
I have an Ubuntu 16.04 KVM hypervisor behind a Debian-based firewall, and I'm trying to make the guest VMs IP-reachable, preferably matching the subnet I'm using for that collection of machines.

The firewall is hosting a 10.4.0.0/16 network, and successfully NAT'ing and accepting applicable traffic.

The hypervisor is at 10.4.20.250, with the virsh network configuration shown below. Of note, I've extended the netmask to try to separate the clients from the host:

<network>
  <name>default</name>
  <uuid>02b5de1a-cde4-45dd-b8f5-a9fdfa1c6809</uuid>
  <!-- routed mode: the host forwards between virbr0 and its uplink without NAT -->
  <forward mode='route'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:a3:f0:e9'/>
  <!-- 10.4.20.0/25; there is no <dhcp> element, so libvirt offers no DHCP on this network -->
  <ip address='10.4.20.20' netmask='255.255.255.128'>
  </ip>
</network>

The hypervisor (10.4.20.250) also has the following:

# ip r
default via 10.4.0.1 dev enp0s25 onlink 
10.4.0.0/16 dev enp0s25  proto kernel  scope link  src 10.4.20.250 
10.4.20.0/25 dev virbr0  proto kernel  scope link  src 10.4.20.20 
169.254.0.0/16 dev enp0s25  scope link  metric 1000 

# brctl show
bridge name bridge id       STP enabled interfaces
virbr0      8000.fe54009e64d0   yes     vnet0

# ip link show virbr0
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether fe:54:00:9e:64:d0 brd ff:ff:ff:ff:ff:ff

# virsh domiflist myguest
Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet0      bridge     virbr0     virtio      52:54:00:9e:64:d0

The guest ("myguest") at 10.4.20.25 is able to reach the internet at large; it's configured with:

# ip r
default via 10.4.20.20 dev eth0 
10.4.0.0/17 dev eth0  proto kernel  scope link  src 10.4.20.25

From a terminal session connected to the hypervisor (10.4.20.250), I can ping the hypervisor itself, the bridge at 10.4.20.20, the guest at 10.4.20.25, the firewall at 10.4.0.1, and the internet at large.

From the firewall (10.4.0.1) I can ping the hypervisor (10.4.20.250) and the bridge (10.4.20.20), but pings to the client (10.4.20.25) are lost. Similarly, from another machine on the 10.4 network, I can ping the firewall, the hypervisor, and the bridge, but not the client. I have the following rules set:

# ip r
default via 10.4.0.1 dev enp4s0 onlink 
10.4.0.0/16 dev enp4s0 proto kernel scope link src 10.4.2.1 
10.4.20.0/25 via 10.4.20.20 dev enp4s0 
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.242 

Any help on what configuration I might be missing to make my client reachable from remote devices?

Note: I have tried to set the forward mode to 'open', but virsh net-edit gives me the following error: error: unsupported configuration: unknown forwarding type 'open'

Vaibhav Dhoke
Paul O
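As an added example that is not part of the question (and not an answer posted to it), the Python script below transcribes the three `ip r` tables quoted above verbatim and replays the kernel's longest-prefix-match route selection for the addresses mentioned, plus a check for directly connected prefixes on one host that contain each other. `GUEST_NARROWED` is a constructed variant (the guest with a 255.255.255.128 mask) that is not from the question and is used only for comparison. Two things the tables make visible: on the guest, 10.4.0.0/17 covers 10.4.0.1, so the guest treats the firewall as on-link and will ARP for it on eth0 rather than send through 10.4.20.20; on the host at 10.4.2.1, the /25 route is more specific than the connected /16, so traffic to 10.4.20.25 is forwarded to 10.4.20.20. The hypervisor's own table has two overlapping on-link prefixes (10.4.0.0/16 on enp0s25 and 10.4.20.0/25 on virbr0), which the overlap check flags.

```python
"""Replay kernel route selection over the `ip r` tables quoted in the question.

Added example, not part of the question: the tables below are transcribed from
it verbatim; GUEST_NARROWED is a constructed variant used only for comparison.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

HYPERVISOR = """
default via 10.4.0.1 dev enp0s25 onlink
10.4.0.0/16 dev enp0s25  proto kernel  scope link  src 10.4.20.250
10.4.20.0/25 dev virbr0  proto kernel  scope link  src 10.4.20.20
169.254.0.0/16 dev enp0s25  scope link  metric 1000
"""

GUEST = """
default via 10.4.20.20 dev eth0
10.4.0.0/17 dev eth0  proto kernel  scope link  src 10.4.20.25
"""

# Constructed variant (not from the question): same guest, mask 255.255.255.128.
GUEST_NARROWED = """
default via 10.4.20.20 dev eth0
10.4.20.0/25 dev eth0  proto kernel  scope link  src 10.4.20.25
"""

LAN_HOST = """
default via 10.4.0.1 dev enp4s0 onlink
10.4.0.0/16 dev enp4s0 proto kernel scope link src 10.4.2.1
10.4.20.0/25 via 10.4.20.20 dev enp4s0
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.242
"""


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network                # destination; 0.0.0.0/0 for "default"
    dev: str                           # egress interface
    via: Optional[IPv4Address] = None  # None: directly connected (on-link)


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of `ip route` output that appears in the question."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = IPv4Network("0.0.0.0/0") if tok[0] == "default" else IPv4Network(tok[0])
        via = IPv4Address(tok[tok.index("via") + 1]) if "via" in tok else None
        routes.append(Route(prefix, tok[tok.index("dev") + 1], via))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; metrics are ignored because none compete in these tables."""
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(routes: List[Route], dst: str) -> Tuple[str, str]:
    """Return (hop, dev): hop is the gateway, or dst itself when the kernel ARPs for it directly."""
    r = select_route(routes, dst)
    if r is None:
        raise LookupError(f"no route to {dst}")
    return (str(r.via) if r.via is not None else dst), r.dev


def overlapping_connected(routes: List[Route]) -> List[Tuple[Route, Route]]:
    """Pairs of on-link prefixes on different interfaces where one contains the other."""
    conn = [r for r in routes if r.via is None and r.prefix.prefixlen > 0]
    return [(a, b) for i, a in enumerate(conn) for b in conn[i + 1:]
            if a.dev != b.dev and (a.prefix.subnet_of(b.prefix) or b.prefix.subnet_of(a.prefix))]


if __name__ == "__main__":
    for name, table, dsts in (("hypervisor", HYPERVISOR, ["10.4.20.25", "10.4.0.1"]),
                              ("guest", GUEST, ["10.4.0.1", "10.4.2.1", "1.1.1.1"]),
                              ("guest, /25 variant", GUEST_NARROWED, ["10.4.0.1"]),
                              ("host 10.4.2.1", LAN_HOST, ["10.4.20.25", "10.4.20.20"])):
        routes = parse_ip_route(table)
        for d in dsts:
            hop, dev = next_hop(routes, d)
            print(f"{name:20} -> {d:12} next hop {hop:12} via {dev}"
                  + ("  (on-link: resolved by ARP)" if hop == d else ""))
        for a, b in overlapping_connected(routes):
            print(f"{name:20} on-link prefixes overlap: {a.prefix} on {a.dev} vs {b.prefix} on {b.dev}")
```

The script only models the main routing table as quoted; it does not model the local table, policy rules, proxy ARP or any netfilter rules, so it says where each host would send a packet, not whether the packet is later dropped.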

0 Answers