0

I have a computer that should connect two networks: 192.168.0.x and 192.168.1.x

192.168.0.x is reachable through interface tun3 while 192.168.1.x is reachable through interface virbr1.

It seems that computers from 0.x can talk with computers from 1.x but not the other way around.

It seems that arp packets coming from virbr1 are dropped. Where does this happen?

Here is the ifconfig for both interfaces(tun3 and virbr1) on the host that should connect the two networks:

root@pgrozav:/home/paul/data/work/server# ifconfig tun3 ; ifconfig virbr1
tun3      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.0.1  P-t-P:10.1.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:942 errors:0 dropped:0 overruns:0 frame:0
          TX packets:463 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:88986 (86.9 KiB)  TX bytes:42452 (41.4 KiB)

virbr1    Link encap:Ethernet  HWaddr 52:54:00:78:23:3b  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51616 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1469672 (1.4 MiB)  TX bytes:155418 (151.7 KiB)

Also, here's the IPTables rules:

root@pgrozav:/home/paul/data/work/server# iptables -nvL
Chain INPUT (policy ACCEPT 4097K packets, 1544M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 481 packets, 40360 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
  393 42938 ACCEPT     all  --  *      virbr1  0.0.0.0/0            192.168.1.0/24       ctstate RELATED,ESTABLISHED
  397 35116 ACCEPT     all  --  virbr1 *       192.168.1.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 3217K packets, 435M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            udp dpt:68
root@pgrozav:/home/paul/data/work/server# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 99697 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 65648 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 169K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 169K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   69  5293 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
   69  5293 RETURN     all  --  *      *       192.168.1.0/24       224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.1.0/24       255.255.255.255     
    5   300 MASQUERADE  tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24       masq ports: 1024-65535
   12   766 MASQUERADE  udp  --  *      *       192.168.1.0/24      !192.168.1.0/24       masq ports: 1024-65535
    5   420 MASQUERADE  all  --  *      *       192.168.1.0/24      !192.168.1.0/24

And the routing table(s):

root@pgrozav:/home/paul/data/work/server# ip route
default via 192.168.200.1 dev eth0 
10.1.0.2 dev tun3  proto kernel  scope link  src 10.1.0.1 
192.168.0.0/24 via 10.1.0.1 dev tun3  scope link 
192.168.1.0/24 dev virbr1  proto kernel  scope link  src 192.168.1.1 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 
192.168.200.0/24 dev eth0  proto kernel  scope link  src 192.168.200.70 
root@pgrozav:/home/paul/data/work/server# ip route list table 200
default via 10.1.0.1 dev tun3 
192.168.1.0/24 via 10.1.0.1 dev tun3

Actually, I have a script that sets this up:

remoteHost=devel
tunnelNumber=3
tunnelPrefixName="tun"
tunnelName="$tunnelPrefixName$tunnelNumber"
tunnelLocalIP="10.1.0.1"
tunnelRemoteIP="10.1.0.2"
remoteNetworkToJoin="192.168.0.0"
remoteNetworkToJoinNetmask="255.255.255.0"
remoteNetworkToJoinInterfaceName="eth0"
localNetworkToJoin="192.168.1.0"
localNetworkToJoinNetmask="255.255.255.0"
localNetworkToJoinInterfaceName="virbr1"


        ssh -f -NTC -w $tunnelNumber:$tunnelNumber $remoteHost
        ip link set $tunnelName up
        ssh $remoteHost ip link set $tunnelName up
        ip addr add $tunnelLocalIP/32 peer $tunnelRemoteIP dev $tunnelName
        ssh $remoteHost ip addr add $tunnelRemoteIP/32 peer $tunnelLocalIP dev $tunnelName
        route add -net $remoteNetworkToJoin gw $tunnelLocalIP netmask $remoteNetworkToJoinNetmask dev $tunnelName
        ip route add default via $tunnelLocalIP dev $tunnelName table 200
        ip rule add from $localNetworkToJoin/24 table 200
        ssh $remoteHost route add -net $localNetworkToJoin gw $tunnelRemoteIP netmask $localNetworkToJoinNetmask dev $tunnelName
        ssh $remoteHost iptables -A FORWARD -i $remoteNetworkToJoinInterfaceName -o $tunnelName -m state --state ESTABLISHED,RELATED -j ACCEPT
        ssh $remoteHost iptables -A FORWARD -s $tunnelLocalIP -o $remoteNetworkToJoinInterfaceName -j ACCEPT
        ssh $remoteHost iptables -t nat -A POSTROUTING -s $tunnelLocalIP -o $remoteNetworkToJoinInterfaceName -j MASQUERADE

I am running KVM on this machine and virbr1 is connecting my machine to the virtual LAN where all the virtual machines are. I am trying to connect the local LAN (with the VMs - 1.x) to a remote network (0.x)

Improve this question
2
  • Add some information to your question. Do ifconfig tun3 and ifconfig virbr1 and put that on your question. As your question stands, there's no way to answer it. Commented Jul 30, 2015 at 14:46
  • OK, I did that. Thanks Bruce, this was my first post on stackexchange and I was eager to ask you guys if you see where the problem is (-: . Commented Jul 31, 2015 at 5:47

2 Answers 2

Reset to default
0

Arp is used on LAN to identify IP-MAC couples. I'm not sure ARP is connected to your problem.

If connection from 0.x -> 1.x works, it means that you have no routing problem, because during communication, packets are send from 0.x to 1.x and from 1.x to 0.x (assuming it is TCP communication)

And if connection from 1.x -> 0.x fails then you may have something in between; firewall, NAT, application access list, tcp wrapper...

You will have to check the client, the gateway and the server.

Improve this answer
0

There was a problem in the routing table of my 1.2 computer, from where I was pinging 0.6:

[root@localhost ~]# ip route list
default via 192.168.1.1 dev eth0  proto static  metric 100                                                                          
192.168.0.0 via 192.168.1.1 dev eth0  proto static                                                                       
192.168.0.0/16 dev eth0  proto kernel  scope link  src 192.168.1.2  metric 100

I thought the virtual machine was clean and had (by default) an empty routing table and iptables. I spent a few days/weeks with this problem.

Thanks, and sorry for taking your time.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.