtime, do this in the command line of the host server:

 sudo sysctl -w net.ipv4.conf.default.rp_filter=0
 sudo sysctl -w net.ipv4.conf.all.rp_filter=0

For it to survive booting, add the following lines to /etc/sysctl.conf:

 net.ipv4.conf.default.rp_filter=0
 net.ipv4.conf.all.rp_filter=0

From the comments on /etc/sysctl.conf (slightly changed):

rp_filter: enables Spoof protection (reverse-path filter).

Source Address Verification in all interfaces to prevent some spoofing attacks


Author by

Abhijeet Kasurde


Updated on September 18, 2022

Comments

  • Abhijeet Kasurde over 1 year

    We have Virtual Machines operating within the KVM environment. We set up one as a dev server running Apache etc., and the other as a Windows development environment.

    The two environments are set up and running fine. However, they cannot ping each other. I am wondering if there is a clear solution to this.

    This is what is happening.

    From Host:

      Cannot ping either of 2 VM's (one `Linux`, one `Windows`)
    

    From Either of the VM's:

      Cannot ping host
      Cannot ping each other
    

    From other network machines (for instance my laptop from within my company network)

      Successfully ping host at 192.168.0.64
      Successfully ping VM1 (Linux) 192.168.0.43
      Successfully ping VM2 (Windows) 192.168.0.84
    
    • Admin over 10 years
      Do you have more information of the network configuration of your virtual machines? Are you entirely sure that when your other network machines ping your VMs, they're not pinging some other random machine on the network? (e.g. can you actually hit the apache server with a browser?).
    • Admin about 10 years
      I think it might be your bridge. The kernel's iptables will block your machine from talking to itself unless you: echo "1" > /proc/sys/net/ipv4/ip_forward ; Possibly, anyway.
    • Admin about 10 years
      What command do you use to boot the VMs?
    • Admin over 9 years
      Do you have other machines in the same network (which does not reside in the same host)? Are these machines able to ping those machines?
    • Admin over 8 years
      Do you use a macvtap (wiki.libvirt.org/page/…) interface for the guest?
    • Admin over 8 years
      What is the interface type you have specified for the VMs' network interfaces? Assuming it is 'bridge', have you connected the vnetx interfaces on the host to a single bridge on host? Please provide the xml file you are using to create the vms.
  • Rui F Ribeiro about 7 years
    I know the question is old...
  • Rui F Ribeiro about 7 years
    It is possible to hide computers from ICMP pings. You either disable the functionality in the kernel, or create firewall rules to block it. I have Xen and bhyve hosts in bridge mode, and they work well.