Configuring static routes for VMs

Issues related to configuring your network
Post Reply
Eniax
Posts: 6
Joined: 2018/07/12 00:59:42

Configuring static routes for VMs

Post by Eniax » 2018/08/28 21:23:51

I feel like this may be trivial, but i've never been able to get it working properly.

I've got a CentOS 7 VM host at 192.168.0.9. It serves up the subnet 192.168.122.0/24. Ip forwarding has been set up on this host.

If I shut off firewalld on 192.168.0.9, it goes through no problem.

Code: Select all

net.ipv4.ip_forward = 1

I've got another machine on my network at 192.168.0.3 which is a real machine that can ping and ssh into the 0.9 machine. I've added a static route to my 0.3 machine as follows:

Code: Select all

ip route add 192.168.122.0/24 via 192.168.0.9 dev enp5s0

Which allows me to ping the 192.168.122.1 IP.

However, I cannot access any of the machines that are beneath this subnet.

Code: Select all

sudo traceroute 192.168.122.142

traceroute to 192.168.122.142 (192.168.122.142), 30 hops max, 60 byte packets

1 192.168.0.9 (192.168.0.9) 0.166 ms 0.155 ms 0.313 ms

2 192.168.0.9 (192.168.0.9) 0.306 ms 0.300 ms 0.296 ms

Code: Select all

ssh 192.168.122.142

ssh: connect to host 192.168.122.142 port 22: Connection refused

Code: Select all

ping 192.168.122.142

PING 192.168.122.142 (192.168.122.142) 56(84) bytes of data.

From 192.168.0.9 icmp_seq=1 Destination Port Unreachable

From 192.168.0.9 icmp_seq=2 Destination Port Unreachable

I've also added the following to the 122.142 VM:

Code: Select all

ip route add 192.168.0.0/24 via 192.168.122.1
Which didn't change anything and I don't think was needed.

I'm able to ssh FROM the 122.142 VM to the machines in the 0.0/24 subnet, but not the other way around.

hunter86_bg
Posts: 1422
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Configuring static routes for VMs

Post by hunter86_bg » 2018/08/29 03:30:41

Are you using KVM?
If so, you need a 'routed' virtual network in order to access the VMs, as the default uses NAT (which is unaccessible from the outside).

Eniax
Posts: 6
Joined: 2018/07/12 00:59:42

Re: Configuring static routes for VMs

Post by Eniax » 2018/08/29 16:29:41

hunter86_bg wrote: ↑
2018/08/28 20:30:41
Are you using KVM?
If so, you need a 'routed' virtual network in order to access the VMs, as the default uses NAT (which is unaccessible from the outside).
Yes, using KVM and yes, i'm using the default of NAT.

I was reviewing the below link and content, assuming this would work for me if i just added routes and allowed traffic through the host, but no luck. What would I need to change on the virtual network in order to allow this? Created a bridge like described below?

https://wiki.libvirt.org/page/Networkin ... vice.22.29

hunter86_bg
Posts: 1422
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Configuring static routes for VMs

Post by hunter86_bg » 2018/08/29 18:54:56

Either set a bridge that will not be controlled by libvirt or you can define a network of type 'routed' (which requires static routes like the ones in your earlier post).
In my case I'm using routed network and a static route on my gateway .

The graph indicates the routed network and its drawbacks. The bridgge approach is way better, but is not always available.

Edit: When considering whether to use routed network, keep in mind that all traffic towards the routed network is being processsed by the host's netfilter ( iptable/firewalld rules are having effect not only on the host, but also the guests).

User avatar
jlehtone
Posts: 2018
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configuring static routes for VMs

Post by jlehtone » 2018/08/30 09:14:04

Eniax wrote:
2018/08/29 16:29:41
I was reviewing the below link and content, assuming this would work for me if i just added routes and allowed traffic through the host, but no luck. What would I need to change on the virtual network in order to allow this? Created a bridge like described below?
I hope you know the typical home network setup:

Code: Select all

WAN===Router-with-NAT===LAN===PC
The WAN and LAN are separate subnets.
From WAN viewpoint the LAN does not exists; there is only a device with one public IP address (the router).
Physically, the LAN is just cables (or wireless) from Router to PC.
Most Routers have integrated 4-port switch. Lets draw a more physical picture:

Code: Select all

WAN===Router-with-NAT===switch===PC(s)
Lets remove the NAT:

Code: Select all

Foo===WAN===Router===switch===PC(s)
Now a member Foo of WAN can connect to IP of PC, if
1. If Foo knows that "to PC via WAN-IP of Router" (static route)
2. Router's firewall allows new connections from WAN to LAN

Home routers default to allow from LAN to WAN and deny from WAN to LAN.
PC knows how to reach Foo, for its default route is "via LAN-IP of Router"

Lets get radical and remove the Router:

Code: Select all

WAN===switch===PC(s)
There is no LAN. Every PC has IP address in the WAN subnet.


Now to VMs.
A switch is a bridge. A software bridge is a virtual switch.

The host can have a bridge defined and have IP address on it. Guests can link to the bridge. It is still the:

Code: Select all

WAN===host/bridge===VM(s)
Your every VM would have an address in the 192.168.0.* (the WAN)
The host will not filter the bridged traffic between WAN and VM(s).

The libvirt can create the bridge. The host cannot use the bridge for its connectivity, for libvirt may be down.

Code: Select all

WAN===virbr===VM(s)
   \==host
The libvirt can create an isolated bridge (aka Isolated Network).

Code: Select all

WAN===host   LAN(virbr)===VM(s)
There is no route between WAN and LAN, although the host might be a member of LAN too.

The libvirt can create a routed network.

Code: Select all

WAN===host(router)===LAN(virbr)===VM(s)
The WAN can access VM, if
1. If it knows that "to VM via WAN-IP of host" (static route)
2. Host's firewall allows new connections from WAN to LAN

By default, the libvirt creates Default Network. Routing with NAT.

Code: Select all

WAN===(NAT)host(router)===LAN(virbr)===VM(s)
The WAN can still access VM, if the host has "port forwarding" defined.
The WAN won't know that it is served by VM, rather than the host itself.

Home routers have similar port forwarding options.



tldr:
* Change the libvirt "Network" from "Routed with NAT" to "Routed".
* Update firewalld-rules of the host to allow WAN->LAN connections.

Post Reply