Problem with Virtual Router

I need some help with a Virtual Router.
I downloaded the image - Vrouter Alpine - KVM. Created two virtual networks - and and connected it to the Virutal Router.
Then created two VMs each one connected to a different network.
But ping between VMs doesn’t work.
I want to see network configuration on Vrouter Alpine - KVM, but context parameters - USERNAME and CRYPTED_PASSWORD_BASE64 doesn’t work.
Can please help me?

Did you use and as network addresses? Take into account that those network addresses are not correct. You should use and instead.

Thank you for reply.
I mean that and there are IPs on the Virtual Route.
Networks of course are and
Do you have any ideas why it not work?

Maybe you don’t the VM routes properly configured.

I would try the following:

  1. Use the router IP for each network as GATEWAY in Virtual Networks configuration.
  2. Remove the default route set in Virtual Router. You can do it, for instance, with ip route del default in Start scriptof VM Context.
  3. Also in VM Context, you can set PASSWORD/<YOUR_PASSWD> as Name/Value in Custom vars. Doing that, you should be able to login with root/<YOUR_PASSWD>.

Hi. Thank you for reply.
I’ve done all, but ping between networks isn’t working.

  1. Gateway in each Virtual Network is IP the Virtual Router
  2. I’ve added start script to VM Context - ip route del default
  3. I’ve added a custom vars PASSWORD/<YOUR_PASSWD> as Name/Value, but i can’t login.
    I haven’t got any ideas


I am jumping here to just let you know guys that login will NOT work for the vrouter - it does not support full contextualization as a regular VM - so setting PASSWORD env. variable will not set the root password.

The idea behind it was that vrouter is a blackbox well enough integrated with the UI and there is no reason to actually log inside and tweak it. BUT I fully understand that enabling the full contextualization would so much help in a debugging session…

In your case - verify that your vnets are properly setup, e.g.:

on VM1 in do:
ip r

sample output: default via dev eth0

and verify that the default gateway ( is the ip which your vrouter has on that same network (e.g.: attached NIC0).

Then on VM2 in do the same:
ip r

sample output: default via dev eth0

and verify that its default gateway ( is the ip on your vrouter on the other network (e.g.: attached NIC1).

NOTE: the actual default gateway IPs can differ in your case - it depends on how you did set them in the relevant vnet…


Thank you for reply.
I very hope you help me.
So, I’ve created one more physical public network for checking work the Vitrual Router.
My physical public network, let it be, has gateway The first IP-address is, range 10.
I’ve created for this physical network Virtual Network in vlan 101:

BRIDGE = "onebr.101"
BRIDGE_TYPE = "linux"
DNS = ""
PHYDEV = "eth0"
VLAN_ID = "101"
VN_MAD = "802.1Q"

After that created a Vitrual Machine and attach the vitrual public network to it.
Everything is ok, my Vitrual Machine has access to Internet.

Then I created private networks - and first IPs in each one networks are: and Range 20.
These private Vitrual Networks working in Bridged network mode:

BRIDGE = "onebr39"
BRIDGE_TYPE = "linux"
PHYDEV = "eth0"
VLAN_ID = ""
VN_MAD = "bridge"

The main task have access to the Internet from the networks 172, 192.
For this I’m creating the Vitrual Router.
One network interface from the public network (without Force IP)
Other network interface from the private network 172 (with Force IP -

DISK_ID = "1",
  ETH0_DNS = "",
  ETH0_GATEWAY = "",
  ETH0_IP = "",
  ETH0_MASK = "",
  ETH0_NETWORK = "",
  ETH0_VLAN_ID = "101",
  ETH1_DNS = "",
  ETH1_GATEWAY = "",
  ETH1_IP = "",
  ETH1_MASK = "",
  ETH1_MTU = "",
  ETH1_NETWORK = "",
  ETH1_VLAN_ID = "",
  TARGET = "hda",
  VROUTER_ID = "28",
NIC = [
  AR_ID = "0",
  BRIDGE = "onebr.101",
  BRIDGE_TYPE = "linux",
  CLUSTER_ID = "0",
  IP = "",
  MODEL = "virtio",
  NAME = "NIC0",
  NETWORK = "public",
  NETWORK_ID = "37",
  NIC_ID = "0",
  PHYDEV = "eth0",
  TARGET = "one-405-0",
  VLAN_ID = "101",
  VN_MAD = "802.1Q" ]
NIC = [
  AR_ID = "0",
  BRIDGE = "onebr39",
  BRIDGE_TYPE = "linux",
  CLUSTER_ID = "0",
  IP = "",
  MODEL = "virtio",
  NAME = "NIC1",
  NETWORK = "172",
  NETWORK_ID = "39",
  NIC_ID = "1",
  PHYDEV = "eth0",
  TARGET = "one-405-1",
  VN_MAD = "bridge" ]
  MODEL = "virtio" ]

And finally I’m creating a VM in the network 172.
But here I get a failure. The VM hasn’t got access to the Internet.
But from the VMs I successfully ping a gateway with network 172 and successfully ping a public IP on the Vitrual Router -
Ping to the gateway for public network - is not successful

ip r on the VMs is:

dafaul via dev eth0 dev eth0 proto kernel scope link src

Maybe, do you have any decision?
Thank you.


so the first issue you had: two VMs on separate networks (vnets) connected via vrouter do not ping each other is now solved - right? VM1 pings VM2 and vice versa? Is that correct?

