Hi,



I installed 12.04 on my host and installed a 12.04 guest under
kvm/libvirt. I setup a bridge as described here

https://help.ubuntu.com/12.04/serverguide/network-configuration.html#bridging

but my guest can not reach the internet nor other host within my
local net.



ON THE HOST:

============



~$ ifconfig

br0****** Link encap:Ethernet* HWaddr 00:25:90:57:02:c7

********* inet addr:113.203.209.163* Bcast:213.203.209.191*
Mask:255.255.255.224

********* inet6 addr: fe80::225:90ff:fe57:2c7/64 Scope:Link

********* UP BROADCAST RUNNING MULTICAST* MTU:1500* Metric:1

********* RX packets:5195 errors:0 dropped:0 overruns:0 frame:0

********* TX packets:3643 errors:0 dropped:0 overruns:0 carrier:0

********* collisions:0 txqueuelen:0

********* RX bytes:397189 (397.1 KB)* TX bytes:2499669 (2.4 MB)



eth0***** Link encap:Ethernet* HWaddr 00:25:90:57:02:c7

********* UP BROADCAST RUNNING MULTICAST* MTU:1500* Metric:1

********* RX packets:5417 errors:0 dropped:128 overruns:0 frame:0

********* TX packets:4775 errors:0 dropped:0 overruns:0 carrier:0

********* collisions:0 txqueuelen:1000

********* RX bytes:528691 (528.6 KB)* TX bytes:2591855 (2.5 MB)

********* Interrupt:20 Memory:fba00000-fba20000



lo******* Link encap:Local Loopback

********* inet addr:127.0.0.1* Mask:255.0.0.0

********* inet6 addr: ::1/128 Scope:Host

********* UP LOOPBACK RUNNING* MTU:16436* Metric:1

********* RX packets:5442 errors:0 dropped:0 overruns:0 frame:0

********* TX packets:5442 errors:0 dropped:0 overruns:0 carrier:0

********* collisions:0 txqueuelen:0

********* RX bytes:2484575 (2.4 MB)* TX bytes:2484575 (2.4 MB)



vnet0**** Link encap:Ethernet* HWaddr fe:54:00:d2:d1:73

********* inet6 addr: fe80::fc54:ff:fed2:d173/64 Scope:Link

********* UP BROADCAST RUNNING MULTICAST* MTU:1500* Metric:1

********* RX packets:103 errors:0 dropped:0 overruns:0 frame:0

********* TX packets:875 errors:0 dropped:0 overruns:0 carrier:0

********* collisions:0 txqueuelen:500

********* RX bytes:7882 (7.8 KB)* TX bytes:55858 (55.8 KB)



~$ route -n

Kernel IP routing table

Destination**** Gateway******** Genmask******** Flags Metric
Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0******** UG*** 100***
0******* 0 br0

113.203.209.160 0.0.0.0******** 255.255.255.224 U**** 0*****
0******* 0 br0



:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target**** prot opt source************** destination



Chain FORWARD (policy DROP)

target**** prot opt source************** destination



Chain OUTPUT (policy ACCEPT)

target**** prot opt source************** destination



~$ brctl show

bridge name**** bridge id************** STP enabled**** interfaces

br0************ 8000.0025905702c7****** no************* eth0

************************************************** ***** vnet0



~$ sudo cat /etc/libvirt/qemu/guest.xml

[...]

<interface type='bridge'>

***** <mac address='52:54:00:d2:d1:73'/>

***** <source bridge='br0'/>

***** <model type='virtio'/>

***** <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>

*** </interface>

[...]



ON THE GUEST:

=============

~$ ifconfig

eth0***** Link encap:Ethernet** HWaddr 52:54:00:d2:d1:73

********* inet addr:113.203.209.165* Bcast:213.203.09.191**
Mask:255.255.255.224

[...]



~$ route -n

Kernel IP routing table

Destination**** Gateway******** Genmask******** Flags Metric
Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0******** UG*** 100***
0******* 0 eth0

1213.203.209.160 0.0.0.0******** 255.255.255.224 U**** 0*****
0******* 0 eth0



:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target**** prot opt source************** destination



Chain FORWARD (policy DROP)

target**** prot opt source************** destination



Chain OUTPUT (policy ACCEPT)

target**** prot opt source************** destination



My NET:

=======

host-server: 113.203.209.163

guest: 113.203.209.165

default gateway: 113.203.209.161



From the host-server I can ping all hosts and the internet. But on
the guest I can ping the host (213.203.209.163) but no other host.
(TX packets increases but no RX packets). Any idea?



