A/ Host (Fedora 33) with Ethernet interface eth0, IP 192.168.18.11/24
and
B1/ KVM guest with interface vnet0 enslaved to virbr101, IP 192.168.101.88/24 (manual routing, static IP)
or
B2/ KVM guest with interface vnet1 enslaved to virbr102, IP 192.168.102.210/24 (virt-manager routing, DHCP)

With the configuration shown below, I seem to be missing a step for it to work. Not sure how to debug my set-up.

What happens is:

  1. From A, I can ping B and ssh into B
  2. From B, I can ping A
  3. From A, I can ping 192.168.18.1
  4. From B, I cannot ping 192.168.18.1, that's what I want to fix at this stage

The difference between B1 and B2 is that if I ping a named server, e.g. google.com, with B1 it says no route to host, with B2 it finds the IP address, but there are no ping replies.

Routed network using nmcli + brctl + nft

On the host, virbr101:

ip link add virbr101-mac address 52:54:41:0b:00:01 type dummy
brctl addif virbr101 virbr101-mac

file ifcfg-virbr101:

DEVICE=virbr101
NAME=virbr101
# Change to 'no' to disable NetworkManager for this interface.
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Bridge
DELAY=2
STP=on

IPADDR=192.168.101.1
NETMASK=255.255.255.0

Activate this interface:

nmcli connection load /etc/sysconfig/network-scripts/ifcfg-virbr101
nmcli connection up virbr101

Enable ip forwarding:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.forwarding=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p

Route the interface with the following nft commands:

delete table ip filter
add table ip filter
# A chain is only traversed when it is attached to a netfilter hook; without the
# hook declaration these chains are regular chains and the rules below never run.
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter FORWARD oifname "virbr101" ip daddr 192.168.101.0/24 counter accept
add rule ip filter FORWARD iifname "virbr101" ip saddr 192.168.101.0/24 counter accept
add rule ip filter FORWARD iifname "virbr101" oifname "virbr101" counter accept
add rule ip filter FORWARD iifname "virbr101" counter reject
add rule ip filter FORWARD oifname "virbr101" counter reject

Routed network using virt-manager

Network:

<network>
  <name>bridged102</name>
  <uuid>2e8d6e42-b70e-43c8-8523-02008070f03c</uuid>
  <forward dev="ens3" mode="route">
    <interface dev="ens3"/>
  </forward>
  <bridge name="virbr0" stp="on" delay="0"/>
  <mac address="52:54:00:42:1d:e4"/>
  <domain name="bridged102"/>
  <ip address="192.168.102.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.102.128" end="192.168.102.254"/>
    </dhcp>
  </ip>
</network>

Guest interface:

<interface type="network">
  <mac address="52:54:00:ee:a6:67"/>
  <source network="bridged102" portid="238df934-14ac-422e-bfbd-a4047a9444fb" bridge="virbr0"/>
  <target dev="vnet1"/>
  <model type="virtio"/>
  <link state="up"/>
  <alias name="net1"/>
  <address type="pci" domain="0x0000" bus="0x00" slot="0x08" function="0x0"/>
</interface>

For the virt-manager solution, I followed this example: libvirt docs // Network XML format // Routed network config

asoundmove
  • Yes, you are right, I mean routing, I'll edit my post. – asoundmove Dec 21 '20 at 12:05
  • Why on earth are you not using libvirt? – Michael Hampton Dec 21 '20 at 15:32
  • Good point. I have now tried setting up a routed network using virt-manager, it produces almost exactly the same results. So like I said earlier, I must be doing something wrong or incorrect and any pointer that helps me correct my mistake would be very welcome, as there is always a piece missing in the whole puzzle. – asoundmove Jan 05 '21 at 22:24

1 Answer

What was missing was routes from the various devices on my LAN back to my VM's NW.

As in:

route add -net 192.168.102.0/24 gw 192.168.18.11
# Or other gateway as appropriate for the device and nw distance
asoundmove
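The answer's point, as an added example that is not part of the question or the answer: a small Python model of the post's routing tables (addresses are from the post; the gateway's upstream next hop 203.0.113.1, the interface names and the forwarding flags are assumptions) that traces the echo request and the reply as separate legs, so the reply from 192.168.18.1 can be seen dying at the gateway until the route from the answer is added.

```python
import ipaddress

# Constructed model of the question's LAN: guest B2, the Fedora host and gateway
# 192.168.18.1 (addresses from the post; upstream hop, devices, flags assumed).
ADDRS = {"B2": {"192.168.102.210"}, "host": {"192.168.18.11", "192.168.102.1"},
         "gw": {"192.168.18.1"}}
FORWARDING = {"B2": False, "host": True, "gw": True}  # net.ipv4.ip_forward
ROUTES = {  # (prefix, next hop or None when on-link, interface)
    "B2":   [("192.168.102.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.102.1", "eth0")],
    "host": [("192.168.18.0/24", None, "eth0"), ("192.168.102.0/24", None, "virbr102"),
             ("0.0.0.0/0", "192.168.18.1", "eth0")],
    "gw":   [("192.168.18.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")],
}
def lookup(table, dst):
    """Longest-prefix match in one table; returns (next_hop, dev) or None."""
    hits = [(ipaddress.ip_network(p).prefixlen, nh, dev) for p, nh, dev in table
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0])[1:] if hits else None
def owner(ip):
    """Node holding this address, or None if it lies outside the modelled LAN."""
    return next((n for n, a in ADDRS.items() if ip in a), None)
def trace(node, dst, routes, max_hops=8):
    """Forward one packet hop by hop from `node` to `dst`; returns (path, outcome)."""
    path = [node]
    for _ in range(max_hops):
        if dst in ADDRS[node]:
            return path, "delivered"
        if len(path) > 1 and not FORWARDING[node]:
            return path, f"dropped: {node} does not forward"
        hit = lookup(routes[node], dst)
        if hit is None:
            return path, f"no route at {node}"
        node = owner(hit[0] or dst)  # an on-link route hands straight to the target
        if node is None:
            return path, f"lost at {path[-1]}: next hop {hit[0]} is off the LAN"
        path.append(node)
    return path, "hop limit exceeded"
def ping(src_ip, dst_ip, routes=ROUTES):
    """Echo request src->dst, then the reply dst->src; both legs must deliver."""
    _, req = trace(owner(src_ip), dst_ip, routes)
    if req != "delivered":
        return f"request {req}"
    _, rep = trace(owner(dst_ip), src_ip, routes)
    return "ok" if rep == "delivered" else f"reply {rep}"
def with_return_route(routes, prefix="192.168.102.0/24", via="192.168.18.11"):
    """The answer's fix on the gateway: route add -net <prefix> gw <via>."""
    fixed = {n: list(t) for n, t in routes.items()}
    fixed["gw"].insert(0, (prefix, via, "lan"))
    return fixed
```

Run against the tables as posted, `ping("192.168.102.210", "192.168.18.1")` reports the request delivered but the reply lost at the gateway, which is item 4 in the question; with `with_return_route(ROUTES)` both legs deliver.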