
I have two servers in play here: one is a QEMU VM host, the other a storage box of sorts.

They are Hetzner machines, and I have them connected via a vSwitch.

Server1 vSwitch interface:

    3: local@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 10:7b:44:b1:5b:7d brd ff:ff:ff:ff:ff:ff
        inet 192.168.100.1/24 brd 192.168.100.255 scope global local
           valid_lft forever preferred_lft forever

Server1(VM host) ip route:

    default via <redacted-public-ip> dev eth0 proto static metric 100
    <redacted-public-ip> dev eth0 proto static scope link metric 100
    192.168.10.0/24 dev virbr0 proto kernel scope link src 192.168.10.254 metric 425   <-- virbr0 network
    192.168.10.253 via 192.168.100.2 dev local                                          <-- srv02 IP to fit in virbr0 net space

Server2 vSwitch interface:

    3: local@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default qlen 1000
        link/ether 08:60:6e:44:d6:2a brd ff:ff:ff:ff:ff:ff
        inet 192.168.100.2/24 brd 192.168.100.255 scope global local
           valid_lft forever preferred_lft forever
        inet 192.168.10.253/24 brd 192.168.10.255 scope global local
           valid_lft forever preferred_lft forever

Server2 ip route:

    default via <redacted-public-ip> dev eth0 proto static metric 100
    <redacted-public-ip> dev eth0 proto static scope link metric 100
    192.168.10.0/24 dev local proto kernel scope link src 192.168.10.253   <-- to access virbr0 via vSwitch

I have the routes set up correctly, I guess, since everything works a-OK with the firewalld service off.

However, if I turn it on, the issues start.

These are the firewall zones on Server1 (on which, when I disable firewalld, everything works):

    libvirt (active)
      target: ACCEPT
      icmp-block-inversion: no
      interfaces: virbr0
      sources:
      services: dhcp dhcpv6 dns ssh tftp
      ports:
      protocols: icmp ipv6-icmp
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
            rule priority="32767" reject

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0 local
      sources:
      services: cockpit dhcpv6-client ssh
      ports:
      protocols:
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

I have tried turning on masquerade on each of those, and on both at the same time, to no avail. I am "testing" this with a simple ping from Server2 toward one of the VMs on virbr0.

Is there anything obvious that I am missing here?

Thank you all in advance.

1 Answer


I have managed to resolve this using the following two rules on the QEMU host:

    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o local -i virbr0 -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o virbr0 -i local -j ACCEPT
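The two direct rules above accept every forwarded packet between the vSwitch interface and the VM bridge in both directions, so any host on either side can reach any host and port on the other. As an added example (not from the answer or from firewalld itself), the script below parses output in the format of `firewall-cmd --direct --get-all-rules` and flags FORWARD ACCEPT rules that match on interfaces only; the third sample line, with a source, destination and protocol restriction, is a constructed rule showing the narrower form that is not flagged.

```python
import shlex
from dataclasses import dataclass

# Constructed sample in the format printed by `firewall-cmd --direct --get-all-rules`:
# the two rules from the answer above plus a hypothetical narrower rule for contrast.
SAMPLE_DIRECT_RULES = """\
ipv4 filter FORWARD 0 -o local -i virbr0 -j ACCEPT
ipv4 filter FORWARD 0 -o virbr0 -i local -j ACCEPT
ipv4 filter FORWARD 1 -i local -o virbr0 -s 192.168.10.253 -d 192.168.10.0/24 -p icmp -j ACCEPT
"""

# iptables match options that narrow a rule beyond "which interface did the packet use"
SCOPING_FLAGS = {"-s", "--source", "-d", "--destination", "-p", "--protocol", "--ctstate"}


@dataclass
class DirectRule:
    ipv: str        # ipv4 / ipv6 / eb
    table: str      # filter / nat / mangle ...
    chain: str      # INPUT / FORWARD / ...
    priority: int
    args: list      # the raw iptables arguments that follow the priority


def parse_direct_rules(text: str) -> list:
    """Parse `firewall-cmd --direct --get-all-rules` output into DirectRule objects."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        parts = shlex.split(line)
        if len(parts) < 4:
            raise ValueError(f"malformed direct rule: {line!r}")
        rules.append(DirectRule(parts[0], parts[1], parts[2], int(parts[3]), parts[4:]))
    return rules


def option_value(args: list, *flags: str):
    """Return the value following the first of `flags` present in args, else None."""
    for i, token in enumerate(args[:-1]):
        if token in flags:
            return args[i + 1]
    return None


def unscoped_forward_accepts(rules: list) -> list:
    """FORWARD ACCEPT rules that match only on interfaces: every host on either side
    may reach every host and port on the other side, not just the one intended flow."""
    return [
        r for r in rules
        if r.chain == "FORWARD"
        and option_value(r.args, "-j", "--jump") == "ACCEPT"
        and not SCOPING_FLAGS.intersection(r.args)
    ]
```

Run it against the live output of `firewall-cmd --direct --get-all-rules` to list rules worth narrowing with `-s`, `-d`, `-p` or a conntrack state match.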
