12:07 p.m.
hi,
I have an issue with one host at a customer's site. I think this cannot
work, but I would like to ask you just in case I am confused.
host:
eno1: 172.20.10.x/24 management interface gw 172.20.10.254
bridge-service: 0.0.0.0/24
tun0: openvpn tunnel to external data center
internal-bridge: x.x.x.x/28 ; routed subnet that goes to openvpn tun0
on vm:
eth0: x.x.x.x/28 on internal-bridge (default gw)
eth1: 172.20.10.x/24 bridge-service gw 172.20.10.254 (same as eno1)
Connectivity to and from openvpn (from and to datacenter) is perfect. All
vms are directly reachable from our management services, no natting.
From hypervisor I can ping the gw, from vm I cannot ping
172.20.10.254.
My gut feeling is that this cannot work because traffic for the hypervisor
for subnet 172.20.10.x/24 flows through eno1, but for vm through the
bridge-loggin interface. So that cannot work.
Should we just ask the customer to give us different subnets for the host
and the vm?
TIA.
--
regards,
Natxo
10:05 a.m.
On Thu, Feb 24, 2022 at 07:07:18PM +0100, Natxo Asenjo wrote:
hi,
I have an issue with one host at a customer's site. I think this cannot
work, but I would like to ask you just in case I am confused.
host:
eno1: 172.20.10.x/24 management interface gw 172.20.10.254
bridge-service: 0.0.0.0/24
tun0: openvpn tunnel to external data center
internal-bridge: x.x.x.x/28 ; routed subnet that goes to openvpn tun0
on vm:
eth0: x.x.x.x/28 on internal-bridge (default gw)
eth1: 172.20.10.x/24 bridge-service gw 172.20.10.254 (same as eno1)
Connectivity to and from openvpn (from and to datacenter) is perfect. All
vms are directly reachable from our management services, no natting.
>From hypervisor I can ping the gw, from vm I cannot ping 172.20.10.254.
My gut feeling is that this cannot work because traffic for the hypervisor
for subnet 172.20.10.x/24 flows through eno1, but for vm through the
bridge-loggin interface. So that cannot work.
I am not sure, but I would try to see where the packets are really going
through by using wireshark/tshark or tcpdump.
The only thing that I can come up on the spot is that it is trying to go
through different interface at some point due to reverse path filtering,
settings for that are in /proc/sys/net/ipv4/conf/*/rp_filter, it might
be routed elsewhere anywhere along the way. But it is hard to say
without knowing how all the networks are connected. Maybe I'm just bad
at understanding your situation, for me it is usually better to see this
stuff happen in wireshark. But I figured I at least let know know one
idea which we had an issue before as well.
Hope that helps,
Martin
Should we just ask the customer to give us different subnets for the
host
and the vm?
TIA.
--
regards,
Natxo
10:20 a.m.
On 2/25/22 11:05 AM, Martin Kletzander wrote:
On Thu, Feb 24, 2022 at 07:07:18PM +0100, Natxo Asenjo wrote:
> hi,
>
> I have an issue with one host at a customer's site. I think this cannot
> work, but I would like to ask you just in case I am confused.
>
> host:
> eno1: 172.20.10.x/24 management interface gw 172.20.10.254
> bridge-service: 0.0.0.0/24
I may be misunderstanding this "freehand" description of your setup, but
it sounds like you have a Linux host bridge device that is attached to
eno1 and to a VM (via a tap device), and that the bridge device has no
IP address, but the host's ethernet device *does* have an IP address
configured. I haven't ever tried the setup this way, but I do know that
normally you should have *no IP* on the ethernet device, and an IP on
the bridge device (every set of instructions I've ever seen for adding a
bridge to an ethernet have included the step of "move the ethernet IP
config over to the bridge device config").
If the config actually does have IP address on the ethernet but not on
the bridge, try swapping that.
> tun0: openvpn tunnel to external data center
> internal-bridge: x.x.x.x/28 ; routed subnet that goes to openvpn tun0
>
> on vm:
> eth0: x.x.x.x/28 on internal-bridge (default gw)
> eth1: 172.20.10.x/24 bridge-service gw 172.20.10.254 (same as eno1)
>
> Connectivity to and from openvpn (from and to datacenter) is perfect. All
> vms are directly reachable from our management services, no natting.
>
>> From hypervisor I can ping the gw, from vm I cannot ping 172.20.10.254.
>
> My gut feeling is that this cannot work because traffic for the
> hypervisor
> for subnet 172.20.10.x/24 flows through eno1, but for vm through the
> bridge-loggin interface. So that cannot work.
>
I am not sure, but I would try to see where the packets are really going
through by using wireshark/tshark or tcpdump.
The only thing that I can come up on the spot is that it is trying to go
through different interface at some point due to reverse path filtering,
settings for that are in /proc/sys/net/ipv4/conf/*/rp_filter, it might
be routed elsewhere anywhere along the way. But it is hard to say
without knowing how all the networks are connected. Maybe I'm just bad
at understanding your situation, for me it is usually better to see this
stuff happen in wireshark. But I figured I at least let know know one
idea which we had an issue before as well.
Hope that helps,
Martin
> Should we just ask the customer to give us different subnets for the host
> and the vm?
>
> TIA.
> --
> regards,
> Natxo
1001
days inactive
1002
days old
2 comments
3 participants
participants (3)
-
Laine Stump -
Martin Kletzander -
Natxo Asenjo