
Routing issue with two subnets

Posted: 2018/07/20 17:25:18
by Eniax
I've got a CentOS host, configured with /etc/sysctl.conf set up for ipv4 forwarding.

I've also got 3 VMs. Two live in the 122.xx VLAN, and a third in the 100.xx VLAN.

Either of the two in the 122 can ping, ssh, whatever, to the machine in the 100, and its gateway (the host).

But the 100.xx machine cannot. It can ping the 122.1 gateway (also the host) but it cannot hit any of the machines within it.

icmp_seq=1 Destination Port Unreachable.

If I try to connect with ssh, it will just say connection refused, despite having the firewall configured to both accept ssh and have 192.168.100.0/24 set up as a source IP.

Do I need to set up a static route or a bridge somewhere? Not sure what to check if it's working in one direction and not the other.

Thanks.

Re: Routing issue with two subnets

Posted: 2018/07/21 03:50:18
by hunter86_bg
Have you enabled masquerading?

Re: Routing issue with two subnets

Posted: 2018/07/27 21:50:47
by Eniax
hunter86_bg wrote (2018/07/21 03:50:18):
> Have you enabled masquerading?
Where? On the host? (which acts as the gateway for both machines)

Re: Routing issue with two subnets

Posted: 2018/07/30 04:05:12
by hunter86_bg
Yes? The gateway should have masquerading on.

Re: Routing issue with two subnets

Posted: 2018/07/30 06:41:04
by jlehtone
Host and VMs. With libvirt, presumably.

The "virtual" LAN, where the VMs connect, is a software bridge on the host.
The LAN could be:
*) isolated
*) bridged
*) routed
*) routed with NAT
to other subnet(s) of the host. The "Default network" that libvirt creates is routed with NAT.

The host should have connection to three subnets (unless you use "bridged"):
1) 122
2) 100
3) physical LAN

For members of 122 and 100 subnets the DHCP, DNS, and default (and only) router are the host.

When 122.x pings 100.y, it must route via 122.host, but it does not need to SNAT the packet to-source 100.host, because 100.y sends replies to its default gateway (100.host) anyway.
Hence masquerade does not seem relevant to the issue; host should be the router for both subnets and obviously should know the route to both subnets.


Config on each VM should be essentially the same: default route (aka gateway) is the host's IP address on the VM's link-local subnet.
Routes are IMHO easy to see on Linux with:

Code:

    ip ro
It is the configuration of the host that is more of interest.
To show the virtual LANs created by libvirt:

Code:

    sudo virsh net-list
For each network name:

Code:

    sudo virsh net-dumpxml name
NAT is implemented with kernel iptables rules. Furthermore, iptables filter rules dictate what packets are allowed.
Do you use firewalld.service or iptables.service to configure firewall rules?


"ssh to VM fails"
Be more specific. Is it ssh from host to VM?
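As an added example (not code from the thread or from libvirt), here is a Python checker for the two things jlehtone asks to look at: it classifies each network from the XML that `virsh net-dumpxml` prints (isolated / bridged / routed / NAT, from the `<forward mode>` element) and checks, from `ip ro` output, that the host has a route to each VM subnet via that network's bridge. The network XML, the network name `lab100`, and the routing table are constructed samples, not the poster's configuration.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample of what `sudo virsh net-dumpxml <name>` prints for two
# networks: libvirt's default NAT network and a hypothetical routed one.
SAMPLE_NETWORKS = {
    "default": """<network><name>default</name>
  <forward mode='nat'/><bridge name='virbr0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp></ip>
</network>""",
    "lab100": """<network><name>lab100</name>
  <forward mode='route'/><bridge name='virbr1'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'/>
</network>""",
}
# Constructed sample of `ip ro` output on the host.
SAMPLE_IP_RO = """default via 10.0.0.1 dev eth0 proto static metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.100.0/24 dev virbr1 proto kernel scope link src 192.168.100.1"""

def parse_network(xml_text):
    """(mode, bridge, gateway_ip, subnet) for one libvirt network; no <forward>
    element means isolated, <forward> without a mode attribute means NAT."""
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    ip = root.find("ip")
    iface = ipaddress.ip_interface(f"{ip.get('address')}/{ip.get('netmask')}")
    return mode, root.find("bridge").get("name"), str(iface.ip), str(iface.network)

def parse_routes(ip_ro_text):
    """Map each destination prefix in `ip ro` output to its outgoing device."""
    routes = {}
    for fields in (line.split() for line in ip_ro_text.splitlines()):
        if "dev" in fields:
            routes[fields[0]] = fields[fields.index("dev") + 1]
    return routes

def check_host(networks, ip_ro_text):
    """Per network: mode, and whether the host routes the VM subnet out of that
    network's bridge, which a router for both subnets must do."""
    routes = parse_routes(ip_ro_text)
    report = {}
    for name, xml_text in networks.items():
        mode, bridge, gw, subnet = parse_network(xml_text)
        report[name] = {"mode": mode, "bridge": bridge, "gateway": gw,
                        "subnet": subnet, "routed": routes.get(subnet) == bridge}
    return report
```

On a real host, feed it the output of `sudo virsh net-dumpxml <name>` for every name from `sudo virsh net-list` and of `ip ro`; a network whose `routed` flag is False is one the host cannot forward packets into regardless of firewall rules.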