Best regards,

-Thorsten-














--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

The information you show looks good. What does /etc/resolv.conf on
the guest show? Can you capture traffic using wireshark and see
whether pings from the guest to the outside world make it there?

-serge

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Sorry, my fault. I had a typo. The broadcst is configured correctly:
113.203.209.191



Any other idea?



Am 17.05.2012 00:51, schrieb Paul Schulz:


Chech IP address and broadcast addess on br0. They don't appear
to match.

On May 17, 2012 12:38 AM, "Thorsten
Göllner" <tg@ovm-group.com> wrote:

Hi,



I installed 12.04 on my host and installed a 12.04 guest
under kvm/libvirt. I setup a bridge as described here

https://help.ubuntu.com/12.04/serverguide/network-configuration.html#bridging

but my guest can not reach the internet nor other host
within my local net.



ON THE HOST:

============



~$ ifconfig

br0****** Link encap:Ethernet* HWaddr 00:25:90:57:02:c7

********* inet addr:113.203.209.163*
Bcast:213.203.209.191* Mask:255.255.255.224

********* inet6 addr: fe80::225:90ff:fe57:2c7/64
Scope:Link

********* UP BROADCAST RUNNING MULTICAST* MTU:1500*
Metric:1

********* RX packets:5195 errors:0 dropped:0 overruns:0
frame:0

********* TX packets:3643 errors:0 dropped:0 overruns:0
carrier:0

********* collisions:0 txqueuelen:0

********* RX bytes:397189 (397.1 KB)* TX bytes:2499669
(2.4 MB)



eth0***** Link encap:Ethernet* HWaddr 00:25:90:57:02:c7

********* UP BROADCAST RUNNING MULTICAST* MTU:1500*
Metric:1

********* RX packets:5417 errors:0 dropped:128 overruns:0
frame:0

********* TX packets:4775 errors:0 dropped:0 overruns:0
carrier:0

********* collisions:0 txqueuelen:1000

********* RX bytes:528691 (528.6 KB)* TX bytes:2591855
(2.5 MB)

********* Interrupt:20 Memory:fba00000-fba20000



lo******* Link encap:Local Loopback

********* inet addr:127.0.0.1* Mask:255.0.0.0

********* inet6 addr: ::1/128 Scope:Host

********* UP LOOPBACK RUNNING* MTU:16436* Metric:1

********* RX packets:5442 errors:0 dropped:0 overruns:0
frame:0

********* TX packets:5442 errors:0 dropped:0 overruns:0
carrier:0

********* collisions:0 txqueuelen:0

********* RX bytes:2484575 (2.4 MB)* TX bytes:2484575 (2.4
MB)



vnet0**** Link encap:Ethernet* HWaddr fe:54:00:d2:d1:73

********* inet6 addr: fe80::fc54:ff:fed2:d173/64
Scope:Link

********* UP BROADCAST RUNNING MULTICAST* MTU:1500*
Metric:1

********* RX packets:103 errors:0 dropped:0 overruns:0
frame:0

********* TX packets:875 errors:0 dropped:0 overruns:0
carrier:0

********* collisions:0 txqueuelen:500

********* RX bytes:7882 (7.8 KB)* TX bytes:55858 (55.8 KB)



~$ route -n

Kernel IP routing table

Destination**** Gateway******** Genmask******** Flags
Metric Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0******** UG***
100*** 0******* 0 br0

113.203.209.160 0.0.0.0******** 255.255.255.224 U****
0***** 0******* 0 br0



:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target**** prot opt source************** destination



Chain FORWARD (policy DROP)

target**** prot opt source************** destination



Chain OUTPUT (policy ACCEPT)

target**** prot opt source************** destination



~$ brctl show

bridge name**** bridge id************** STP enabled****
interfaces

br0************ 8000.0025905702c7****** no*************
eth0

************************************************** *****
vnet0



~$ sudo cat /etc/libvirt/qemu/guest.xml

[...]

<interface type='bridge'>

***** <mac address='52:54:00:d2:d1:73'/>

***** <source bridge='br0'/>

***** <model type='virtio'/>

***** <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>

*** </interface>

[...]



ON THE GUEST:

=============

~$ ifconfig

eth0***** Link encap:Ethernet** HWaddr 52:54:00:d2:d1:73

********* inet addr:113.203.209.165*
Bcast:213.203.09.191** Mask:255.255.255.224

[...]



