OpenVZ Forum


VE in separate subnet (other than HN) [message #32979] Sat, 13 September 2008 15:49
kuckus
Hi all,

I am on a Debian 4.0 system and got OpenVZ installed without complications (I've done it before). Now, there is one VE that I have created successfully, however, this VE so far is not able to communicate with the world outside of my HN.

What's working fine is pinging the VE from the HN as well as the HN from inside the VE, or doing things like SSH'ing from the HN to the VE and back to the HN.
Also, if I set the VE's IP as a second IP for the HN, the HN can be reached through this same IP over the Internet.


The setup I'd like to get to work is as follows:

HN's IP is 81.x.y.z,
HN's default gateway is 81.x.y.1.

The IP that I have available to use for the VE is 85.a.b.c/32 (broadcast address 85.a.b.255).


After assigning this IP to the VE, this is the routing table on the HN:

h50522.serverko *               255.255.255.255 UH    0      0        0 eth0
81.x.y.1    h50522.serverko 255.255.255.255 UGH   0      0        0 eth0
85.a.b.c  *               255.255.255.255 UH    0      0        0 venet0
default         81.x.y.1    0.0.0.0         UG    0      0        0 eth0



What could I be missing here to get the VE connected to the rest of the network/Internet?


If you need any more information, please let me know - any help would be greatly appreciated.


Thanks,


kuckus


/*edit:

Some more details:

- `ip route` in VE
192.0.2.1 dev venet0  scope link 
default via 192.0.2.1 dev venet0


- `ip -V` in VE
ip utility, iproute2-ss071016


- Kernel version running on HN: 2.6.18-12-fza-686

- `sysctl -p` on HN
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0


*/

[Updated on: Sat, 13 September 2008 16:19]


Re: VE in separate subnet (other than HN) [message #33002 is a reply to message #32979] Tue, 16 September 2008 19:49
den
Hmm...

Your default gateway (81.x.y.1) needs to know how to get to 85.a.b.c. It should have a direct route via VE0, or HWN should answer ARP requests for 85.a.b.c.

Could you pls check that
- ARP requests for 85.a.b.c are seen on eth0
- ARP replies are sent back

Basically, ARP replies should be sent if
ip r g 85.a.b.c from 81.x.y.1 iif eth0
returns a route to venet.

Regards,
Den

Re: VE in separate subnet (other than HN) [message #33010 is a reply to message #32979] Wed, 17 September 2008 13:20
Avi Brender
In the vz config file (/etc/sysconfig/vz) make sure this is set:
NEIGHBOUR_DEVS=all

Re: VE in separate subnet (other than HN) [message #33231 is a reply to message #32979] Wed, 01 October 2008 12:47
kuckus
Avi, thanks, but I had this setting in place already.

Den, thank you too - I can see that ping requests are seen on eth0 but no replies are sent back.

I'm not quite the linux networking/routing expert yet though... could you maybe give me some more pointers on what exactly you would check here?

Thanks again,
kuckus

Re: VE in separate subnet (other than HN) [message #33232 is a reply to message #33231] Wed, 01 October 2008 13:14
den
Basically, we should go step by step and check the packet on each interface. In your case:

- VE0, eth0 (seen)
- VE0, venet0
- VEnnn, venet0

Once you find the place where packets are lost, we'll next have to check the actual reason with
netstat -s
and by investigating iptables.

Right now I think you should start with 'ip r g' in VE0 as I have suggested previously.

Re: VE in separate subnet (other than HN) [message #33245 is a reply to message #33232] Wed, 01 October 2008 18:35
kuckus
I actually didn't quite recognize the `ip r g` as a command, d'uh. ;)

Anyway:
# ip r g 85.a.b.c from 81.x.y.1 iif eth0
85.a.b.c from 81.x.y.1 dev venet0  src 81.x.y.z
    cache <src-direct>  mtu 1500 advmss 1460 hoplimit 64 iif eth0



In the guest VE, pings other than from VE0 are not seen (on venet0:0).

I'm using tcpdump to check this.
venet0 on VE0 doesn't have its own IP, what would I use to check the packet there?


`ip r g` inside VEnnn returns
# ip r g 85.a.b.c from 81.x.y.1 iif venet0:0
local 85.a.b.c from 81.x.y.1 dev lo  src 85.a.b.c
    cache <local,src-direct>  iif venet0

Re: VE in separate subnet (other than HN) [message #33273 is a reply to message #33245] Fri, 03 October 2008 07:27
den
I am completely lost with what you are doing.

OK. Let's assume you are trying to ping from VE to the world. You should subsequently check that ICMP echo requests are going through:

- venet in VE
- venet in VE0
- eth0 in VE0

and you see ICMP echo replies on
- eth0 in VE0
- venet in VE0
- venet in VE

Could you specify which of these exact locations are missed?

Re: VE in separate subnet (other than HN) [message #33276 is a reply to message #33273] Fri, 03 October 2008 10:50
kuckus
OK, sorry.

ICMP echo requests from VE to the world are seen on venet0:0 in VE and venet0 in VE0, but not on eth0 in VE0.

Replies aren't seen on any of the interfaces.



(ICMP echo requests from VE to VE0 are seen on venet0:0 in VE and venet0 in VE0, and replies are getting back fine.)
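
Added example, not part of any post above and not OpenVZ's own tooling: a small shell helper that applies den's two checks (the `ip r g` lookup that decides whether the HN answers ARP for the VE address, and the hop-by-hop search for the first capture point where a packet goes missing) to the output quoted in this thread. The function names, the `point|seen` record format and the `probe` helper are assumptions made for this example; the sample data is constructed from the posts.

```shell
#!/bin/sh
# Added example. Sample data below is constructed from output quoted in the thread.

# Print the output device named in `ip route get` output read from stdin.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# den's rule: the HN answers ARP for the VE address when the lookup
# "from the gateway, arriving on eth0" resolves to a venet device.
arp_would_answer() {
    case "$(route_dev)" in
        venet*) echo yes ;;
        *)      echo no ;;
    esac
}

# Read "capture point|seen" or "capture point|missing" lines in path order;
# print the first point where the packet is missing, or "none".
first_lost_hop() {
    awk -F'|' '$2 != "seen" { print $1; lost = 1; exit }
               END { if (!lost) print "none" }'
}

# Live probe for one capture point in VE0 (needs root; not run on the sample).
# Usage: probe eth0 <VE address>  ->  "eth0|seen" or "eth0|missing"
probe() {
    if timeout 5 tcpdump -n -c 1 -i "$1" "icmp and host $2" >/dev/null 2>&1
    then echo "$1|seen"; else echo "$1|missing"; fi
}

# Constructed from kuckus's `ip r g` output on the HN.
HN_LOOKUP='85.a.b.c from 81.x.y.1 dev venet0  src 81.x.y.z
    cache <src-direct>  mtu 1500 advmss 1460 hoplimit 64 iif eth0'

# Constructed from the last post: echo requests sent from the VE to the world.
REQUEST_PATH='venet0:0 in VE|seen
venet0 in VE0|seen
eth0 in VE0|missing'

printf 'HN answers ARP for VE address: %s\n' "$(printf '%s\n' "$HN_LOOKUP" | arp_would_answer)"
printf 'Echo request first missing at: %s\n' "$(printf '%s\n' "$REQUEST_PATH" | first_lost_hop)"
```

On the thread's data the route lookup passes den's ARP condition, while the request path stops between venet0 and eth0 in VE0, which is where den's next step (`netstat -s` and the iptables rules on the HN) applies.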