
I am working on setting up a KVM environment and normally I just take it for granted that the networking has been set up. I am running into difficulty getting the public IPs accessible from the VMs. Node and VM are running CentOS 7.

Here is the current state:

VM: 5.5.5.5 -> IP on physical node: 5.5.5.3 (pingable)
VM: 5.5.5.5 -> Neighbouring physical node: 5.5.5.2 (pingable)
VM: 5.5.5.5 -> Outside IP: 8.8.8.8 (Network Unreachable)
Physical Node: 5.5.5.3 -> VM: 5.5.5.5 (Destination Host Unreachable)
Physical Node: 5.5.5.3 -> Outside: 8.8.8.8 (pingable)
Outside -> Physical Node: 5.5.5.2 (pingable)

I have the 5.5.5.0/28 Range configured on br1 on the physical node which has eth1 bound to it.

The VM has the bridge network added, and notably, arping from both the VM (5.5.5.5) and the Node (5.5.5.3) gets the correct answers as expected.

<interface type='bridge'>
  <mac address='52:54:00:84:e5:e1'/>
  <source bridge='br1'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>

As per the guide from the DC I am working with, on the VM I created /etc/sysconfig/network-scripts/route-eth0 and rule-eth0 files:

# cat route-eth0 
default via 5.5.5.14 dev eth0 table 125

# cat rule-eth0 
from 5.5.5.0/28 table 125

VM Routes:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
5.5.5.0   0.0.0.0         255.255.255.240 U         0 0          0 eth0

Node Routes:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         6.6.6.14        0.0.0.0         UG        0 0          0 br0
6.6.6.0         0.0.0.0         255.255.255.0   U         0 0          0 br0
5.5.5.0         0.0.0.0         255.255.255.240 U         0 0          0 eth1
5.5.5.0         0.0.0.0         255.255.255.240 U         0 0          0 br1
192.168.10.0    0.0.0.0         255.255.254.0   U         0 0          0 eth1
virbr0

Any pointers on what to check or where I may have gone wrong are much appreciated... and just to clarify: no, those are not the real IPs, they are just made up for example's sake.

Thanks in advance.

Marc
  • Also attach "brctl show" output on the host. Is net.ipv4.conf.all.forwarding enabled on the host? Anyhow it seems like what you're trying to achieve is to connect the VM via bridging to an outside network on eth1. Is eth1 part of br1? – ZaphodB Jun 20 '16 at 17:41

1 Answer

Try this sysctl:

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

You need your bridge working as a "switch" without any routing and NATing. And there is no need to set "net.ipv4.conf.all.forwarding" unless you have NATed virtual networks too. Standard libvirt iptables rules work well with NATed connections from the default network to the Internet, but can mess with bridged connections.

Dmitry Ilyin
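Host-side checks for the three points raised in the comment and the answer (is eth1 actually a port of br1, are the bridge-nf hooks pushing bridged frames through iptables, and does the FORWARD chain have anything that would then drop them), written as an added example rather than anything posted in the thread. The bridge and port names br1/eth1 come from the question; the parsers take the text output of `sysctl net.bridge`, `bridge link show` and `iptables -S FORWARD` so the logic can be exercised on the constructed samples embedded below, and `live` runs the real commands on a host. Note that `sysctl net.bridge` reports the keys as missing when br_netfilter is not loaded; in that case the bridge is not being filtered anyway, and the check prints 0.

```shell
#!/bin/sh
# Added diagnostic for a bridged KVM guest. Bridge/port names are assumptions
# taken from the question; override with BRIDGE=... PORT=... in the environment.
BRIDGE="${BRIDGE:-br1}"
PORT="${PORT:-eth1}"

# Print 1 if any net.bridge.bridge-nf-call-{arp,ip,ip6}tables hook is enabled
# in "key = value" text (the format `sysctl net.bridge` prints), else 0.
bridge_nf_active() {
    printf '%s\n' "$1" | awk '
        /^net\.bridge\.bridge-nf-call-(arp|ip|ip6)tables *=/ {
            split($0, kv, "=")
            if (kv[2] + 0 != 0) on = 1
        }
        END { print (on ? 1 : 0) }'
}

# Print 1 if port $2 is enslaved to bridge $1 according to `bridge link show`
# output ("3: eth1: <...> mtu 1500 master br1 state forwarding ..."), else 0.
port_in_bridge() {
    printf '%s\n' "$3" | awk -v b="$1" -v p="$2" '
        $2 == p ":" {
            for (i = 3; i < NF; i++) if ($i == "master" && $(i + 1) == b) found = 1
        }
        END { print (found ? 1 : 0) }'
}

# From `iptables -S FORWARD` output, print the chain policy plus every rule that
# can touch frames on bridge $1: rules naming the bridge with -i/-o, or rules
# with no interface match at all. With bridge-nf-call-iptables=1 bridged
# traffic traverses FORWARD, so these are the rules that matter.
forward_rules_for_bridge() {
    printf '%s\n' "$2" | awk -v b="$1" '
        /^-P FORWARD/ { print; next }
        /^-A FORWARD/ {
            if ($0 ~ ("(^| )-[io] " b "( |$)")) { print; next }
            if ($0 !~ / -[io] /) print   # no -i/-o: applies to every interface
        }'
}

# Print 1 if the policy is not ACCEPT or any applicable rule DROPs/REJECTs.
forward_blocks_bridge() {
    forward_rules_for_bridge "$1" "$2" | awk '
        /^-P FORWARD/ && $3 != "ACCEPT" { bad = 1 }
        /^-A FORWARD/ && / -j (DROP|REJECT)/ { bad = 1 }
        END { print (bad ? 1 : 0) }'
}

# Constructed samples (not captured from the poster's host).
SAMPLE_SYSCTL_ON='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'
SAMPLE_SYSCTL_OFF='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0'
SAMPLE_BRIDGE_LINK='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br1 state forwarding priority 32 cost 4
3: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br1 state forwarding priority 32 cost 100'
# The shape of libvirt's default-network rules: all scoped to virbr0.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_FORWARD_DROP="$(printf '%s\n' "$SAMPLE_FORWARD" | sed 's/^-P FORWARD ACCEPT/-P FORWARD DROP/')"

if [ "${1:-}" = "live" ]; then
    echo "bridge-nf hooks active:   $(bridge_nf_active "$(sysctl net.bridge 2>/dev/null)")"
    echo "$PORT is a port of $BRIDGE: $(port_in_bridge "$BRIDGE" "$PORT" "$(bridge link show)")"
    echo "FORWARD may block $BRIDGE: $(forward_blocks_bridge "$BRIDGE" "$(iptables -S FORWARD)")"
    forward_rules_for_bridge "$BRIDGE" "$(iptables -S FORWARD)"
else
    echo "hooks on sample:  $(bridge_nf_active "$SAMPLE_SYSCTL_ON") / $(bridge_nf_active "$SAMPLE_SYSCTL_OFF")"
    echo "eth1 in br1:      $(port_in_bridge br1 eth1 "$SAMPLE_BRIDGE_LINK")"
    echo "libvirt rules block br1: $(forward_blocks_bridge br1 "$SAMPLE_FORWARD")"
    echo "DROP policy blocks br1:  $(forward_blocks_bridge br1 "$SAMPLE_FORWARD_DROP")"
fi
```

On the constructed libvirt sample the FORWARD check reports 0: those rules all carry `-i virbr0` or `-o virbr0`, so they never match frames on br1 even when bridge-nf-call-iptables is 1. What the check does flag is a non-ACCEPT policy or an interface-less DROP/REJECT, which is what to look for on a host where a firewall manager has tightened FORWARD. If the live run prints 1 for the hooks, the answer's three sysctls apply; to keep them across reboots put the same lines in a file under /etc/sysctl.d/.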