~$ route -n

Kernel IP
routing table

Destination**** Gateway******** Genmask******** Flags
Metric Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0******** UG***
100*** 0******* 0 eth0

1213.203.209.160 0.0.0.0******** 255.255.255.224 U****
0***** 0******* 0 eth0



:~$ sudo
iptables -L

Chain INPUT (policy ACCEPT)

target**** prot opt source************** destination



Chain FORWARD (policy DROP)

target**** prot opt source************** destination



Chain OUTPUT (policy ACCEPT)

target**** prot opt source************** destination



My NET:

=======

host-server: 113.203.209.163

guest: 113.203.209.165

default gateway: 113.203.209.161



From the host-server I can ping all hosts and the internet.
But on the guest I can ping the host (213.203.209.163) but
no other host. (TX packets increases but no RX packets). Any
idea?



Best regards,

-Thorsten-














--

ubuntu-server mailing list

ubuntu-server@lists.ubuntu.com

https://lists.ubuntu.com/mailman/listinfo/ubuntu-server

More info: https://wiki.ubuntu.com/ServerTeam






--
Thorsten Göllner

OVM Office Voice Media GmbH
Herderstrasse 68
40237 Düsseldorf

Tel.: +49(0)211 / 618 57 53
Fax: +49(0)211 / 618 57 54



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Hi,





Am 18.05.2012 10:57, schrieb Thorsten Göllner:


Sorry, my fault. I had a typo. The broadcst is configured
correctly: 113.203.209.191



Any other idea?




yes but may be it is another typo:










ON THE GUEST:

=============

~$ ifconfig

eth0***** Link encap:Ethernet** HWaddr 52:54:00:d2:d1:73

********* inet addr:113.203.209.165*
Bcast:213.203.09.191** Mask:255.255.255.224

[...]



~$ route -n

Kernel IP
routing table

Destination**** Gateway******** Genmask******** Flags
Metric Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0******** UG***
100*** 0******* 0 eth0

1213.203.209.160 0.0.0.0******** 255.255.255.224 U****
0***** 0******* 0 eth0










An IP of 1213.203.209.160
in your default route does not exist in IPv4 ;-). The 1213 is much
too high ;-) and I think the 2 should be deleted. But I also think
your routing is not correct. In my opinion there should be 113.203.209.163(the IP of
your KVM host) instead of 113.203.209.161 and 113.203.209.0
instead* of 1213.203.209.16.

But these are only guesses and it depends on how routing is done in
your data center. (I think you are using Hetzner and Hetzner does
not allow you to use their gateway with other MAC addresses than
your KVM host!)* Maybe it is a typo but may be not because you used
the command "route -n".



If you realy want some help you should post config files! It is
easier to track problems.*





By,

michael



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Yes, it was another typo. Sorry for that.



My kvm host is attached to a switch with another 4 servers in our
rack (it is mesh solution düsseldorf and not hetzner).



I tried the following as suggested by serge: On another server
connected to my switch I started tcpdump. On my guest I started a
ping to the server with tcpdump. I can see, that the ping packet on
the guest starts an arp request. My server (with running tcpdump)
replies to the arp request correctly. In the guest I can see a
correct arp table:



~# arp-n

Address********* HWtype* HWaddress******** Flags* Mask** Iface

113.203.209.161* ether** 00:15:17:0e:6a:a9 C************ eth0

113.203.209.162* ether** 00:22:15:41:13:23 C************ eth0



The first entry is that of my default gateway. The second one is
that of my server running tcpdump.



On the server running tcpdump (server name ist nostradamus2) I can
see that:



# tcpdump host
113.203.209.165

tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes

12:28:19.370690 ARP, Request who-has nostradamus2 tell
165.209.203.113.static.inetbone.net, length 46

12:28:19.370703 ARP, Reply nostradamus2 is-at 00:22:15:41:13:23
(oui Unknown), length 28



So the question sould be: why does the guest not receive the arp
reply from my server?!



Am 18.05.2012 11:52, schrieb Michael Zoet:



Hi,





Am 18.05.2012 10:57, schrieb Thorsten Göllner:


Sorry, my fault. I had a typo. The broadcst is configured
correctly: 113.203.209.191



Any other idea?




yes but may be it is another typo:











ON THE GUEST:

=============

~$ ifconfig

eth0***** Link encap:Ethernet** HWaddr
52:54:00:d2:d1:73

********* inet addr:113.203.209.165*
Bcast:213.203.09.191** Mask:255.255.255.224

[...]



