No outbound connectivity from guest VM (Fedora 32)

Laine Stump laine at redhat.com
Tue Jun 9 15:38:58 UTC 2020


On 6/8/20 8:55 AM, Justin Stephenson wrote:
> On Mon, Jun 8, 2020 at 5:09 AM Daniel P. Berrangé <berrange at redhat.com> wrote:
>>
>> On Fri, Jun 05, 2020 at 01:27:08PM -0400, Justin Stephenson wrote:
>>> Hi,
>>>
>>> I recently installed a fresh install of Fedora 32 and I am having
>>> trouble with my virtual machine networking, I can ssh and connect into
>>> my guest VMs from my host, but the guest VMs cannot ping out to the
>>> internet.
>>>
>>> I am using the "default" NAT virtual network, the interesting thing is
>>> I have made no configuration changes on my host or in the guest VMs,
>>> simply created and installed two VMs(Fedora and RHEL8) in Fedora where
>>> the VMs are having the same issue.
>>>
>>> I am happy to provide any logs or command output if that would help.
>>
>> Do you have "podman" installed on your host ? As there is an issue
>> with podman loading "br_netfilter" which is harming libvirt default
>> network traffic..
> 
> Hi, yes I am using podman for some development tasks. However I don't
> see any br_netfilter module loaded:
> 
>   # lsmod | grep br_netfilter
>   # grep 'netfilter' /proc/modules
> 
> I'm not sure if it matters but my host laptop is also connected wirelessly.

Since it's not the "problem du jour" with F32, here are a few other things 
you can try:

1) Try "systemctl restart libvirtd.service" (which reloads libvirt's 
iptables rules), and then start the VM again to see if the problem is 
solved. (If this fixes it, then something that is starting after 
libvirtd.service is adding a firewall rule that blocks the outbound 
guest traffic)

2) You say this was a fresh install of F32. Have you run dnf update to 
make sure you have all post-release updates to libvirt and firewalld 
packages? If not, try that first.

(BTW, can you ssh from guest to host?)

3) See if you can ping from the guest to the outside network. If you can 
ping but can't ssh, then again there is a firewall problem. Make sure 
the libvirt zone exists in firewalld config, and that virbr0 is a part 
of that zone. (Aside from allowing inbound dns, dhcp and ssh from guests 
to the host, the libvirt zone has a default "ACCEPT" policy, which will 
allow packets to be forwarded from the guest through the host. If virbr0 
is on a different zone, then the default policy won't be ACCEPT, and 
forwarded traffic will be rejected. All libvirt networks are put into 
firewalld's "libvirt" zone by default, so this should always be the case.)

Beyond those suggestions, I'm not sure what else to recommend, other 
than that you might get a quicker response on troubleshooting like this 
by logging into irc.oftc.net and joining the #virt channel :-)
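
The zone check from suggestion 3, as an added example that is not part of the original message: it parses text in the format printed by `firewall-cmd --get-active-zones` and reports which zone holds the bridge. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the firewalld zone that holds the libvirt bridge.

# Constructed samples in the format of `firewall-cmd --get-active-zones`
# (not output from the thread). SAMPLE_OK is the expected layout;
# SAMPLE_BAD has virbr0 in a zone other than "libvirt".
SAMPLE_OK='libvirt
  interfaces: virbr0
public
  interfaces: wlp2s0'

SAMPLE_BAD='public
  interfaces: wlp2s0 virbr0'

# Print the zone that owns interface $1; active-zones text is read on stdin.
zone_of_iface() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1; next }      # unindented line starts a zone
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; exit }
        }
    '
}

# $1 = bridge name, $2 = active-zones text.
# Returns 0 if the bridge is in "libvirt", 1 if it is in another zone,
# 2 if no active zone lists it.
check_bridge_zone() {
    _zone=$(printf '%s\n' "$2" | zone_of_iface "$1")
    if [ -z "$_zone" ]; then
        echo "$1: not listed in any active zone"
        return 2
    elif [ "$_zone" != "libvirt" ]; then
        echo "$1: in zone '$_zone', expected 'libvirt'"
        return 1
    fi
    echo "$1: in zone 'libvirt'"
    return 0
}

# Runs against the constructed sample. On a live host, pass the real output:
#   check_bridge_zone virbr0 "$(firewall-cmd --get-active-zones)"
check_bridge_zone virbr0 "$SAMPLE_OK"
```

A return code of 1 corresponds to the case described above, where the bridge's zone does not have the libvirt zone's default ACCEPT policy for forwarded traffic.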