For the other issue: are you certain that your gateway is NOT dropping packets due to them being on a non-routable private non-public network ranges? In that case you need to have NAT. If you are certain that it cannot be the problem then because the vlan is involved I suspect that vlan tag is not set on that interface and it is ignored on the public network…not sure - it needs further debugging.

There is a way how to get inside the vrouter - passwordless login via ssh key… Prepare ssh key pair and insert the public key in the context tab like is described here:

then you can do:
apk update
apk add tcpdump
tcpdump -i eth0 -n -e -vvv icmp # or something similar

Now let VM1 or VM2 ping the public gateway and investigate if the packet is truly leaving the public interface on the vrouter and if it has vlan tag assigned (from the tcpdump output)

If it looks all ok then go to the public gateway and run tcpdump there (in the same way just adjust the interface) and look if you see the packets there arriving…

I am not sure if vrouter was tested with a vlan configuration, so I am just trying to point you to the right direction.

UPDATE: maybe my previous tcpdump example was not ideal ( so I would try it also like this:

tcpdump -i eth0 -n -e -vvv 'icmp or (vlan and icmp)' # or something similar


Thank you so much for reply.
You are right - the first issue is solved.

About the second problem.
I connected to the VR via ssh and installed tcpump.
On the VR i also added:

net.ipv4.ip_forward = 1

And rules for iptables:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

After that i got successful ping to my public gateway and the Internet.

Can I add settings for NAT via Start script or as Custom Vars?


glad to hear that your issue was solved! In the near future your use-case may be already covered and no need to setup these iptables rules manually :wink:

As for your question - I think the Start script is the right place - but because you are already inside the vrouter vm - you can just install iptables-persistent and do it the right way (alpine way) or via rc.local etc.

Many ways how to do that - pick what works for you.

That net.ipv4.ip_forward = 1 I think was not necessary - that is implied in the vrouter but if you want to have it there nonetheless - you can verify that it was not already set by sysctl -a | grep net.ipv4.ip_forward. If you still want to setup net.ipv4.conf.eth?.forwarding manually you can do that in /etc/sysctl.conf or a similar place.


I apologize, could you, please, tell me how can i create a VR between networks 172 and 192 in this scheme?
Снимок экрана в 2020-04-16 11-45-39

The problem is that default gateway in the network already uses in the Virtual Router 48. So when i’m creating a new Virtual Router for networks 172 and 192 i should add force ip, but ip the dafault gateway uses on the VR48.
For the network 198 the same situation.


hmm, I am not certain what am I looking at - why do you have two vrouters and each with only one attached NIC/network - why don’t you just have one vrouter with two interfaces which connects these two subnets?

UPDATE: ok, sorry, I see now you have there that public network on each of those vrouters…

In that case you just add to each of those vrouters that other network/NIC - default gateway will be different for each subnet but that is not a problem - it will just add a new route to each vrouter so they will know how to route traffic between those private networks.

Does it work like that?


Hello @osp,
I have a similar issue. I have use the VR image “Service Virtual Router” which I have downloaded from the opennebula app.
I have two VNetwork “Vnet NEW-VN-Private” and “VNet Private-Vnet-188.40” . The first VNetwork has network of and other one has network. These both VNetwork are attached to different KVM node. In the first KVM node there is also VNetwork for the public IP. So how can I get access in these two different Vnetwork VM through the private IP? How can I add the route to this VR template? Can you guide on this issue.

Why it is also giving this Error “Error allocating a virtual route” while creating a VR?

Here is my vrouter details from frontend.

$onevrouter show 13

ID : 13
USER : oneadmin
GROUP : oneadmin
LOCK : None

OWNER : um-

0 Private-VNet-188.40. YES -




sorry for late reply. Do your vnets have correct default gateways?

E.g. your first vnet: will have gw and that IP will be assigned to vrouter.

In such case VM1 should route everything over this default gw and vrouter should be able to forward the traffic.

It would be more helpful to me if you could show the output of the following commands from all VMs including vrouter:

  • ip a
  • ip r

And on VM1:

  • ip r g <ip of VM2>

And on VM2:

  • ip r g <ip of VM1>

I don’t know from where exactly is that error coming from which you are getting - is that from virtual console, sunstone, oned log?

You must either setup vnet without the gw and at the same time setup the default gw per VM by some other means - OR better - set gw for the vnet and configure vrouter in such way that it gets those IPs (vrouter must own the gw IPs).

NOTE: to get inside the vrouter - setup SSH key in the context and use that instead of PASSWORD.

Let me know what you have found


Hello @osp , can you suggest any document. As I am not able to find proper document for the VR. As I have to make reachable the connection between two private Vnetwork which are in two different KVM node. As show in the diagram below. I need to make a connection between VM1 and VM2 through private network.


there is the documentation of the appiance itself: Virtual Network Functions (VNF) and Virtual Router — OpenNebula Appliances 1.0 documentation

There is small vrouter doc on the official OpenNebula docs: Virtual Routers — OpenNebula 6.0.2 documentation

And I recommend to read also: Virtual Networks — OpenNebula 6.0.2 documentation

I fail to see anything special in your example which would prevent the routing between VM1 and VM2.

I think that you just have wrongly setup default gw in your vnets and/or your vrouter has assigned wrong addresses.

This scenario from the picture is the basic use-case which should definitively work.

When you are instantiating the vrouter you must add two interfaces for each vnet and force on each of this new interface an ip which will match the particular vnet’s gateway:

That means - if your vnet1 has GATEWAY= then vrouter must have forced the same IP on the NIC of this vnet. And the same goes for the vnet2.

You still did not give me the output of those commands so I cannot further help you in any meaningful way.