
I have Debian 7 on my host machine and I run a KVM VM on it.

My host's network configuration is this (the relevant parts):

br0       Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:11  
          inet addr:77.244.244.123  Bcast:77.244.245.239 Mask:255.255.255.248
          inet6 addr: fe80::6ab5:99ff:feae:8f11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:762056 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:44471912 (42.4 MiB)  TX bytes:690 (690.0 B)

eth1      Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:11  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2329129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:156844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2035457148 (1.8 GiB)  TX bytes:15978289 (15.2 MiB)
          Memory:ef060000-ef07ffff 

My host's interface for internet access:

eth0      Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:10  
          inet addr:146.255.255.123  Bcast:146.255.62.175  Mask:255.255.255.240
          inet6 addr: 2a02:1b8:10:68:6ab5:99ff:feae:8f10/64 Scope:Global
          inet6 addr: fe80::6ab5:99ff:feae:8f10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19692653 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46873952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3070321406 (2.8 GiB)  TX bytes:44921402181 (41.8 GiB)
          Memory:ef000000-ef01ffff 

My host uses eth0 as the interface for its internet connection; my KVM guest OS uses br0, which includes eth1. The eth0 interface is intentionally not part of the bridge.

Additional info on the bridge:

bridge name   bridge id          STP enabled  interfaces
br0           8000.68b599ae8f11  no           eth1
                                              vnet0

My host can reach the guest over the network, but my guest cannot connect to the host machine. I am sure I am missing something very simple but I could not find an answer anywhere.

Just to give as much information as possible, here is also my guest's interface config:

eth0      Link encap:Ethernet  HWaddr 52:54:00:02:98:b7  
          inet addr:77.244.244.123  Bcast:77.244.245.239  Mask:255.255.255.248
          inet6 addr: fe80::5054:ff:fe02:98b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26969 errors:0 dropped:22761 overruns:0 frame:0
          TX packets:2344 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2019925 (1.9 MiB)  TX bytes:331567 (323.7 KiB)

My host has the following iptables rules (which, in my opinion, should be completely irrelevant to communication between guest and host):

G-NET // root@net:/home/geruetzel# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68

I would appreciate any help you can give me - thanks in advance!

geruetzel
  • Did you check the firewall configuration on the host? :) – GioMac Dec 11 '15 at 08:43
  • @GioMac: The host does not have any firewall rules set. – geruetzel Dec 11 '15 at 17:41
  • I'm very sure it does. Did you check iptables -L ? – GioMac Dec 12 '15 at 07:28
  • It does, but I do not think that these rules are relevant in my case. I have updated my question with the iptables output. – geruetzel Dec 12 '15 at 14:41
  • Is `eth0` part of `br0`? If so, `eth0` should be in PROMISC mode without an IP address. – roaima Dec 12 '15 at 14:41
  • @roaima, no, eth0 is only used by my host machine. br0 is only for the guest VM. Maybe it is a routing problem? – geruetzel Dec 12 '15 at 14:53
  • @geruetzel you say your guest cannot connect to the host. What about with `ping`? You are trying to reach the host with the `br0` IP address and not the `eth0` address, aren't you? – roaima Dec 12 '15 at 15:04
  • @roaima no, actually I tried `eth0`'s IP address. `br0`'s IP address is the guest's IP. How would that even work? Maybe I misunderstand the function of a bridge? – geruetzel Dec 12 '15 at 15:08
  • I suspect you're misunderstanding the bridge purpose. In general, a bridge is a way to "join" a bunch of interfaces so they'll be able to act like they're connected to the same piece of wire. So traditionally, if you're using a bridge with KVM you'd have a tap device for the guest and a physical device for the host together in a bridge (though of course you don't have to have a physical device be part of the bridge if you don't want to have external connectivity directly) – Eric Renouf Dec 12 '15 at 15:21
  • In the case you're describing, the guest has no address in common with the host, so would need a route to find it, but I'm betting it also has no gateway, since there isn't any other host with an address in its collision domain, so it cannot get to anyone else because it doesn't know how to find a neighbor to talk to who can route for it. If you added another address to `eth0` in the same network space as the guest it would probably be able to find it I suspect – Eric Renouf Dec 12 '15 at 15:23
  • @EricRenouf I updated the question post since I forgot to mention that actually `eth1` is the interface that is included in `br0`. – geruetzel Dec 12 '15 at 15:40

1 Answer

It turns out that you are using the same IP address for the host side of the bridge as for the guest. (It's impossible to see this from your question as you used xx.xx to hide part of the IP addresses; it only came out in one of the comments.)

The bridge IP address is used by the host. When a physical interface such as eth0 is added to a bridge, it must not have an IP address and should be set to promiscuous mode so that it can receive traffic for any of the IP addresses within the bridge.

The guest IP address for a bridge is defined within the guest itself as for a normal eth0 type situation.

In the same way that two devices on a network must have different IP addresses, the guest and host must have different IP addresses. To restate this explicitly: you MUST NOT have the same IP address for host and guest.

I'm impressed that your host and guest can communicate at all with this configuration; I wonder whether, when your host thought it was communicating with your guest, it was actually communicating with itself.
Here is a cut-down example, based on the configuration from my home network (I'm not at work right now):

Host (192.168.1.253/24)

$ brctl show brINT
bridge name     bridge id               STP enabled     interfaces
brINT           8000.009c029758d6       no              eth1
                                                        vnet1

$ ip addr show dev brINT
5: brINT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:9c:02:97:58:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.253/24 brd 192.168.1.255 scope global brINT

$ ip addr show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master brINT state UP qlen 1000
    link/ether 00:9c:02:97:58:d6 brd ff:ff:ff:ff:ff:ff

Guest (192.168.1.15/24)

$ ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:3c:75:33 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.15/24 brd 192.168.1.255 scope global eth0

roaima
  • I actually forgot to mention that my host has `eth1` as the physical interface for `br0` - I updated the question post. – geruetzel Dec 12 '15 at 15:38
  • @geruetzel can you ping from the guest to the host's IP address for `br0`? – roaima Dec 12 '15 at 15:43
  • Yes, that works, but isn't that to be expected? eth0 of my guest has the same IP, so isn't pinging this IP pinging its own eth0 interface? – geruetzel Dec 12 '15 at 15:46
  • @geruetzel this is your problem. You must not use the same IP address for your host as for your guest. Please (re-)read my answer. – roaima Dec 12 '15 at 15:48
  • I know, I am not supposed to do this here, but thank you very much, I feel stupid and enlightened at the same time now :) Yes, I used the same IP, that was the problem. Now that I have assigned my guest another IP from the same net, I can also ping my host's `eth0` IP which was exactly what I wanted! – geruetzel Dec 12 '15 at 15:53
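As an added example (not code from the question or from roaima's answer), here is a POSIX sh check that applies the answer's two rules to `ip -o -4 addr show` output from host and guest: an address used by the guest must not also be in use on the host, and a physical interface enslaved to the bridge must not keep an address of its own. The sample output, the helper names and the bridge port list are constructed from the question's values.

```shell
#!/bin/sh
# Constructed host output (one line per address, as "ip -o -4 addr show" prints it),
# mirroring the question: br0 carries the address the guest also uses, eth0 is the
# host's own uplink, eth1 is a bridge port and has no address.
HOST_ADDRS='2: eth0    inet 146.255.255.123/28 brd 146.255.62.175 scope global eth0
4: br0    inet 77.244.244.123/29 brd 77.244.245.239 scope global br0'
# Constructed guest output: the same address as the host's br0 (the bug in the question).
GUEST_ADDRS='2: eth0    inet 77.244.244.123/29 brd 77.244.245.239 scope global eth0'
# Ports enslaved to br0 as "brctl show" lists them; none of them may carry an address.
BRIDGE_PORTS='eth1 vnet0'

# devices TEXT: list the interface names that have an IPv4 address in TEXT.
devices() {
    printf '%s\n' "$1" | awk '$3 == "inet" { print $2 }' | sort -u
}

# addr_of DEVICE TEXT: print the first IPv4 address (prefix length stripped) on DEVICE.
addr_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '$2 == dev && $3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# check_bridge HOST_TEXT GUEST_TEXT PORTS: print one line per problem found and
# return 1 if there was any, 0 if the configuration is clean.
check_bridge() {
    host=$1 guest=$2 ports=$3 rc=0
    # A guest address must not be in use anywhere on the host, whether on the
    # bridge (the question's case) or on the host's uplink.
    for gdev in $(devices "$guest"); do
        gip=$(addr_of "$gdev" "$guest")
        for hdev in $(devices "$host"); do
            if [ "$(addr_of "$hdev" "$host")" = "$gip" ]; then
                echo "conflict: guest $gdev and host $hdev both use $gip"
                rc=1
            fi
        done
    done
    # A physical interface enslaved to the bridge must not keep its own address;
    # the bridge device itself is where the host's address belongs.
    for port in $ports; do
        pip=$(addr_of "$port" "$host")
        if [ -n "$pip" ]; then
            echo "misconfig: bridge port $port still carries $pip"
            rc=1
        fi
    done
    return $rc
}
```

On a real system, feed it `ip -o -4 addr show` captured on the host and on the guest, and the port list from `brctl show`.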