:: Re: [DNG] Can't ping outside of my …
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Mario Marietto
Date:  
CC: dng
Sujet: Re: [DNG] Can't ping outside of my network after having configured a tun tap device
---> The only reason you can't ping 8.8.8.8 even from the host system is
messy routes

I realized that I can ping 8.8.8 from the host os,but only if the guest os
(freebsd) does not start. Before to start it,I have the following ip route
situation :

# iptables -t nat -A POSTROUTING -o wlx98ded00b7106 -j MASQUERADE

# ip route
default via 192.168.1.1 dev wlx98ded00b7106 proto dhcp src 192.168.1.6
metric 600
192.168.1.0/24 dev wlx98ded00b7106 proto kernel scope link src 192.168.1.6
metric 600

(I have changed wi-fi adapter,now I'm using a realtek)

when the freebsd vm starts,the route situation change like this one :

# ip route

0.0.0.0 dev tap0 scope link
default dev tap0 scope link
default via 192.168.1.1 dev wlx98ded00b7106 proto dhcp src 192.168.1.6
metric 600
169.254.0.0/16 dev tap0 proto kernel scope link src 169.254.192.128
192.168.1.0/24 dev wlx98ded00b7106 proto kernel scope link src 192.168.1.6
metric 600

Now what should I do ? following your suggestion,I have removed these
routes :

ip route del default dev tap0 scope link
ip route del 0.0.0.0 dev tap0 scope link

Since I haven't created any tap0,the first one hasn't been deleted,but the
second one has. Now this is the situation :

# ip route

default dev tap0 scope link
default via 192.168.1.1 dev wlx98ded00b7106 proto dhcp src 192.168.1.6
metric 600
169.254.0.0/16 dev tap0 proto kernel scope link src 169.254.192.128
192.168.1.0/24 dev wlx98ded00b7106 proto kernel scope link src 192.168.1.6
metric 600

the result is that I can't ping google.com inside the vm and even on the
host os. So,I presume that I should create the tap0 interface if I want to
delete it later.

On Fri, Oct 6, 2023 at 7:03 PM Axy via Dng <dng@???> wrote:

> Okay, let me try to explain (Friday is the excuse)
>
> I know nothing about qemu-kvm-libvirt, but at a glance it should
> facilitate networking a lot, but I don't know how. Let's turn to the
> basics instead.
>
> If you chose tap, which afaik is a way to handle ethernet frames in
> userspace, the handler could be any userspace process (e.g.
> qemu-kvm-libvirt). So your tap0 is actually one end of the wire. The
> opposite end is somewhere in qemu-kvm-libvirt (again, I know nothing
> about it, I'm an LXC user) and to reach that end you need the following
> route on your host system:
>
>
> ip route add 192.168.99.0/24 dev tap0
>
> So if you ping some IP address in 192.168.99.0networkfrom the host
> system, packets will be routed to your virtualized system and if it has
> that IP address it will respond. Of course that system should have the
> default route back to 192.168.99.1
>
> Same in LXC, where we use veth, which is a pair of linked interfaces:
> one is on the host system, another is assigned to the container .
>
> You do not need a bridge interface.
>
> Once again:
>
> You do not need a bridge interface. In this configuration packets come
> from a virtualized system and go through NAT to mlan0. Your NAT rule
>
> iptables -t nat -A POSTROUTING -o mlan0 -j MASQUERADE
>
> looks correct.
>
> The only reason you can't ping 8.8.8.8 even from the host system is
> messy routes. Assuming your mlan0 is the way to the Internet, the only
> default route should be:
>
> default via 192.168.1.1 dev mlan0
>
> With these ones
>
> 0.0.0.0 dev tap0 scope link
>
> default dev tap0 scope link
>
> packets will be directed to the wrong interface and embarrass your
> virtualized system. Drop these routes.
>
> You would need a bridge if you wanted your host system and virtualized
> system to be on the same ethernet network (domain, segment,...) However,
> bear in mind: wifi interfaces in client mode cannot be bridged. In
> access point mode that does work, but does not work in client mode. Only
> wired interfaces can be freely bridged.
>
> Axy
>
> On 10/6/23 13:37, Mario Marietto via Dng wrote:
> > As long as I don't have any routing rules in my home network (static
> > or done by routing protocols such as OSPF or RIP), my KVM server will
> > be the only host in my network that knows how to reach 192.168.20.0/24
> > <http://192.168.20.0/24> (because it has 192.168.20.1 itself). That
> > means, my VMs will not be able to reach any other network. The
> > simplest approach to get this to work is to do NAT for /outgoing/
> > traffic. Now this kind of NAT is an SNAT, not a DNAT. While classic
> > SNAT is a one-to-one-mapping, MASQUERADE simply means "replace every
> > source IP with the IP on the outgoing interface".
> >
> > On Fri, Oct 6, 2023 at 8:51 AM Mario Marietto <marietto2008@???>
> > wrote:
> >
> >     Thanks.

> >
> >     so,maybe this is the solution :

> >
> >     |# iptables -t nat -A POSTROUTING -o mlan0 -j DNAT # ip tuntap add
> >     tap0 mode tap # ip link set dev tap0 up # ifconfig tap0
> >     192.168.99.1/24 <http://192.168.99.1/24> # echo 1 >
> >     /proc/sys/net/ipv4/ip_forward|

> >
> >
> >     iptables v1.8.9 (nf_tables): DNAT: option "--to-destination" must
> >     be specified

> >
> >     What could be the destination ? thanks.

> >
> >     On Fri, Oct 6, 2023 at 1:44 AM Gregory Nowak <greg@???> wrote:

> >
> >         On Thu, Oct 05, 2023 at 02:20:47PM +0200, Mario Marietto via
> >         Dng wrote:
> >         > I'm trying to set up a bridge on Linux Devuan 5 (host os)
> >         with the
> >         > goal to give the connectivity to FreeBSD 13.2,that I have
> >         virtualized
> >         > with qemu-kvm-libvirt.

> >
> >         If you're trying to setup a bridge, then you're going about it
> the
> >         wrong way.. You'd set that up in /etc/network/interfaces, or
> >         in a file
> >         under /etc/network/interfaces.d where you bridge your mlan0 to
> >         your
> >         tap0. This is more involved when using wifi, but it can be
> >         done. See
> >         man interfaces, the bridge-utils package, and the wpasupplicant
> >         package. You mentioned
> >         you're using network manager. If so, then you will probably
> >         want to
> >         dump network manager if you go this route.

> >
> >         > on Devuan I did :
> >         >
> >         > # iptables -t nat -A POSTROUTING -o mlan0 -j MASQUERADE

> >
> >         If you want to keep going the way you are, then I think you
> >         want the
> >         DNAT target, not MASQUERADE.

> >
> >         Greg

> >
> >
> >         --
> >         web site: http://www.gregn.net
> >         gpg public key: http://www.gregn.net/pubkey.asc
> >         skype: gregn1
> >         (authorization required, add me to your contacts list first)
> >         If we haven't been in touch before, e-mail me before adding me
> >         to your contacts.

> >
> >         --
> >         Free domains: http://www.eu.org/ or mail dns-manager@???

> >
> >
> >
> >     --
> >     Mario.

> >
> >
> >
> > --
> > Mario.
> >
> > _______________________________________________
> > Dng mailing list
> > Dng@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>



--
Mario.