I will assume that the VMs are on the same LAN as the hosts. Correct me if not.
I also understand that you have connectivity to any physical and virtual machines from any physical and virtual machine. You also have connectivity to any physical and virtual machine via the VPN, except for host KVM2.
The VPN goes through the pfsense VM.
To be honest, I only have one weak idea, but would like to offer a few thoughts.
I doubt this has anything to do with KVM. You just can't reach that host, with or without KVM.
If you can occasionally reach a network device, one possible cause is another device on the same network with the same IP address.
To understand better what's going on, I would trace network traffic. I don't know what tracing options there are in pfsense. You can, however, trace the packets that leave and enter pfsense on KVM1. For that, you have to know to which network interface the pfsense VM is connected:
Code:
# virsh list
# virsh domiflist NAME_OR_NUMBER_OF_PFSENSE_VM
Interface  Type    Source  Model    MAC
-------------------------------------------------------
vnet0      bridge  br1     rtl8139  52:54:00:e0:46:6c
In the above example, the interface is vnet0. Alternatively, you can also trace the bridge, br1, but I don't know how your VMs are connected. Also note the MAC address; you will need it.
Run tcpdump on KVM1. Parameters are the interface vnet0 and the filter. Options are -n (print addresses as numbers rather than domain names), -e (print Ethernet headers), -i (interface). I don't remember the purpose of -l.
Then you filter for ARP and ICMP (ping) packets where one of the parties has the above MAC address:
Code:
# tcpdump -neli vnet0 "(arp or icmp) and ether host 52:54:00:e0:46:6c"
Then ping KVM2 from outside and look at the traffic. It's particularly interesting to see the MAC address of the device that responds to the ARP. Is it KVM2? Is it something else? Is it nothing?
Not sure if this helps you solve the problem, but the investment is not too heavy I would think.
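To make the "who answered the ARP?" check from the post easier to read on a longer capture, here is an added helper (my own example, not part of the post above) that parses the ARP lines tcpdump prints with -n -e and reports, per IP, which MACs claimed it and which requests got no answer at all. The pfsense MAC 52:54:00:e0:46:6c is taken from the post; the IP addresses and the other MACs in the embedded sample capture are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the ARP lines tcpdump prints with -n -e: "<ts> <src mac> > <dst mac>, ethertype ARP (0x0806), length N: Request/Reply ..."
ARP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP \(0x0806\), "
    r"length \d+: (?:Request who-has (?P<asked>[\d.]+) tell (?P<asker>[\d.]+)"
    r"|Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17}))"
)

def parse_arp_line(line):
    """Return ('request', target_ip, src_mac) or ('reply', ip, claimed_mac); None for non-ARP lines (e.g. ICMP)."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    if m.group("asked"):
        return ("request", m.group("asked"), m.group("src"))
    return ("reply", m.group("ip"), m.group("mac"))

def analyze_arp(lines):
    """Per IP: the set of MACs that answered for it; plus IPs that were asked for but never answered.
    More than one MAC for the same IP is the duplicate-address situation described in the post."""
    answered = defaultdict(set)
    asked = set()
    for line in lines:
        parsed = parse_arp_line(line)
        if parsed is None:
            continue
        kind, ip, mac = parsed
        if kind == "request":
            asked.add(ip)
        else:
            answered[ip].add(mac)
    return {
        "answered": {ip: sorted(macs) for ip, macs in answered.items()},
        "unanswered": sorted(asked - set(answered)),
        "conflicts": {ip: sorted(macs) for ip, macs in answered.items() if len(macs) > 1},
    }

# Constructed sample of tcpdump -ne output: two different MACs answer for 192.168.1.20, nobody answers for .30.
SAMPLE_CAPTURE = [
    "10:00:00.000100 52:54:00:e0:46:6c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.20 tell 192.168.1.1, length 28",
    "10:00:00.000400 52:54:00:11:22:33 > 52:54:00:e0:46:6c, ethertype ARP (0x0806), length 60: Reply 192.168.1.20 is-at 52:54:00:11:22:33, length 46",
    "10:00:00.000900 00:11:22:33:44:55 > 52:54:00:e0:46:6c, ethertype ARP (0x0806), length 60: Reply 192.168.1.20 is-at 00:11:22:33:44:55, length 46",
    "10:00:00.001200 52:54:00:e0:46:6c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.30 tell 192.168.1.1, length 28",
    "10:00:00.002000 52:54:00:e0:46:6c > 52:54:00:11:22:33, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 192.168.1.20: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    # Real use: tcpdump -neli vnet0 "arp or icmp" | python3 this_script.py, reading sys.stdin instead of SAMPLE_CAPTURE.
    print(analyze_arp(SAMPLE_CAPTURE))
```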