I have been looking for an answer for a few days and have not found any configuration that gets the networking working.

I have CentOS 7 (10.120.0.57) with KVM installed on it. I created a simple guest VM (10.120.0.58), also running CentOS 7, but I have a problem with the network on the guest. The host can access the internet, and it can ping the guest machine. The guest can ping the host as well, but when it pings some other IP it gets: Destination Unreachable. I disabled firewalld and SELinux on both machines in advance to rule them out.

My host's bridge should pass traffic because I set this in /etc/sysctl.conf (!!!)

net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1

On the host, in tcpdump I can see the ICMP packets from the guest, but only one-way requests (no replies), when I try to ping the real gateway of the network (10.120.0.1):

IP 10.120.0.58 > gateway: ICMP echo request, id 3716, seq 1, length 64
IP 10.120.0.58 > gateway: ICMP echo request, id 3716, seq 2, length 64

If I ping e.g. google.com from the guest (tcpdump from the host):

 IP localhost.localdomain > 10.120.0.58: ICMP localhost.localdomain udp port domain unreachable, length 64
 IP localhost.localdomain > 10.120.0.58: ICMP localhost.localdomain udp port domain unreachable, length 64

But of course ping works when I ping Guest (10.120.0.58) <=> Host (10.120.0.57):

10.120.0.58 > localhost.localdomain: ICMP echo request, id 3719, seq 8, length 64
localhost.localdomain > 10.120.0.58: ICMP echo reply, id 3719, seq 8, length 64

Could someone enlighten me as to what is wrong with my host/guest configuration?

HOST: ifconfig -a:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.120.0.57  netmask 255.255.255.0  broadcast 10.120.0.255
        inet6 fe80::20c:29ff:fed5:14fa  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d5:14:fa  txqueuelen 1000  (Ethernet)
        RX packets 74849  bytes 6444652 (6.1 MiB)
        RX errors 0  dropped 100  overruns 0  frame 0
        TX packets 1033  bytes 88046 (85.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno16780032: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::20c:29ff:fed5:14fa  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d5:14:fa  txqueuelen 1000  (Ethernet)
        RX packets 2975  bytes 239252 (233.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 164  bytes 23286 (22.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 6  bytes 644 (644.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 644 (644.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:9f:de:66  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:9f:de:66  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:54:00:7f:c5:c5  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 5885 overruns 0  carrier 0  collisions 0

vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:54:00:b0:3d:40  txqueuelen 1000  (Ethernet)
        RX packets 420  bytes 34697 (33.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 111762  bytes 9374955 (8.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br0 configuration:

DEVICE=br0
BOOTPROTO=static
TYPE=Bridge
ONBOOT=yes
IPADDR="10.120.0.57"
NETMASK="255.255.255.0"
#GATEWAY="10.120.0.1"
#DNS1="10.120.0.1"
#DNS2="8.8.8.8"
STP=yes
DELAY=0
NM_CONTROLLED=no

eno16780032 configuration:

TYPE="Ethernet"
#NAME="eno16780032"
#UUID="4fc9740c-536a-4330-aab4-bdef7489582f"
DEVICE="eno16780032"
ONBOOT="yes"
NM_CONTROLLED=no
BRIDGE=br0

bridge:

bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29d514fa       yes             eno16780032
                                                        vnet0
                                                        vnet1
virbr0          8000.5254009fde66       yes             virbr0-nic

Host's /etc/sysconfig/network:

# Created by anaconda
NETWORKING=yes
GATEWAY=10.120.0.1

Guest eth0 configuration:

DEVICE=eth0
NAME=eth0
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPADDR="10.120.0.58"
NETMASK="255.255.255.0"
GATEWAY="10.120.0.57" (!?)
DNS1="10.120.0.57"
DNS2="8.8.8.8"

Thank you in advance for taking a look.

EDIT

I add the iptables result from the host:

[root@localhost ~]# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 59 packets, 4981 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain INPUT (policy ACCEPT 34 packets, 3619 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 2 packets, 103 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 2 packets, 103 bytes)
 pkts bytes target     prot opt in     out     source               destination

Iptables from the guest:

[root@localhost ~]# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Tracepath from the guest(10.120.0.58) to 8.8.8.8:

 1?: [LOCALHOST]                                         pmtu 1500
 1:  10.120.0.58                                         3012.516ms !H
                   Resume: pmtu 1500

EDIT2

I add iptables -L -v -n results. From Host:

[root@localhost ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 162K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 8 packets, 476 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 3894 packets, 309K bytes)
 pkts bytes target     prot opt in     out     source               destination

From guest:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Tiroue
  • Please show ip tables rules via command `iptables -L -v -n -t nat`. – Mikhail Khirgiy Jan 23 '17 at 05:33
  • [root@localhost ~]# iptables -L -v -n -t nat Chain PREROUTING (policy ACCEPT 59 packets, 4981 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 34 packets, 3619 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 103 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 103 bytes) pkts bytes target prot opt in out source destination – Tiroue Jan 24 '17 at 15:20
  • Please show ip tables rules without nat via command `iptables -L -v -n`. Post the output as an update to your question. – Mikhail Khirgiy Jan 24 '17 at 15:28
  • And what does the command `sysctl net.ipv4.ip_forward` show? – Mikhail Khirgiy Jan 24 '17 at 15:38
  • Unfortunately: net.ipv4.ip_forward = 1 – Tiroue Jan 24 '17 at 15:59
  • Change gateway to 10.120.0.1 on guest and dns server to 8.8.8.8. Then do `traceroute 8.8.8.8` on host and guest systems. And what about iptables? – Mikhail Khirgiy Jan 24 '17 at 18:47
  • I changed the gateway (no results), changed the DNS, and edited my first post, where I've added the result. What about iptables? (I attached it as well) – Tiroue Jan 24 '17 at 19:58
  • Again: `iptables -L -v -n` without nat tables. – Mikhail Khirgiy Jan 24 '17 at 20:40
  • I added it inside the first post. Thank you for investigating. – Tiroue Jan 25 '17 at 08:56
  • Ok. Iptables doesn't block anything and traffic must be forwarded. Then show ip routes on host server and check that ip address 10.120.0.58 isn't used as described at http://superuser.com/questions/48446/how-discover-duplicate-ip-using-ubuntu-is-it-possible-to-have-duplicate-ip. Before checking ip address duplication issue shutdown your virtual machine. – Mikhail Khirgiy Jan 25 '17 at 15:28
  • @MikhailKhirgiy routes from the host look like this: `10.120.0.0/24 dev br0 proto kernel scope link src 10.120.0.57 169.254.0.0/16 dev br0 scope link metric 1003 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1` And I checked for duplicates - there are no duplicates. Only 1 response on both IPs (host: 10.120.0.57, guest: 10.120.0.58) with different MACs. Is there any possible way to check why the host doesn't pass through the guest's traffic? – Tiroue Feb 09 '17 at 08:56
  • I think the problem is outside of the host server. Check router and switch configurations. – Mikhail Khirgiy Feb 09 '17 at 14:16
  • I think it is not a problem with the network devices. Probably I should mention that the KVM host is itself a virtual machine (a VM on VMware ESXi). I'm wondering whether it would work if there were a single server with KVM as the host. – Tiroue Feb 09 '17 at 16:05
  • You can check whether your host is a VM or not by reading this article http://unix.stackexchange.com/questions/89714/easy-way-to-determine-virtualization-technology – Mikhail Khirgiy Feb 09 '17 at 19:30
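
An added example (not part of the original post, comments or answers): a small Python parser for host-side `tcpdump` text in the format quoted in the question. It pairs ICMP echo requests with replies by id and sequence number to list one-way flows, and collects ICMP unreachable errors. The sample capture is constructed from the lines shown in the question, and the function name `analyze` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the host-side capture lines quoted in the question.
CAPTURE = """\
IP 10.120.0.58 > gateway: ICMP echo request, id 3716, seq 1, length 64
IP 10.120.0.58 > gateway: ICMP echo request, id 3716, seq 2, length 64
IP 10.120.0.58 > localhost.localdomain: ICMP echo request, id 3719, seq 8, length 64
IP localhost.localdomain > 10.120.0.58: ICMP echo reply, id 3719, seq 8, length 64
IP localhost.localdomain > 10.120.0.58: ICMP localhost.localdomain udp port domain unreachable, length 64
"""

# search() is used below so lines with a leading timestamp or "IP " prefix also match.
ECHO = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)
UNREACH = re.compile(r"(?P<src>\S+) > (?P<dst>\S+): ICMP (?P<what>.+ unreachable)")


def analyze(text):
    """Return ({(src, dst): [unanswered seqs]}, [(src, dst, error), ...])."""
    pending = {}   # (src, dst, id, seq) -> True while no matching reply was seen
    errors = []
    for line in text.splitlines():
        m = ECHO.search(line)
        if m:
            ident = (int(m["id"]), int(m["seq"]))
            if m["kind"] == "request":
                pending[(m["src"], m["dst"]) + ident] = True
            else:
                # A reply travels dst -> src, so swap endpoints to find its request.
                pending.pop((m["dst"], m["src"]) + ident, None)
            continue
        m = UNREACH.search(line)
        if m:
            errors.append((m["src"], m["dst"], m["what"]))
    unanswered = defaultdict(list)
    for src, dst, _ident, seq in pending:
        unanswered[(src, dst)].append(seq)
    return dict(unanswered), errors


if __name__ == "__main__":
    one_way, errs = analyze(CAPTURE)
    for (src, dst), seqs in one_way.items():
        print(f"no reply seen: {src} -> {dst}, seq {seqs}")
    for src, dst, what in errs:
        print(f"ICMP error from {src} to {dst}: {what}")
```

On the sample, the guest-to-gateway requests stay unanswered while the guest-to-host ping is paired. The `udp port domain unreachable` error is the host rejecting DNS queries sent to it on UDP port 53, which matches the guest's `DNS1="10.120.0.57"` setting.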

2 Answers

Since you bridged the physical device of your host with the virtual machine ( I guess vnet0 and/or vnet1 are the devices that are used for the VM ), you have physical access to the 10.120.0.0/24 network within your VM.
So you should replace

GATEWAY="10.120.0.57" (!?)
DNS1="10.120.0.57"

by

GATEWAY="10.120.0.1"
DNS1="10.120.0.1"
Thomas
  • Unfortunately, I changed to this configuration (I had this before) and still cannot ping 10.120.0.1 - I see only requests on the bridge, not the replies. Cannot resolve IPs as well – Tiroue Jan 22 '17 at 18:59

I have exactly the same problem. It looks like a bug in the virtio network driver. In order to solve the problem I made the following changes:

On Centos 7 - KVM -->

  1. Disable the NetworkManager service on the CentOS 7 machine running KVM and enable the old 'network' service.
  2. Define your GATEWAY in /etc/sysconfig/network and make all necessary changes in /etc/sysconfig/network-scripts/ifcfg-eth0 (or similar). Set IPADDR, NETMASK, etc.
  3. Change the virtual network driver (through virt-manager) for your guest machines. Set it to 'e1000'.

On your Guest -->

  1. Do exactly the same. Disable NetworkManager and enable the network service.
  2. This change may affect the network interface name, so check the new name using the command `cat /proc/net/dev` (CentOS guests).

The above worked for me. I have spent more than a week finding a solution.

LinuxMan