[SOLVED] Unable to access network on windows guest with default nat.

croxymoc · 2024-07-19 05:51:46

My windows guest with libvirt/virt-manager doesn't get internet access. After browsing other threads and the wiki I believe my issue is with firewall backend. I tried changing
firewall_backend to "iptables" in /etc/libvirt/network.conf however that didn't resolve the issue.
Here is my default network
<network>
<name>default</name>
<uuid>ca20a639-1dad-4ced-b8c1-4de6db5283c3</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:4f:e3:48'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
<ip family='ipv6' address='2001:db8:ca2:2::1' prefix='64'>
</ip>
</network>

The guest is using NIC with virtio over default (I have installed virtio drivers).
All my poking around seems to suggest something might be wrong with my firewall / ufw but I am practically illiterate when it comes to network.

Last edited by croxymoc (2024-07-23 20:55:52)

croxymoc · 2024-07-20 08:28:19

I followed this thread and I 90% sure my issue is with network manager somehow. however I do not have systemd-networkd enabled as of now so there must be some remenant from when I did which is screwing things up

https://bbs.archlinux.org/viewtopic.php?id=273243&p=2

croxymoc · 2024-07-20 08:30:18

journalctl on libvirt

Jul 20 13:35:06 Framework systemd[1]: Starting libvirt legacy monolithic daemon...
Jul 20 13:35:06 Framework libvirtd[48436]: setlocale: No such file or directory
Jul 20 13:35:06 Framework systemd[1]: Started libvirt legacy monolithic daemon.
Jul 20 13:35:06 Framework dnsmasq[48547]: started, version 2.90 cachesize 150
Jul 20 13:35:06 Framework dnsmasq[48547]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash >
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: router advertisement on 2001:db8:ca2:2::
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: DHCP, sockets bound exclusively to interface virbr0
Jul 20 13:35:06 Framework dnsmasq[48547]: reading /etc/resolv.conf
Jul 20 13:35:06 Framework dnsmasq[48547]: using nameserver 127.0.0.53#53
Jul 20 13:35:06 Framework dnsmasq[48547]: read /etc/hosts - 2 names
Jul 20 13:35:06 Framework dnsmasq[48547]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Jul 20 13:35:37 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:35:43 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:35:57 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:36:10 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:45:21 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:54:27 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::

croxymoc · 2024-07-23 08:42:07

Okay so If I flush my nft ruleset at after each host startup before starting the guest I get internet. I thought firewalld had it's zone for libvirt so it'll allow guest to host but for some reason it doesn't. I really don't understand what I am doing and would love if someone actually pointed me to a resource on how to configure the libvirt policy/zone so I don't have to flush nft everytime.

seth · 2024-07-23 15:31:21

systemctl status nftables.service

croxymoc · 2024-07-23 19:08:33

nft.service is inactive now (as I think it should be)
I also seemed to have fixed it permanently by

> # systemctl stop firewalld
> # nft flush ruleset
> # systemctl start firewalld
> # firewall-cmd --complete-reload
> # firewall-cmd --set-default-zone=public
> # firewall-cmd --runtime-to-permanent

leaving this here jic someone else has a similar issue.

EDIT:
nvm it still doesnt work after reboot, but I already marked it as solved and it kinda is so I'll let it sit.

Last edited by croxymoc (2024-07-23 19:13:34)

mcdoogs · 2024-07-23 20:34:42

Thanks, this solved my problem too. Last week multiple guests that I've been using for years (windows & linux) had network issues after a system update, along with all docker containers. It seems like some combination of NetworkManager/firewall settings that used to work fine are now breaking my network bridges.

seth · 2024-07-23 20:40:43

nvm it still doesnt work after reboot, but I already marked it as solved and it kinda is so I'll let it sit.

So no, it's not.

