Routing issue with two subnets

Eniax
Posts: 6
Joined: 2018/07/12 00:59:42

Routing issue with two subnets

Post by Eniax » 2018/07/20 17:25:18

I've got a CentOS host, configured with /etc/sysctl.conf set up for ipv4 forwarding.

I've also got 3 VMs. Two live in the 122.xx VLAN, and a third in the 100.xx VLAN.

Either of the two in the 122 can ping, ssh, whatever, to the machine in the 100, and its gateway (the host).

But the 100.xx machine cannot. It can ping the 122.1 gateway (also the host) but it cannot hit any of the machines within it.

icmp_seq=1 Destination Port Unreachable.

If I try to connect with ssh, it will just say connection refused, despite having the firewall configured to both accept ssh and have 192.168.100.0/24 set up as a source IP.

Do I need to set up a static route or a bridge somewhere? Not sure what to check if it's working in one direction and not the other.

Thanks.

hunter86_bg
Posts: 1361
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Routing issue with two subnets

Post by hunter86_bg » 2018/07/21 03:50:18

Have you enabled masquerading ?

Eniax
Posts: 6
Joined: 2018/07/12 00:59:42

Re: Routing issue with two subnets

Post by Eniax » 2018/07/27 21:50:47

hunter86_bg wrote (2018/07/21 03:50:18):
> Have you enabled masquerading ?

Where? On the host? (which acts as the gateway for both machines)

hunter86_bg
Posts: 1361
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Routing issue with two subnets

Post by hunter86_bg » 2018/07/30 04:05:12

Yes? The gateway should have masquerading on.

jlehtone
Posts: 2005
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Routing issue with two subnets

Post by jlehtone » 2018/07/30 06:41:04

Host and VMs. With libvirt, presumably.

The "virtual" LAN, where the VMs connect, is a software bridge on the host.
The LAN could be:
*) isolated
*) bridged
*) routed
*) routed with NAT
to other subnet(s) of the host. The "Default network" that libvirt creates is routed with NAT.

The host should have connection to three subnets (unless you use "bridged"):
1) 122
2) 100
3) physical LAN

For members of 122 and 100 subnets the DHCP, DNS, and default (and only) router are the host.

When 122.x pings 100.y, it must route via 122.host, but it does not need to SNAT the packet to-source 100.host, because the 100.y sends replies to its default gateway (100.host) anyway.
Hence masquerade does not seem relevant to the issue; host should be the router for both subnets and obviously should know the route to both subnets.


Config on each VM should be essentially the same: default route (aka gateway) is the host's IP address on the VM's link-local subnet.
Routes are IMHO easy to see on Linux with:

    ip ro

It is the configuration of the host that is more of interest.
To show virtual LANs created by libvirt:

    sudo virsh net-list

For each network name:

    sudo virsh net-dumpxml name

NAT is implemented with kernel iptables rules. Furthermore, iptables filter rules dictate what packets are allowed.
Do you use firewalld.service or iptables.service to configure firewall rules?


"ssh to VM fails"
Be more specific. Is it ssh from host to VM?
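The two diagnostic steps above (read each network's `virsh net-dumpxml`, then look at the iptables filter rules) can be put together in one model. The script below is an added example and is not code from the thread or from libvirt: the two network XML documents are constructed stand-ins for `sudo virsh net-dumpxml` output (names `default` and `lab100`, bridges `virbr0`/`virbr1`, subnets 192.168.122.0/24 and 192.168.100.0/24 are assumptions), and the FORWARD rule template is modelled on the per-network rules libvirt installs for a NAT network (accept replies back into the bridge, accept anything leaving the bridge with the network's own source address, reject the rest with icmp-port-unreachable) rather than read from a live host. The order in which the two blocks sit in the chain is also an assumption; on a real host confirm it with `iptables -S FORWARD`. The point it shows: with two NAT networks, whichever block is evaluated first rejects new connections arriving from the other bridge, so connectivity works in exactly one direction and the rejected side sees "Destination Port Unreachable", which is what ping prints for the REJECT target's ICMP reply.

```python
"""Model of how libvirt-style per-network FORWARD rules treat traffic between
two NAT networks on one host. Everything here is constructed: the network XML
stands in for `virsh net-dumpxml` output and the rule template is modelled on
libvirt's default NAT rules rather than read from a live iptables chain."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-ins for `sudo virsh net-dumpxml <name>` on the two networks.
NET_XML = [
    """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>""",
    """<network>
  <name>lab100</name>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'/>
</network>""",
]


def parse_network(xml_text):
    """Pull name, bridge, forward mode and subnet out of libvirt network XML.
    No <forward> element means the network is isolated; a <forward> element
    without a mode attribute defaults to nat."""
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    ip = root.find("ip")
    subnet = ipaddress.ip_network(
        f"{ip.get('address')}/{ip.get('netmask')}", strict=False)
    return {"name": root.findtext("name"), "bridge": root.find("bridge").get("name"),
            "mode": mode, "subnet": subnet}


def nat_forward_block(net):
    """FORWARD rules for one NAT network, in chain order (modelled template)."""
    s, b = net["subnet"], net["bridge"]
    return [
        ({"dst": s, "oif": b, "established": True}, "ACCEPT"),  # replies back in
        ({"src": s, "iif": b}, "ACCEPT"),                       # anything going out
        ({"iif": b, "oif": b}, "ACCEPT"),                       # bridge-local traffic
        ({"oif": b}, "REJECT icmp-port-unreachable"),           # everything else in
        ({"iif": b}, "REJECT icmp-port-unreachable"),           # everything else out
    ]


def build_chain(nets, order):
    """Concatenate per-network blocks; `order` lists network names top-first.
    Assumption: the block of the network started last sits on top of the chain."""
    by_name = {n["name"]: n for n in nets}
    chain = []
    for name in order:
        chain.extend(nat_forward_block(by_name[name]))
    return chain


def matches(match, pkt):
    """A rule matches when every field it names agrees with the packet."""
    for key, want in match.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in want:
                return False
        elif pkt[key] != want:
            return False
    return True


def forward_verdict(chain, pkt):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for match, target in chain:
        if matches(match, pkt):
            return target
    return "POLICY"


def make_packet(nets, src, dst, established=False):
    """Derive ingress/egress bridges from the subnets the host routes."""
    def bridge_for(addr):
        for n in nets:
            if ipaddress.ip_address(addr) in n["subnet"]:
                return n["bridge"]
        raise ValueError(f"no libvirt network for {addr}")
    return {"src": src, "dst": dst, "iif": bridge_for(src),
            "oif": bridge_for(dst), "established": established}


def check_both_directions(order):
    """Verdicts for a new connection each way, plus the reply to the working one."""
    nets = [parse_network(x) for x in NET_XML]
    chain = build_chain(nets, order)
    a, b = "192.168.122.10", "192.168.100.10"   # constructed VM addresses
    return {
        "122->100 new": forward_verdict(chain, make_packet(nets, a, b)),
        "100->122 reply": forward_verdict(chain, make_packet(nets, b, a, True)),
        "100->122 new": forward_verdict(chain, make_packet(nets, b, a)),
    }


if __name__ == "__main__":
    for order in (["default", "lab100"], ["lab100", "default"]):
        print(order, check_both_directions(order))
```

With the `default` block on top, new connections from 122 to 100 are accepted and their replies pass on the conntrack rule, while a new connection from 100 to 122 hits `-o virbr0 -j REJECT` and gets the port-unreachable answer the original post reports; swapping the block order flips which direction works. The fix belongs in the host's filter rules (an explicit forwarding rule between the two bridges), not in masquerading, which matches the reasoning in the post above.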