~$ route -n

Kernel IP
routing table

Destination**** Gateway******** Genmask******** Flags
Metric Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0******** UG***
100*** 0******* 0 eth0

1213.203.209.160 0.0.0.0******** 255.255.255.224 U****
0***** 0******* 0 eth0










An IP of 1213.203.209.160
in your default route does not exist in IPv4 ;-). The 1213 is much
too high ;-) and I think the 2 should be deleted. But I also think
your routing is not correct. In my opinion there should be 113.203.209.163(the IP of
your KVM host) instead of 113.203.209.161 and 113.203.209.0
instead* of 1213.203.209.16.

But these are only guesses and it depends on how routing is done
in your data center. (I think you are using Hetzner and Hetzner
does not allow you to use their gateway with other MAC addresses
than your KVM host!)* Maybe it is a typo but may be not because
you used the command "route -n".



If you realy want some help you should post config files! It is
easier to track problems.*





By,

michael









--
Thorsten Göllner

OVM Office Voice Media GmbH
Herderstrasse 68
40237 Düsseldorf

Tel.: +49(0)211 / 618 57 53
Fax: +49(0)211 / 618 57 54



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Ups: I solved it now! On my kvm host the forward chain in iptables
was set to "blocked". Changing it to "accept" solved the problem.



Till this day I though, that the forward chain is only used in
nat-environment. So I will take a deeper look in iptables now.



Am 18.05.2012 12:29, schrieb Thorsten Göllner:


Yes, it was another typo. Sorry for that.



My kvm host is attached to a switch with another 4 servers in our
rack (it is mesh solution düsseldorf and not hetzner).



I tried the following as suggested by serge: On another server
connected to my switch I started tcpdump. On my guest I started a
ping to the server with tcpdump. I can see, that the ping packet
on the guest starts an arp request. My server (with running
tcpdump) replies to the arp request correctly. In the guest I can
see a correct arp table:



~# arp-n

Address********* HWtype* HWaddress******** Flags* Mask** Iface

113.203.209.161* ether** 00:15:17:0e:6a:a9 C************ eth0

113.203.209.162* ether** 00:22:15:41:13:23 C************ eth0



The first entry is that of my default gateway. The second one is
that of my server running tcpdump.



On the server running tcpdump (server name ist nostradamus2) I can
see that:



# tcpdump host
113.203.209.165

tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes

12:28:19.370690 ARP, Request who-has nostradamus2 tell
165.209.203.113.static.inetbone.net, length 46

12:28:19.370703 ARP, Reply nostradamus2 is-at 00:22:15:41:13:23
(oui Unknown), length 28



So the question sould be: why does the guest not receive the arp
reply from my server?!



Am 18.05.2012 11:52, schrieb Michael Zoet:



Hi,





Am 18.05.2012 10:57, schrieb Thorsten Göllner:


Sorry, my fault. I had a typo. The broadcst is configured
correctly: 113.203.209.191



Any other idea?




yes but may be it is another typo:










ON THE GUEST:

=============

~$
ifconfig

eth0***** Link encap:Ethernet** HWaddr
52:54:00:d2:d1:73

********* inet addr:113.203.209.165*
Bcast:213.203.09.191** Mask:255.255.255.224

[...]



~$ route -n

Kernel IP
routing table

Destination**** Gateway******** Genmask********
Flags Metric Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0********
UG*** 100*** 0******* 0 eth0

1213.203.209.160 0.0.0.0******** 255.255.255.224
U**** 0***** 0******* 0 eth0










An IP of 1213.203.209.160
in your default route does not exist in IPv4 ;-). The 1213 is
much too high ;-) and I think the 2 should be deleted. But I
also think your routing is not correct. In my opinion there
should be 113.203.209.163(the
IP of your KVM host) instead of 113.203.209.161 and 113.203.209.0
instead* of 1213.203.209.16.

But these are only guesses and it depends on how routing is done
in your data center. (I think you are using Hetzner and Hetzner
does not allow you to use their gateway with other MAC addresses
than your KVM host!)* Maybe it is a typo but may be not because
you used the command "route -n".



