On 6/8/20 8:55 AM, Justin Stephenson wrote:
On Mon, Jun 8, 2020 at 5:09 AM Daniel P. Berrangé
<berrange(a)redhat.com> wrote:
>
> On Fri, Jun 05, 2020 at 01:27:08PM -0400, Justin Stephenson wrote:
>> Hi,
>>
>> I recently installed a fresh install of Fedora 32 and I am having
>> trouble with my virtual machine networking, I can ssh and connect into
>> my guest VMs from my host, but the guest VMs cannot ping out to the
>> internet.
>>
>> I am using the "default" NAT virtual network, the interesting thing is
>> I have made no configuration changes on my host or in the guest VMs,
>> simply created and installed two VMs(Fedora and RHEL8) in Fedora where
>> the VMs are having the same issue.
>>
>> I am happy to provide any logs or command output if that would help.
>
> Do you have "podman" installed on your host ? As there is an issue
> with podman loading "br_netfilter" which is harming libvirt default
> network traffic..

Hi, yes I am using podman for some development tasks. However I don't
see any br_netfilter module loaded:

# lsmod | grep br_netfilter
# grep 'netfilter' /proc/modules

I'm not sure if it matters but my host laptop is also connected wirelessly.

Since it's not the "problem du jour" with F32, here's a few other things
you can try:

1) Try "systemctl restart libvirtd.service" (which reloads libvirt's
iptables rules), and then start the VM again to see if the problem is
solved. (If this fixes it, then something that is starting after
libvirtd.service is adding a firewall rule that blocks the outbound
guest traffic)

2) You say this was a fresh install of F32. Have you run dnf update to
make sure you have all post-release updates to libvirt and firewalld
packages? If not, try that first.

(BTW, can you ssh from guest to host?)

3) See if you can ping from the guest to the outside network. If you can
ping but can't ssh, then again there is a firewall problem. Make sure
the libvirt zone exists in firewalld config, and that virbr0 is a part
of that zone. (Aside from allowing inbound dns, dhcp and ssh from guests
to the host, the libvirt zone has a default "ACCEPT" policy, which will
allow packets to be forwarded from the guest through the host. If virbr0
is on a different zone, then the default policy won't be ACCEPT, and
forwarded traffic will be rejected. All libvirt networks are put into
firewalld's "libvirt" zone by default, so this should always be the case)

Beyond those suggestions, I'm not sure what else to recommend, other
than that you might get a quicker response on troubleshooting like this
by logging into irc.oftc.net and joining the #virt channel :-)
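
The two host-side conditions raised in this thread (br_netfilter being loaded, and virbr0 not being in firewalld's "libvirt" zone), written as read-only checks. This is an added example, not part of the original messages; the function names, the `--live` switch and the sample text are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): read-only checks for the two causes discussed.

# Constructed sample of `firewall-cmd --get-active-zones` output (healthy host).
SAMPLE_ZONES_OK='libvirt
  interfaces: virbr0
public
  interfaces: wlp2s0'
# Constructed sample where the bridge ended up in the wrong zone.
SAMPLE_ZONES_BAD='public
  interfaces: wlp2s0 virbr0'
# Constructed sample of /proc/modules with br_netfilter loaded.
SAMPLE_MODULES='br_netfilter 28672 0 - Live 0x0000000000000000
bridge 192512 1 br_netfilter, Live 0x0000000000000000'

# Print the zone owning interface $1; reads active-zones text on stdin.
zone_of_iface() {
    awk -v ifc="$1" '
        /^[^ \t]/ { zone = $1; next }            # unindented line starts a zone
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit }
        }'
}

# Succeed if module $1 is loaded; reads /proc/modules text on stdin.
# Compares the first field exactly, so a module that only lists $1 as a user is not counted.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# diagnose BRIDGE ZONES_TEXT MODULES_TEXT: print findings, return 1 if any.
diagnose() {
    rc=0
    zone=$(printf '%s\n' "$2" | zone_of_iface "$1")
    if [ "$zone" != "libvirt" ]; then
        echo "WARN: $1 is in zone '${zone:-none}', not 'libvirt'; forwarded guest traffic may be rejected"
        rc=1
    fi
    if printf '%s\n' "$3" | module_loaded br_netfilter; then
        echo "WARN: br_netfilter is loaded; reported to interfere with libvirt default network traffic"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 is in the libvirt zone and br_netfilter is not loaded"
    return "$rc"
}

# On a live host, run the script with --live to query firewalld and /proc/modules.
if [ "${1:-}" = "--live" ]; then
    diagnose virbr0 "$(firewall-cmd --get-active-zones)" "$(cat /proc/modules)"
fi
```

A clean result here does not rule out a rule added by another service after libvirtd started, which is what the restart in step 1 is meant to reveal.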