
I have a physical server at Hetzner with two assigned public IPs in different /27 ranges. One is for the server itself and the other is for one VM inside it. The host is running CentOS 8 and libvirt.

I've created the virtual machine with a macvtap interface bound to my physical adapter and I changed the guest network configuration to use the second public IP. The result is that my guest can never connect to the outside.

What I've observed with tcpdump is that, although the guest ARP requests reach the gateway, the response is not delivered to the guest.

At the physical interface I see this:

[root@server ~]# tcpdump -i enp8s0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:03:48.207364 ARP, Request who-has static.88-198-19-129.clients.your-server.de tell static.88.198.19.139.clients.your-server.de, length 28
14:03:48.207868 ARP, Reply static.88-198-19-129.clients.your-server.de is-at 4c:16:fc:c8:e1:24 (oui Unknown), length 46
14:03:49.301192 ARP, Request who-has static.88-198-19-129.clients.your-server.de tell static.88.198.19.139.clients.your-server.de, length 28
14:03:49.301689 ARP, Reply static.88-198-19-129.clients.your-server.de is-at 4c:16:fc:c8:e1:24 (oui Unknown), length 46

But at the macvtap interface I see this:

[root@server ~]# tcpdump -i macvtap0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on macvtap0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:05:32.598221 ARP, Request who-has static.88-198-19-129.clients.your-server.de tell static.88.198.19.139.clients.your-server.de, length 28
14:05:33.207406 ARP, Request who-has static.88-198-19-129.clients.your-server.de tell static.88.198.19.139.clients.your-server.de, length 28

I've tried to change these settings, individually or all together, but I couldn't make it work:

sysctl net.bridge.bridge-nf-call-iptables=0
sysctl net.ipv4.conf.all.proxy_arp=1
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv4.conf.all.arp_filter=1
iptables -P FORWARD ACCEPT
iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

I also tried to set up a bridge for the main connection, having enp8s0 connected to it and connecting the VM to it, but I see the same ARP reply drop.

Can anyone help me please?

nicovell3

1 Answer

After talking with Hetzner support, they pointed me in the right direction. My configuration was OK, but they had an ARP filter for each public IP. Once I configured the custom MAC on the virtual machine's interface, everything started working.

nicovell3
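The fix the answer describes, written out as an added example (not code from the original post): a small POSIX shell script that validates the MAC Hetzner assigned to the additional IP, generates the libvirt `<interface>` definition that pins it on the macvtap device, and prints the virsh and tcpdump commands to apply and verify it. The MAC `00:50:56:00:00:01` and the domain name `guest1` are placeholders; only `enp8s0` and `macvtap0` come from the post. It assumes the MAC is the one Hetzner shows for the additional IP in its Robot panel.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a libvirt macvtap
# interface definition that carries the MAC Hetzner assigned to the
# additional IP, so the provider's per-IP ARP filter lets replies reach
# the guest. VM_NAME and HETZNER_MAC are placeholders; HOST_IF is the
# physical NIC from the post.
set -eu

VM_NAME="${VM_NAME:-guest1}"                     # assumed domain name
HOST_IF="${HOST_IF:-enp8s0}"                     # physical NIC
HETZNER_MAC="${HETZNER_MAC:-00:50:56:00:00:01}"  # placeholder, replace

# valid_mac MAC -> returns 0 if MAC is six colon-separated hex octets and
# unicast (low bit of the first octet clear). A multicast address can never
# be a valid source MAC, so reject it before libvirt does.
valid_mac() {
  mac="$1"
  printf '%s\n' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
  first="${mac%%:*}"
  [ $(( 0x$first & 1 )) -eq 0 ]
}

# iface_xml MAC DEV -> libvirt <interface> element: macvtap (type 'direct')
# in bridge mode on DEV, with the MAC address fixed instead of auto-generated.
iface_xml() {
  cat <<EOF
<interface type='direct'>
  <mac address='$1'/>
  <source dev='$2' mode='bridge'/>
  <model type='virtio'/>
</interface>
EOF
}

# xml_has_mac FILE MAC -> returns 0 if FILE pins exactly that MAC.
xml_has_mac() {
  grep -q "<mac address='$2'/>" "$1"
}

valid_mac "$HETZNER_MAC" || { echo "bad MAC: $HETZNER_MAC" >&2; exit 1; }
OUT="${TMPDIR:-/tmp}/$VM_NAME-iface.xml"
iface_xml "$HETZNER_MAC" "$HOST_IF" > "$OUT"

# The libvirt and tcpdump steps need the host; they are printed, not run.
cat <<EOF
Wrote $OUT. On the host, with the domain shut off:
  virsh attach-device $VM_NAME $OUT --config   # or edit the <interface> via: virsh edit $VM_NAME
  virsh start $VM_NAME
  virsh domiflist $VM_NAME                     # MAC column must show $HETZNER_MAC
  tcpdump -i macvtap0 arp                      # ARP replies should now appear here
EOF
```

In bridge mode the guest's frames leave enp8s0 with this MAC as their source, so the gateway's ARP reply is addressed to a MAC the provider associates with that IP and is no longer filtered. The MAC of an existing interface cannot be changed on a running domain; edit the definition while the guest is shut off, then compare a `tcpdump -i macvtap0 arp` capture against the one in the question, where only requests were visible.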