If you realy want some help you should post config files! It is
easier to track problems.*





By,

michael









--
Thorsten Göllner

OVM Office Voice Media GmbH
Herderstrasse 68
40237 Düsseldorf

Tel.: +49(0)211 / 618 57 53
Fax: +49(0)211 / 618 57 54








--
Thorsten Göllner

OVM Office Voice Media GmbH
Herderstrasse 68
40237 Düsseldorf

Tel.: +49(0)211 / 618 57 53
Fax: +49(0)211 / 618 57 54



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

For all people with the same problem:



I am using "arno-iptables-firewall" on the host. To make any guest
"work" you have to open the forward chain for it:



~$ cat
/etc/arno-iptables-firewall/custom-rules

# Put any custom (iptables) rules here down below:

##################################################



# guest

iptables -A FORWARD -i br0 -d 113.203.209.165 -j ACCEPT

iptables -A FORWARD -o br0 -s 113.203.209.165 -j ACCEPT



Where 113.203.209.165 is the ip number of the guest of course. Keep
in mind, that you have to tell arno-iptables-firewall, that the
external interface on the host is "br0" and not "eth0". On the guest
the external interface is "eth0".



-Thorsten-



Am 18.05.2012 12:37, schrieb Thorsten Göllner:


Ups: I solved it now! On my kvm host the forward chain in iptables
was set to "blocked". Changing it to "accept" solved the problem.



Till this day I though, that the forward chain is only used in
nat-environment. So I will take a deeper look in iptables now.



Am 18.05.2012 12:29, schrieb Thorsten Göllner:


Yes, it was another typo. Sorry for that.



My kvm host is attached to a switch with another 4 servers in
our rack (it is mesh solution düsseldorf and not hetzner).



I tried the following as suggested by serge: On another server
connected to my switch I started tcpdump. On my guest I started
a ping to the server with tcpdump. I can see, that the ping
packet on the guest starts an arp request. My server (with
running tcpdump) replies to the arp request correctly. In the
guest I can see a correct arp table:



~# arp-n

Address********* HWtype* HWaddress******** Flags* Mask** Iface

113.203.209.161* ether** 00:15:17:0e:6a:a9 C************ eth0

113.203.209.162* ether** 00:22:15:41:13:23 C************ eth0



The first entry is that of my default gateway. The second one is
that of my server running tcpdump.



On the server running tcpdump (server name ist nostradamus2) I
can see that:



# tcpdump host
113.203.209.165

tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes

12:28:19.370690 ARP, Request who-has nostradamus2 tell
165.209.203.113.static.inetbone.net, length 46

12:28:19.370703 ARP, Reply nostradamus2 is-at
00:22:15:41:13:23 (oui Unknown), length 28



So the question sould be: why does the guest not receive the arp
reply from my server?!



Am 18.05.2012 11:52, schrieb Michael Zoet:



Hi,





Am 18.05.2012 10:57, schrieb Thorsten Göllner:


Sorry, my fault. I had a typo. The broadcst is configured
correctly: 113.203.209.191



Any other idea?




yes but may be it is another typo:










ON THE GUEST:

=============

~$
ifconfig

eth0***** Link encap:Ethernet** HWaddr
52:54:00:d2:d1:73

********* inet addr:113.203.209.165*
Bcast:213.203.09.191** Mask:255.255.255.224

[...]



~$ route -n

Kernel
IP routing table

Destination**** Gateway******** Genmask********
Flags Metric Ref*** Use Iface

0.0.0.0******** 113.203.209.161 0.0.0.0********
UG*** 100*** 0******* 0 eth0

1213.203.209.160 0.0.0.0******** 255.255.255.224
U**** 0***** 0******* 0 eth0










An IP of 1213.203.209.160
in your default route does not exist in IPv4 ;-). The 1213 is
much too high ;-) and I think the 2 should be deleted. But I
also think your routing is not correct. In my opinion there
should be 113.203.209.163(the

IP of your KVM host) instead of 113.203.209.161 and 113.203.209.0
instead* of 1213.203.209.16.

But these are only guesses and it depends on how routing is
done in your data center. (I think you are using Hetzner and
Hetzner does not allow you to use their gateway with other MAC
addresses than your KVM host!)* Maybe it is a typo but may be
not because you used the command "route -n".



If you realy want some help you should post config files! It
is easier to track problems.*





By,

michael









--
Thorsten Göllner

OVM Office Voice Media GmbH
Herderstrasse 68
40237 Düsseldorf

Tel.: +49(0)211 / 618 57 53
Fax: +49(0)211 / 618 57 54








--
Thorsten Göllner

OVM Office Voice Media GmbH
Herderstrasse 68
40237 Düsseldorf

Tel.: +49(0)211 / 618 57 53
Fax: +49(0)211 / 618 57 54








--
Thorsten Göllner

OVM Office Voice Media GmbH
Herderstrasse 68
40237 Düsseldorf

Tel.: +49(0)211 / 618 57 53
Fax: +49(0)211 / 618 57 54



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam