LibVirt – overcoming problems with internal routing (aka some features I wish I knew about earlier!)

This article will be expanded with new issues/workarounds if I manage to find any.

Strange title, isn't it? Well, it's as strange as what I ran into while putting together my last article for you, folks!

Issue 1 – Packets won’t get routed past host

Well, long story short – I’ve no idea how I didn’t run into those problems earlier, but here’s my topology:

Since it was a very simple lab, all I did was create static routes on my router (for both 172.16.1.0/24 and 192.168.200.0/29) and called it a day. The thing is, traffic from WEB-SRV-1 would only ever reach my host; trying to get to anything beyond it came back with an ICMP port unreachable message. "Strange", I said to myself, especially since I always enable IP forwarding on my host with:

echo '1' > /proc/sys/net/ipv4/ip_forward # Run this as root; same effect as: sysctl -w net.ipv4.ip_forward=1
# This does not survive a reboot: to make it permanent put net.ipv4.ip_forward = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d/

Well, it turns out that when libvirt starts a virtual network (routed or NAT) it adds its own rules to the iptables FORWARD chain (on libvirt 5.1 and newer they live in the LIBVIRT_FWI, LIBVIRT_FWO and LIBVIRT_FWX chains that FORWARD jumps to). For each bridge it allows forwarding out of the bridge only for packets whose source address is in the subnet it assigned to that network, allows forwarding into the bridge only for packets destined to that subnet, and then rejects everything else entering or leaving the bridge with an ICMP port unreachable. That last part is exactly the symptom above: any packet the ACCEPT rules don't cover (for instance one sourced from a network that sits behind a guest router rather than in the subnet libvirt knows about) gets bounced straight back. You can list the rules with iptables -S FORWARD before deciding what to do about them. I didn't spend much time on the rules myself, but a workaround (not a very elegant one) is to do:

iptables -F # Run as root. Flushes every chain in the filter table; chain default policies and the nat table are left untouched

This flushes every chain in the filter table, getting rid of libvirt's rules along with any of your own. Two caveats before you do it: if the FORWARD chain's default policy is DROP (check with iptables -S FORWARD), flushing leaves you with no forwarding at all, and libvirt puts its rules straight back the next time the network or libvirtd is restarted. The less blunt options are to insert an ACCEPT rule for the bridge ahead of libvirt's rules, or, on libvirt 2.2.0 and newer, to define the network with forward mode open, in which case libvirt adds no firewall rules for it and leaves routing entirely to you. As I said earlier, the flush isn't elegant, but for a lab it will do. Kudos to the author of jamielinux.com, whose blog post (here) pointed me at the issue.
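Before flushing anything it is worth seeing what libvirt actually put in place. The following is an added shell example (it is not from the original post and not libvirt's own code): it reads an iptables-save dump, lists every forwarding rule that touches a given bridge, counts the REJECT rules that produce the port unreachable replies, reports the FORWARD default policy, and prints the two targeted alternatives to a full flush: ACCEPT rules inserted ahead of libvirt's, and a network definition in forward mode open. The dump is a constructed sample shaped like what libvirt writes for a routed network; the bridge name virbr1, the network name lab-routed and the host address 192.168.200.1 are assumptions.

```shell
#!/bin/sh
# Added example: inspect libvirt's forwarding rules for one bridge without touching
# the live firewall. SAMPLE_DUMP is a constructed iptables-save excerpt modelled on
# what libvirt generates for a routed network on virbr1 (192.168.200.0/29).
# On a real host replace it with the output of: iptables-save -t filter
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.200.0/29 -o virbr1 -j ACCEPT
-A FORWARD -s 192.168.200.0/29 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Every forwarding rule (FORWARD itself or the LIBVIRT_FW* chains of libvirt >= 5.1)
# that names the bridge as input or output interface.
bridge_rules() {          # $1 = bridge name, stdin = iptables-save dump
    grep -E -- "^-A (FORWARD|LIBVIRT_FW[IOX]) .*(-i|-o) $1( |$)"
}

# Number of REJECT rules for the bridge; these are what answer with port-unreachable.
count_rejects() {         # $1 = bridge name, stdin = dump
    bridge_rules "$1" | grep -c -- '-j REJECT' || true   # grep -c exits 1 on zero matches
}

# Default policy of FORWARD. If it is DROP, a bare `iptables -F` stops all forwarding.
forward_policy() {        # stdin = dump
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Targeted alternative to flushing: ACCEPT rules inserted at the top of FORWARD, so
# they are evaluated before libvirt's REJECT rules and before its chain jumps.
accept_commands() {       # $1 = bridge name
    printf 'iptables -I FORWARD -i %s -j ACCEPT\n' "$1"
    printf 'iptables -I FORWARD -o %s -j ACCEPT\n' "$1"
}

# libvirt >= 2.2.0: a network in forward mode "open" gets no iptables rules at all.
# Network name, bridge and address are whatever you pass in (assumptions in the demo).
open_network_xml() {      # $1 = network name, $2 = bridge, $3 = host ip, $4 = prefix
    cat <<EOF
<network>
  <name>$1</name>
  <forward mode='open'/>
  <bridge name='$2'/>
  <ip address='$3' prefix='$4'/>
</network>
EOF
}

main() {
    echo "FORWARD policy: $(printf '%s\n' "$SAMPLE_DUMP" | forward_policy)"
    echo "Rules touching virbr1:"
    printf '%s\n' "$SAMPLE_DUMP" | bridge_rules virbr1
    echo "REJECT rules for virbr1: $(printf '%s\n' "$SAMPLE_DUMP" | count_rejects virbr1)"
    echo "Targeted fix instead of iptables -F:"
    accept_commands virbr1
    echo "Or define the network with no libvirt firewall rules (virsh net-define this file):"
    open_network_xml lab-routed virbr1 192.168.200.1 29
}
main
```

On a real host pipe iptables-save -t filter into bridge_rules and count_rejects instead of the sample. Note that libvirt re-inserts its own rules (and on newer versions its chain jumps) at the top of FORWARD whenever the network starts, so re-check the order after a libvirtd restart if you went with the inserted ACCEPT rules; the forward mode open network avoids that whole dance.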

Anyway, I'm going to edit some of my articles and mention this, as it's quite an annoyance and can easily cost you a few hours staring at your screen trying to figure out why that stupid routing won't work (I'm sorry. Yes, this was me yesterday).

Issue 2 – Two hosts on the same network have no connectivity to each other

This one is rather simple. If you're building a home lab and wondering why pings from one guest aren't seen by another even though they're on the exact same network, here's your answer: RTL8139. When you change the NIC model from rtl8139 to e1000 (the model type on the interface in the domain XML, or the device model in virt-manager), everything should start working. I'm not sure whether it's because the emulated device is trying to hand traffic off to a host device or because it's a bug (if someone knows, feel free to share in the comments), but generally, stick to e1000 (or virtio if your guest has the drivers for it).
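As an added example (not from the original post), here is the NIC model swap done against the domain XML rather than by clicking through virt-manager: list the model of every interface, then rewrite rtl8139 to e1000. The domain XML is a constructed excerpt in the single-quote style virsh dumpxml produces; the VM name WEB-SRV-1 matches the post, the network names are assumptions. On a real host the flow is virsh dumpxml VM, run the rewrite, virsh define the result, and power-cycle the guest, since a model change only takes effect on the next boot.

```shell
#!/bin/sh
# Added example (not from the original post): find and replace the NIC model in a
# libvirt domain XML. SAMPLE_DOMAIN is a constructed excerpt; network names are
# made up for the example.
SAMPLE_DOMAIN="<domain type='kvm'>
  <name>WEB-SRV-1</name>
  <devices>
    <interface type='network'>
      <source network='lab-routed'/>
      <model type='rtl8139'/>
    </interface>
    <interface type='network'>
      <source network='default'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>"

# Print the model type of each <interface>, one per line, in document order.
nic_models() {            # stdin = domain XML
    sed -n "s/.*<model type=[\"']\([a-z0-9_-]*\)[\"']\/>.*/\1/p"
}

# How many interfaces use a given model (prints 0 when none; grep -c exits 1 then).
count_model() {           # $1 = model name, stdin = domain XML
    nic_models | grep -c -x -- "$1" || true
}

# Rewrite every rtl8139 NIC to e1000, keeping whichever quote style the file uses.
use_e1000() {             # stdin = domain XML, stdout = rewritten XML
    sed "s/<model type=\([\"']\)rtl8139\1\/>/<model type=\1e1000\1\/>/g"
}

main() {
    echo "NIC models before:"; printf '%s\n' "$SAMPLE_DOMAIN" | nic_models
    echo "NIC models after:";  printf '%s\n' "$SAMPLE_DOMAIN" | use_e1000 | nic_models
    # On a real host (guest powered off):
    #   virsh dumpxml WEB-SRV-1 | use_e1000 > web-srv-1.xml && virsh define web-srv-1.xml
}
main
```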
