Problem with Virtual Router

Hi.
I need some help with a Virtual Router.
I downloaded the image - Vrouter Alpine - KVM. Created two virtual networks - 192.168.10.10/24 and 172.16.10.10/24 and connected them to the Virtual Router.
Then created two VMs each one connected to a different network.
But ping between VMs doesn’t work.
I want to see the network configuration on Vrouter Alpine - KVM, but the context parameters - USERNAME and CRYPTED_PASSWORD_BASE64 don’t work.
Can you please help me?

Did you use 192.168.10.10/24 and 172.16.10.10/24 as network addresses? Take into account that those network addresses are not correct. You should use 192.168.10.0/24 and 172.16.10.0/24 instead.

Hello.
Thank you for the reply.
I mean that 192.168.10.10/24 and 172.16.10.10/24 are the IPs on the Virtual Router.
Networks of course are 192.168.10.0/24 and 172.16.10.0/24.
Do you have any ideas why it does not work?

Maybe you don’t have the VM routes properly configured.

I would try the following:

  1. Use the router IP for each network as GATEWAY in Virtual Networks configuration.
  2. Remove the default route set in Virtual Router. You can do it, for instance, with ip route del default in the Start script of VM Context.
  3. Also in VM Context, you can set PASSWORD/<YOUR_PASSWD> as Name/Value in Custom vars. Doing that, you should be able to log in with root/<YOUR_PASSWD>.

Hi. Thank you for the reply.
I’ve done all, but ping between networks isn’t working.

  1. Gateway in each Virtual Network is the IP of the Virtual Router
  2. I’ve added a start script to VM Context - ip route del default
  3. I’ve added a custom var PASSWORD/<YOUR_PASSWD> as Name/Value, but I can’t log in.
    I haven’t got any ideas

Hi,

I am jumping here to just let you know guys that login will NOT work for the vrouter - it does not support full contextualization as a regular VM - so setting PASSWORD env. variable will not set the root password.

The idea behind it was that vrouter is a blackbox well enough integrated with the UI and there is no reason to actually log inside and tweak it. BUT I fully understand that enabling the full contextualization would so much help in a debugging session…

In your case - verify that your vnets are properly setup, e.g.:

on VM1 in 192.168.10.0/24 do:
ip r

sample output: default via 192.168.10.1 dev eth0

and verify that the default gateway (192.168.10.1) is the ip which your vrouter has on that same network (e.g.: attached NIC0).

Then on VM2 in 172.16.10.0/24 do the same:
ip r

sample output: default via 172.16.10.1 dev eth0

and verify that its default gateway (172.16.10.1) is the ip on your vrouter on the other network (e.g.: attached NIC1).

NOTE: the actual default gateway IPs can differ in your case - it depends on how you did set them in the relevant vnet…

-osp-

Hi.
Thank you for the reply.
I really hope you can help me.
So, I’ve created one more physical public network for checking the work of the Virtual Router.
My physical public network, let it be 100.100.100.0/24, has gateway 100.100.100.1. The first IP address is 100.100.100.10, range 10.
I’ve created a Virtual Network in vlan 101 for this physical network:

BRIDGE = "onebr.101"
BRIDGE_TYPE = "linux"
DNS = "1.1.1.1"
FILTER_IP_SPOOFING = "YES"
FILTER_MAC_SPOOFING = "YES"
GATEWAY = "100.100.100.1"
NETWORK_ADDRESS = "100.100.100.0"
NETWORK_MASK = "255.255.255.0"
OUTER_VLAN_ID = ""
PHYDEV = "eth0"
SECURITY_GROUPS = "0"
VLAN_ID = "101"
VN_MAD = "802.1Q"

After that I created a Virtual Machine and attached the virtual public network to it.
Everything is OK, my Virtual Machine has access to the Internet.

Then I created private networks - 192.168.10.0/24 and 172.16.10.0/24. The first IPs in each of the networks are: 192.168.10.10 and 172.16.10.10. Range 20.
These private Virtual Networks work in Bridged network mode:

BRIDGE = "onebr39"
BRIDGE_TYPE = "linux"
GATEWAY = "172.16.10.10"
NETWORK_ADDRESS = "172.16.10.0"
NETWORK_MASK = "255.255.255.0"
OUTER_VLAN_ID = ""
PHYDEV = "eth0"
SECURITY_GROUPS = "0"
VLAN_ID = ""
VN_MAD = "bridge"

The main task is to have access to the Internet from the networks 172, 192.
For this I’m creating the Virtual Router.
One network interface from the public network (without Force IP).
The other network interface from the private network 172 (with Force IP - 172.16.10.10).

DISK_ID = "1",
  ETH0_CONTEXT_FORCE_IPV4 = "",
  ETH0_DNS = "1.1.1.1",
  ETH0_EXTERNAL = "",
  ETH0_GATEWAY = "100.100.100.1",
  ETH0_IP = "100.100.100.11",
  ETH0_MASK = "255.255.255.0",
  ETH0_NETWORK = "100.100.100.0",
  ETH0_VLAN_ID = "101",
  ETH0_VROUTER_MANAGEMENT = "",
  ETH1_CONTEXT_FORCE_IPV4 = "",
  ETH1_DNS = "",
  ETH1_EXTERNAL = "",
  ETH1_GATEWAY = "172.16.10.10",
  ETH1_IP = "172.16.10.10",
  ETH1_MASK = "255.255.255.0",
  ETH1_MTU = "",
  ETH1_NETWORK = "172.16.10.0",
  ETH1_SEARCH_DOMAIN = "",
  ETH1_VLAN_ID = "",
  ETH1_VROUTER_MANAGEMENT = "",
  NETWORK = "YES",
  TARGET = "hda",
  VROUTER_ID = "28",
  VROUTER_KEEPALIVED_ID = "28" ]
NIC = [
  AR_ID = "0",
  BRIDGE = "onebr.101",
  BRIDGE_TYPE = "linux",
  CLUSTER_ID = "0",
  FILTER_IP_SPOOFING = "YES",
  FILTER_MAC_SPOOFING = "YES",
  IP = "100.100.10.11",
  MODEL = "virtio",
  NAME = "NIC0",
  NETWORK = "public",
  NETWORK_ID = "37",
  NIC_ID = "0",
  PHYDEV = "eth0",
  SECURITY_GROUPS = "0",
  TARGET = "one-405-0",
  VLAN_ID = "101",
  VN_MAD = "802.1Q" ]
NIC = [
  AR_ID = "0",
  BRIDGE = "onebr39",
  BRIDGE_TYPE = "linux",
  CLUSTER_ID = "0",
  IP = "172.16.10.10",
  MODEL = "virtio",
  NAME = "NIC1",
  NETWORK = "172",
  NETWORK_ID = "39",
  NIC_ID = "1",
  PHYDEV = "eth0",
  SECURITY_GROUPS = "0",
  TARGET = "one-405-1",
  VN_MAD = "bridge" ]
NIC_DEFAULT = [
  MODEL = "virtio" ]

And finally I’m creating a VM in the network 172.
But here I get a failure. The VM hasn’t got access to the Internet.
But from the VMs I successfully ping the gateway of network 172 and successfully ping the public IP on the Virtual Router - 100.100.100.11.
Ping to the gateway of the public network - 100.100.100.1 is not successful.

ip r on the VMs is:

default via 172.16.10.10 dev eth0
172.16.10.0/24 dev eth0 proto kernel scope link src 172.16.10.11

Do you maybe have a solution?
Thank you.

Hi,

so the first issue you had: two VMs on separate networks (vnets) connected via vrouter do not ping each other is now solved - right? VM1 pings VM2 and vice versa? Is that correct?

For the other issue: are you certain that your gateway 100.100.100.1 is NOT dropping packets due to them being on non-routable private non-public network ranges? In that case you need to have NAT. If you are certain that it cannot be the problem then because the vlan is involved I suspect that the vlan tag is not set on that interface and it is ignored on the public network…not sure - it needs further debugging.

There is a way to get inside the vrouter - passwordless login via ssh key… Prepare an ssh key pair and insert the public key in the context tab as described here: https://docs.opennebula.io/appliances/service/wordpress.html#ssh-keys

then you can do:
apk update
apk add tcpdump
tcpdump -i eth0 -n -e -vvv icmp # or something similar

Now let VM1 or VM2 ping the public gateway 100.100.100.1 and investigate if the packet is truly leaving the public interface on the vrouter and if it has vlan tag assigned (from the tcpdump output)

If it looks all ok then go to the public gateway and run tcpdump there (in the same way just adjust the interface) and look if you see the packets there arriving…

I am not sure if vrouter was tested with a vlan configuration, so I am just trying to point you to the right direction.

UPDATE: maybe my previous tcpdump example was not ideal (https://christian-rossow.de/articles/tcpdump_filter_mixed_tagged_and_untagged_VLAN_traffic.php) so I would try it also like this:

tcpdump -i eth0 -n -e -vvv 'icmp or (vlan and icmp)' # or something similar

-osp-
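
The check described in the post above, as an added example (not part of the original thread): a filter that reads tcpdump -n -e text and reports, for each ICMP echo request, whether the frame carried an 802.1Q tag and whether its source address is still private, meaning no NAT was applied before it left the interface. The function names and the sample capture lines (MACs, timestamps, ids) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The capture lines below are constructed.
sample_capture() {
cat <<'EOF'
10:15:01.000001 02:00:ac:10:0a:0a > 02:00:64:64:64:01, ethertype IPv4 (0x0800), length 98: 172.16.10.11 > 100.100.100.1: ICMP echo request, id 7, seq 1, length 64
10:15:02.000001 02:00:ac:10:0a:0a > 02:00:64:64:64:01, ethertype 802.1Q (0x8100), length 102: vlan 101, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 63, id 4660, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.10.11 > 100.100.100.1: ICMP echo request, id 7, seq 2, length 64
10:15:03.000001 02:00:ac:10:0a:0a > 02:00:64:64:64:01, ethertype IPv4 (0x0800), length 98: 100.100.100.11 > 100.100.100.1: ICMP echo request, id 7, seq 3, length 64
EOF
}

# Reads tcpdump -n -e text on stdin and prints "<tag> <source IP> <class>"
# for every ICMP echo request it finds.
classify_icmp() {
    awk '
    /ethertype/ {                 # link-level header line: a new frame starts
        tag = "untagged"
        if (match($0, /vlan [0-9]+/))
            tag = "vlan=" substr($0, RSTART + 5, RLENGTH - 5)
    }
    /ICMP echo request/ {         # same line, or the next one with -v/-vvv
        if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ > /)) next
        src = substr($0, RSTART, RLENGTH - 3)
        split(src, o, ".")
        a = o[1] + 0; b = o[2] + 0
        # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
        private = (a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168))
        print tag, src, (private ? "private-src" : "public-src")
    }'
}

sample_capture | classify_icmp
```

A private-src line seen on the public interface means the packet left without NAT; on a live interface the same filter can be fed with tcpdump -i eth0 -n -e -l 'icmp or (vlan and icmp)' | classify_icmp.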

Hi.
Thank you so much for reply.
You are right - the first issue is solved.

About the second problem.
I connected to the VR via ssh and installed tcpdump.
On the VR I also added:

net.ipv4.ip_forward = 1

And rules for iptables:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

After that I got a successful ping to my public gateway and the Internet.

Can I add settings for NAT via Start script or as Custom Vars?

Hi,

glad to hear that your issue was solved! In the near future your use-case may be already covered and no need to setup these iptables rules manually :wink:

As for your question - I think the Start script is the right place - but because you are already inside the vrouter vm - you can just install iptables-persistent and do it the right way (alpine way) or via rc.local etc.

Many ways how to do that - pick what works for you.

That net.ipv4.ip_forward = 1 I think was not necessary - that is implied in the vrouter but if you want to have it there nonetheless - you can verify that it was not already set by sysctl -a | grep net.ipv4.ip_forward. If you still want to setup net.ipv4.conf.eth?.forwarding manually you can do that in /etc/sysctl.conf or a similar place.

-osp-
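
One way to carry the rules from this thread in a Start script so that re-running it does not stack duplicate rules, as an added example (not code from the thread or from the OpenNebula project). It assumes eth0 is the public NIC and eth1 the private one, as in the configuration posted above; the function names and the WAN_IF/LAN_IF variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth0 = public, eth1 = private.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Append a rule only if an identical one is not already present.
# $1 = table, remaining arguments = chain followed by the rule spec.
ensure_rule() {
    table="$1"; shift
    if iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0                      # rule exists, nothing to do
    fi
    iptables -t "$table" -A "$@"
}

apply_nat() {
    # Forwarding is normally already on in the vrouter; set it only if it is not.
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ] ||
        sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # Same three rules as posted in the thread.
    ensure_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

# Touch the firewall only when asked to: sh nat.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_nat
fi
```

When pasted into a Start script, which runs without arguments, replace the final argument check with a plain apply_nat call.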

Hi.
I apologize, could you please tell me how I can create a VR between networks 172 and 192 in this scheme?
Screenshot at 2020-04-16 11-45-39

The problem is that the default gateway in the network 172.16.10.1 is already used in Virtual Router 48. So when I’m creating a new Virtual Router for networks 172 and 192 I should add a force IP, but the IP of the default gateway is used on VR48.
For the network 198 it is the same situation.

Hi,

hmm, I am not certain what am I looking at - why do you have two vrouters and each with only one attached NIC/network - why don’t you just have one vrouter with two interfaces which connects these two subnets?

UPDATE: ok, sorry, I see now you have there that public network on each of those vrouters…

In that case you just add to each of those vrouters that other network/NIC - default gateway will be different for each subnet but that is not a problem - it will just add a new route to each vrouter so they will know how to route traffic between those private networks.

Does it work like that?

-osp-

Hi,
I also have the same kind of problem, my router is not giving a signal

Hello, I am also facing the same issue so please help me to get the best solution