Routed network can't reach outside network

Laine Stump laine at redhat.com
Mon Jul 27 20:15:42 UTC 2020


On 7/23/20 6:14 PM, Rui Correia wrote:
> 
> 
> On Thu, Jul 23, 2020 at 10:36 PM Rui Correia <rdscorreia74 at gmail.com 
> <mailto:rdscorreia74 at gmail.com>> wrote:
> 
> 
>     Thanks for the headsup. I'll ask the Manjaro guys about the nft.
>     Hopefully they'll know if nft is installed and running.
> 
> Well, that was fast.
> I've asked the guys and they told me Manjaro KDE doesn't come with 'nft' 
> installed by default.
> Then I searched the installed packages by nft and the only thing 
> installed is the libnftnl package which seems to be related to nft but 
> not nft itself.
> So, I guess my system only has firewall iptables and ufw installed.
> Hope this helps. I could run wireshark but I wouldn't know what to look for.
> Any tips?
>

Back in your original message, you said this:


On 7/19/20 6:54 AM, Rui Correia wrote:
> The host can ping the Debian VM and the Debian VM can ping the host but
> the Debian VM cannot ping the router 10.0.0.1 or any ip address on the internet.

But in a later message you say this:

On 7/23/20 10:34 AM, Rui Correia wrote:
> But, for testing purposes (trying to reach the VM's from the KVM host)
> I don't need those static routes, right? Because right now I'd be ok
> if I could reach the VM's from the KVM host and right now I can't.

So which is correct?



>  <forward dev="wlo1" mode="route">
>    <interface dev="wlo1"/>
>  </forward>

It will probably make no difference (unless traffic leaving your "KVM 
Host" isn't actually using the interface named "wlo1", and in that case 
it makes *all* the difference!), but I would change this to simply:

   <forward mode='route'/>

The purpose of the "forward dev" is commonly misunderstood as having 
something to do with routing, but it doesn't - it only serves to add an 
iptables rule that will block traffic if it's coming from or going to 
any interface other than (in this case) "wlo1". i.e. it's a security 
knob, not a routing knob; if you're not concerned about rogue guests 
then at best it's just creating extra overhead for each packet, and at 
worst it could be blocking traffic if it's misconfigured.



As for checking with wireshark/tcpdump, mainly the intent is just to 
see, when you send a packet from one end or the other, whether a 
corresponding packet shows up in the output of wireshark/tcpdump. As an 
example, let's say that you are trying to ping (from your original 
diagram) "desktop manjaro" (10.0.0.11) from "debian 10 VM" (10.2.2.10). 
First start a ping in a shell on "debian 10 VM", then run a command like 
this (as root) on the KVM Host:

     tcpdump -i virbr2 -n host 10.2.2.10

You should at least see one icmp "echo request" packet for each ping 
that is sent. You might even see an icmp response (and if so, hopefully 
it is an icmp echo reply, rather than destination unreachable or 
something like that).

If you see the outbound icmp echo request and an echo reply, then the 
problem is on your host or in the guest. If you see an echo request but 
no echo reply, then look at the next step out - wlo1 interface on the 
KVM host:

     tcpdump -i wlo1 -n host 10.2.2.10

You should still see the outbound echo request. If not, then again your 
problem is on the KVM host. If you see the echo request, but no reply, 
then you need to go look on "manjaro desktop". Run the same tcpdump 
command there (as root), but replace "wlo1" with whatever is the name of 
the ethernet device on that host connecting it to the network.

At this point you may see an echo request *and* an outgoing echo 
response, but not see that response back at the KVM host. That's when 
you'll want to rerun tcpdump telling it to display the MAC address of 
the packets:

    tcpdump -i <whatever-interface-name> -e -n host 10.2.2.10

Now you can look at the MAC address in the tcpdump output - it should 
contain the MAC of the KVM host, *not* the MAC of your router. If it has 
the MAC of your router, then you haven't added a routing table entry to 
the manjaro desktop's network config. Do that.

(or, possibly you just want to add a route to the router. That will 
work, but will result in a lot of duplicated traffic and ICMP redirect 
packets from the router to the manjaro desktop).

Anyway, there are many paths this can take, but that gives you an idea 
of how to use tcpdump. (you could do the same thing with wireshark, it's 
just a lot more overhead and lots of info when you really need very 
little (and also requires that wireshark be installed and a desktop 
session open, on all the machines involved)).
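The capture-reading steps above (request seen? reply seen? reply addressed to the KVM host's MAC or the router's?), as an added example that is not part of the original mail: a small parser for `tcpdump -e -n` output lines. The MAC addresses and the capture lines are constructed for illustration; the IPs are the ones from the thread.

```python
import re
from collections import Counter

# Constructed placeholder MACs (not from the thread): the KVM host's wlo1
# and the router 10.0.0.1. Replace with the real ones when using this.
KVM_HOST_MAC = "52:54:00:aa:bb:01"
ROUTER_MAC = "00:11:22:33:44:55"
GUEST_IP = "10.2.2.10"   # "debian 10 VM" from the original diagram

# One ICMP line of `tcpdump -e -n host 10.2.2.10`, e.g.
# "20:15:42.000120 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98:
#  10.0.0.11 > 10.2.2.10: ICMP echo reply, id 7, seq 1, length 64"
LINE_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

# Constructed capture as taken on "desktop manjaro" (10.0.0.11): the reply to
# the guest is sent to the router's MAC, i.e. the desktop lacks a route to the
# guest network via the KVM host. The ARP line shows non-ICMP noise is ignored.
SAMPLE_CAPTURE = """\
20:15:42.000001 52:54:00:aa:bb:01 > de:ad:be:ef:00:11, ethertype IPv4 (0x0800), length 98: 10.2.2.10 > 10.0.0.11: ICMP echo request, id 7, seq 1, length 64
20:15:42.000120 de:ad:be:ef:00:11 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.11 > 10.2.2.10: ICMP echo reply, id 7, seq 1, length 64
20:15:42.000300 de:ad:be:ef:00:11 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.11, length 28
""".splitlines()

def parse_icmp(lines):
    """Return a dict per ICMP echo request/reply line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def diagnose(lines, guest_ip, kvm_host_mac, router_mac):
    """Apply the mail's decision steps to a capture; returns (verdict, counts)."""
    pkts = parse_icmp(lines)
    counts = Counter(p["kind"] for p in pkts)
    if counts["request"] == 0:
        return "no-request", counts          # problem is on the KVM host / guest
    replies = [p for p in pkts if p["kind"] == "reply" and p["dst_ip"] == guest_ip]
    if not replies:
        return "no-reply", counts            # look at the next hop out
    dst_macs = {p["dst_mac"].lower() for p in replies}
    if router_mac.lower() in dst_macs:
        return "reply-to-router", counts     # host needs a route to the guest net
    if dst_macs == {kvm_host_mac.lower()}:
        return "reply-to-kvm-host", counts   # this host is forwarding correctly
    return "reply-to-other", counts

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, GUEST_IP, KVM_HOST_MAC, ROUTER_MAC))
```

Feed it a capture file with `diagnose(open("cap.txt").read().splitlines(), ...)`; "reply-to-router" is the case where the missing static route on the desktop is the cause.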



