10

We have Virtual Machines operating within the KVM environment. We set up one as a dev server running Apache etc., and the other as a Windows development environment.

The two environments are set up and running fine. However, they cannot ping each other. I am wondering if there is a clear solution to this.

This is what is happening.

From Host:

  Cannot ping either of 2 VMs (one `Linux`, one `Windows`)

From Either of the VMs:

  Cannot ping host
  Cannot ping each other

From other network machines (for instance my laptop from within my company network)

  Successfully ping host at 192.168.0.64
  Successfully ping VM1 (Linux) 192.168.0.43
  Successfully ping VM2 (Windows) 192.168.0.84
Abhijeet Kasurde
Jay Lepore
  • 4
    Do you have more information of the network configuration of your virtual machines? Are you entirely sure that when your other network machines ping your VMs, they're not pinging some other random machine on the network? (e.g. can you actually hit the apache server with a browser?). – GregHNZ Oct 23 '13 at 05:57
  • I think it might be your bridge. The kernel's iptables will block your machine from talking to itself unless you: echo "1" > /proc/sys/net/ipv4/ip_forward ; Possibly, anyway. – mikeserv Mar 14 '14 at 04:18
  • What command do you use to boot the VMs? – jobin Apr 14 '14 at 18:33
  • Do you have other machines in the same network (which does not reside in the same host)? Are these machines able to ping those machines? – Sreeraj Nov 21 '14 at 06:42
  • 1
    Do you use a macvtap (http://wiki.libvirt.org/page/Guest_can_reach_outside_network,_but_can't_reach_host_%28macvtap%29) interface for the guest? – nkms Aug 29 '15 at 05:59
  • What is the interface type you have specified for the VMs' network interfaces? Assuming it is 'bridge', have you connected the vnetx interfaces on the host to a single bridge on host? Please provide the xml file you are using to create the vms. – Swanand Pashankar Dec 04 '15 at 10:26
  • I don't know KVM, but with VirtualBox, I have to create a "host only" virtual network (tun/tap) and add a new virtual network card to the guests. So all machines (virtual and host) share the same virtual network and they can ping each other. – Vouze Jan 03 '17 at 18:01

2 Answers

1

It is rather obvious the machines are communicating in bridge mode, as you can ping the host, and both VMs from outside the KVM environment.

Your problem is the anti-spoofing protection in the kernel, that drops packets with a destination other than the IP address of the host.

For runtime, do this in the command line of the host server:

 sudo sysctl -w net.ipv4.conf.default.rp_filter=0
 sudo sysctl -w net.ipv4.conf.all.rp_filter=0

For it to survive booting, add the following lines to /etc/sysctl.conf:

 net.ipv4.conf.default.rp_filter=0
 net.ipv4.conf.all.rp_filter=0

From the comments on /etc/sysctl.conf (slightly changed):

rp_filter: enables Spoof protection (reverse-path filter).

Source Address Verification in all interfaces to prevent some spoofing attacks

Rui F Ribeiro
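
Added example (not part of the answer above, and not code from any project): the kernel applies max(conf/all/rp_filter, conf/<interface>/rp_filter) to each interface, and conf/default only seeds interfaces created later, so this script reports the reverse-path filter mode actually in force per interface after a change like the one above. The function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Report the rp_filter mode the kernel really applies on each interface.
# Kernel rule (ip-sysctl documentation): the value used for an interface is
# the maximum of conf/all/rp_filter and conf/<iface>/rp_filter.
# 0 = no source validation, 1 = strict (RFC 3704), 2 = loose.

# rp_mode VALUE -> readable name of an rp_filter value
rp_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# rp_filter_report [CONF_DIR]
# Prints "<iface> configured=<n> effective=<n> (<mode>)" for every interface.
# CONF_DIR defaults to the live sysctl tree; the argument is an assumption of
# this example so the function can also be pointed at a copy of that tree.
rp_filter_report() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$conf_dir/all/rp_filter") || return 1
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are settings, not interfaces
        case "$iface" in all|default) continue ;; esac
        own=$(cat "$f")
        if [ "$own" -gt "$all" ]; then eff=$own; else eff=$all; fi
        echo "$iface configured=$own effective=$eff ($(rp_mode "$eff"))"
    done
}

# rp_filter_enforced [CONF_DIR]
# Exit status 0 if at least one interface still validates source addresses.
rp_filter_enforced() {
    rp_filter_report "$1" | grep -qv 'effective=0 '
}

# Run against the live host when the sysctl tree is present.
[ -r /proc/sys/net/ipv4/conf/all/rp_filter ] && rp_filter_report || true
```

An interface such as the bridge that was created before the sysctl change keeps its own value, so it can still show `effective=1 (strict)` with `all` and `default` at 0; the per-interface key `net.ipv4.conf.<iface>.rp_filter` is the one that governs it.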
0

Generally the connection type should be NAT as far as I know. So in the settings from mouse right click on the particular VM you can change the network type.

PS: hiding a computer from ping in a local area network specifically is, I think, not possible. But it's worth a look.

Raja G
  • It is possible to hide computers from ICMP pings. You either disable the functionality in the kernel, or create firewall rules to block it. I have Xen and bhyve hosts in bridge mode, and they work well. – Rui F Ribeiro Feb 12 '17 at 09:44