LinuxQuestions.org


mario21 12-26-2018 04:35 PM

Linux KVM not accessible outside LAN
 
Hello,
We have 2 KVM hosts (hypervisors). On the first host (KVM 1) a pfSense firewall is currently running; on the second host (KVM 2) there are 2 VMs running: a Linux mailserver and a Windows 2012 server. For accessing the LAN from outside we use OpenVPN configured on the pfSense firewall. The situation is as follows: when I connect to the LAN via OpenVPN, I can successfully connect to/ping PCs on the LAN, I can connect to all VMs running on both hosts (on KVM 1 and 2), and I can access the KVM 1 host, but I CANNOT access/ping KVM 2, where the mailserver and Windows 2012 server are installed. When I try to ping the KVM 2 host, sometimes I get a response but most of the time not. If I try to ping or access KVM 2 directly from the LAN there is no problem. As I'm new to Linux and KVM I have no idea what the problem can be. The most annoying thing is that ping sometimes also works via OpenVPN. Do you have any idea what I should check to resolve my problem? I did not find anything in the firewall log.
Thank you very much.

berndbausch 12-28-2018 01:36 AM

I will assume that the VMs are on the same LAN as the hosts. Correct me if not.

I also understand that you have connectivity to any physical and virtual machines from any physical and virtual machine. You also have connectivity to any physical and virtual machine via the VPN, except for host KVM2.

The VPN goes through the pfsense VM.

To be honest, I only have one weak idea, but would like to offer a few thoughts.

I doubt this has anything to do with KVM. You just can't reach that host, with or without KVM.
If you can occasionally reach a network device, one possible cause is another device on the same network with the same IP address.
To understand better what's going on, I would trace network traffic. I don't know what tracing options there are in pfsense. You can, however, trace the packets that leave and enter pfsense on KVM1. For that, you have to know to which network interface the pfsense VM is connected:
Code:

# virsh list
# virsh domiflist NAME_OR_NUMBER_OF_PFSENSE_VM
Interface  Type      Source    Model      MAC
-------------------------------------------------------
vnet0      bridge    br1        rtl8139    52:54:00:e0:46:6c

In the above example, the interface is vnet0. Alternatively, you can also trace the bridge, br1, but I don't know how your VMs are connected. Also note the MAC address; you will need it.

Run tcpdump on KVM1. Parameters are the interface vnet0 and the filter. Options are -n (print addresses as numbers rather than domain names), -e (print Ethernet headers), -i (interface). I don't remember the purpose of -l :)
Then you filter for ARP and ICMP (ping) packets where one of the parties has the above MAC address:
Code:

# tcpdump -neli vnet0 "(arp or icmp) and ether host 52:54:00:e0:46:6c"

Then ping KVM2 from outside and look at the traffic. It's particularly interesting to see the MAC address of the device that responds to the ARP. Is it KVM2? Is it something else? Is it nothing?

Not sure if this helps you solve the problem, but the investment is not too heavy I would think.

