My guests cannot contact the outside network, but can ping the host (192.168.122.1). I can't seem to figure this out; as far as I can tell, all my configs and settings are correct. I have a Windows Server 2012 R2 guest, but the Arch install ISO had the same problem. Here are my configs:
iptables rules:
# Generated by iptables-save v1.4.21 on Thu Jul 2 11:23:14 2015
*mangle
:PREROUTING ACCEPT [201377:11068270]
:INPUT ACCEPT [201186:11057368]
:FORWARD ACCEPT [19:972]
:OUTPUT ACCEPT [162387:347120316]
:POSTROUTING ACCEPT [163200:347190116]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Jul 2 11:23:14 2015
# Generated by iptables-save v1.4.21 on Thu Jul 2 11:23:14 2015
*nat
:PREROUTING ACCEPT [321:43651]
:INPUT ACCEPT [174:35009]
:OUTPUT ACCEPT [3727:278865]
:POSTROUTING ACCEPT [3725:278229]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jul 2 11:23:14 2015
# Generated by iptables-save v1.4.21 on Thu Jul 2 11:23:14 2015
*filter
:INPUT ACCEPT [201177:11056235]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [162390:347120952]
:LOGDROP - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Thu Jul 2 11:23:14 2015
Interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether $NIC1_MAC_ADDRESS brd ff:ff:ff:ff:ff:ff
    inet $MY_PUBLIC_IP brd 50.30.235.255 scope global dynamic enp6s0
       valid_lft 1866sec preferred_lft 1866sec
    inet6 fe80::225:90ff:fe24:307e/64 scope link
       valid_lft forever preferred_lft forever
3: enp7s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether $NIC2_MAC_ADDRESS brd ff:ff:ff:ff:ff:ff
26: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 52:54:00:eb:43:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
27: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 500
    link/ether 52:54:00:eb:43:5b brd ff:ff:ff:ff:ff:ff
28: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN group default qlen 500
    link/ether fe:54:00:98:21:84 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe98:2184/64 scope link
       valid_lft forever preferred_lft forever
Default libvirt network xml:
<network>
  <name>default</name>
  <uuid>ce44d0b0-4cf8-48b6-9ea4-265cba232aaa</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:eb:43:5b'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
The network section of the domain xml:
<interface type='network'>
  <mac address='52:54:00:98:21:84'/>
  <source network='default'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
ip_forward:
$ cat /proc/sys/net/ipv4/ip_forward
1
I have no idea what the problem is here. Does anyone else see something wrong?
EDIT: So it turns out each interface has its own forwarding settings, and the one for my internet NIC was turned off. All I had to run was
# sysctl -w net.ipv4.conf.enp6s0.forwarding=1
Fixed now!
Last edited by rob356 (2015-07-02 20:21:38)
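An added example, not part of the original post: a small POSIX shell check for the condition the EDIT describes, where the global ip_forward reads 1 but an interface on the NAT path has its own forwarding flag off. The function names and the constructed sample tree are hypothetical; enp6s0 and virbr0 are the interface names from the post.

```shell
#!/bin/sh
# Added example, not code from the thread. The root directory is a parameter
# so the same check runs on /proc/sys/net/ipv4 or on a constructed tree.

# forwarding_off ROOT IFACE...: print each interface whose
# conf/<iface>/forwarding is not 1 (an unreadable file counts as off).
forwarding_off() {
    root=$1; shift
    for ifc in "$@"; do
        val=$(cat "$root/conf/$ifc/forwarding" 2>/dev/null || echo missing)
        [ "$val" = 1 ] || printf '%s\n' "$ifc"
    done
}

# nat_path_report ROOT UPLINK BRIDGE: one-line verdict, exit 1 if blocked.
nat_path_report() {
    global=$(cat "$1/ip_forward" 2>/dev/null || echo unknown)
    off=$(forwarding_off "$1" "$2" "$3" | tr '\n' ' ')
    off=${off% }
    if [ -z "$off" ]; then
        echo "ok: ip_forward=$global, forwarding=1 on $2 and $3"
        return 0
    fi
    echo "blocked: ip_forward=$global but forwarding is off on: $off"
    return 1
}

# sample_tree UPLINK_VALUE: build a constructed tree shaped like the
# thread's host (enp6s0 uplink, virbr0 bridge) and print its path.
sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf/enp6s0" "$d/conf/virbr0"
    echo 1 > "$d/ip_forward"
    echo "$1" > "$d/conf/enp6s0/forwarding"
    echo 1 > "$d/conf/virbr0/forwarding"
    echo "$d"
}

# Constructed state from the post: global switch on, uplink NIC off.
t=$(sample_tree 0)
nat_path_report "$t" enp6s0 virbr0 || true
rm -rf "$t"
# On a live host: nat_path_report /proc/sys/net/ipv4 enp6s0 virbr0
```

Listing only the uplink and the bridge keeps the audit scoped to the interfaces that actually need to forward, so forwarding left enabled on any other interface stands out as something to review.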
Might wanna edit the title to [Solved]