I have two hosts, which I installed XCP 1.6 on. The machines are hosted at Hetzner.

Each host currently has a public IP and an additional IP assigned. There is a guest on each of the hosts which shall be reachable using an additional failover-ip.

Setup of the "normal" IP worked very well. I configured the guests for the IP and set the MAC of their eth0 to the virtual MAC provided by Hetzner.

The problem now is the failover IP. This IP can dynamically be re-routet between physical servers and will be routet to their physical IP.

As far as I understood it, this means that I have to route the IP to the guest VM, using the host as the gateway (Since Hetzner expects the traffic coming from the hosts MAC).

In the guest, I added the failover-IP like this:

iface eth0:1 inet static
    address xx.xx.4.170
    netmask <= provided by Hetzner
    broadcast xx.xx.4.170 <= provided by Hetzner
    gateway xx.xx.10.214 <= IP of the host

Pinging the host and other systems from the guest using this interface seems to work:

ping -I eth0:1 xx.xx.10.214
PING xx.xx.10.214 (xx.xx.10.214) from xx.xx.10.242 eth0:1: 56(84) bytes of data.
64 bytes from xx.xx.10.214: icmp_req=1 ttl=64 time=0.618 ms
64 bytes from xx.xx.10.214: icmp_req=2 ttl=64 time=0.082 ms
64 bytes from xx.xx.10.214: icmp_req=3 ttl=64 time=0.140 ms
--- xx.xx.10.214 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms

When I try to ssh into the failover ip, I only reach the host system.

Can someone point me to the right steps to route incoming traffic via the failover ip to the guest vm?

  • 45
  • 1
  • 1
  • 6

1 Answers1


The problem was that I added a route to the VM by using route add instead of ip route add.

Works now, additionally, one might have to delete the firewall rules for dropping icmp requests.

  • 45
  • 1
  • 1
  • 6