What nft.service?
Please post the output of

find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

If you then also disable firewalld, do you get acess to the port/http service?

croxymoc · 2024-07-23 20:49:41

auto-cpufreq.service                     | multi-user.target.wants
bluetooth.service                        | bluetooth.target.wants
dbus-org.bluez.service                   | system
dbus-org.fedoraproject.FirewallD1.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
display-manager.service                  | system
docker.socket                            | sockets.target.wants
firewalld.service                        | multi-user.target.wants
gcr-ssh-agent.socket                     | sockets.target.wants
getty@tty1.service                       | getty.target.wants
iwd.service                              | multi-user.target.wants
libvirtd-admin.socket                    | sockets.target.wants
libvirtd-ro.socket                       | sockets.target.wants
libvirtd.service                         | multi-user.target.wants
libvirtd.socket                          | sockets.target.wants
NetworkManager.service                   | multi-user.target.wants
NetworkManager-wait-online.service       | network-online.target.wants
nftables.service                         | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-pulse.socket                    | sockets.target.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
reflector.service                        | multi-user.target.wants
remote-fs.target                         | multi-user.target.wants
systemd-resolved.service                 | sysinit.target.wants
systemd-timesyncd.service                | sysinit.target.wants
virtlockd-admin.socket                   | sockets.target.wants
virtlockd.socket                         | sockets.target.wants
virtlogd-admin.socket                    | sockets.target.wants
virtlogd.service                         | multi-user.target.wants
virtlogd.socket                          | sockets.target.wants
wireplumber.service                      | pipewire.service.wants
xdg-user-dirs-update.service             | default.target.wants

The way I have been "fixing" it has been just flushing the ruleset and then starting nftables.service again,
Here is nftables.service output too, but from what I understand it is supposed to be inactive.

 
○ nftables.service - Netfilter Tables
     Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset:>
     Active: inactive (dead) since Wed 2024-07-24 02:18:52 IST; 10s ago
 Invocation: 7e89e555ac184b6583d662ed8d7c25e3
       Docs: man:nft(8)
    Process: 7099 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, st>
   Main PID: 7099 (code=exited, status=0/SUCCESS)

Jul 24 02:18:52 Framework systemd[1]: Starting Netfilter Tables...
Jul 24 02:18:52 Framework systemd[1]: nftables.service: Deactivated successfull>
Jul 24 02:18:52 Framework systemd[1]: Finished Netfilter Tables.

seth · 2024-07-23 20:53:50

nftables.service                         | multi-user.target.wants

Disable that, it's not required to run firewalld or anything else but will only load some very restrictive default rules, https://wiki.archlinux.org/title/Nftabl … e_firewall
You got rid of them w/ nft flush ruleset, then rebuild firewalld as desired but after the reboot /etc/nftables.conf got applied again.

Edit: it's "inactive" because it just loads that file and then quits.
netfilter happens in the kernel, everything else just loads and deleted rules.

Last edited by seth (2024-07-23 20:54:58)

croxymoc · 2024-07-23 20:55:19

Thanks, now I can mark as solve for real for real!

mcdoogs · 2024-07-23 21:16:35

Yep, that fixed the problem across reboots for me as well.

Arch Linux

#1 2024-07-19 05:51:46

[SOLVED] Unable to access network on windows guest with default nat.

#2 2024-07-20 08:28:19

Re: [SOLVED] Unable to access network on windows guest with default nat.

#3 2024-07-20 08:30:18

Re: [SOLVED] Unable to access network on windows guest with default nat.

#4 2024-07-23 08:42:07

Re: [SOLVED] Unable to access network on windows guest with default nat.

#5 2024-07-23 15:31:21

Re: [SOLVED] Unable to access network on windows guest with default nat.

#6 2024-07-23 19:08:33

Re: [SOLVED] Unable to access network on windows guest with default nat.

#7 2024-07-23 20:34:42

Re: [SOLVED] Unable to access network on windows guest with default nat.

#8 2024-07-23 20:40:43

Re: [SOLVED] Unable to access network on windows guest with default nat.

#9 2024-07-23 20:49:41

Re: [SOLVED] Unable to access network on windows guest with default nat.

#10 2024-07-23 20:53:50

Re: [SOLVED] Unable to access network on windows guest with default nat.

#11 2024-07-23 20:55:19

Re: [SOLVED] Unable to access network on windows guest with default nat.

#12 2024-07-23 21:16:35

Re: [SOLVED] Unable to access network on windows guest with default nat.

Board footer