On 7/23/20 6:14 PM, Rui Correia wrote:>
>
> On Thu, Jul 23, 2020 at 10:36 PM Rui Correia <rdscorreia74@gmail.com
> <mailto:rdscorreia74@gmail.com>> wrote:
>
>
> Thanks for the headsup. I'll ask the Manjaro guys about the nft.
> Hopefully they'll know if nft is installed and running.
>
> Well, that was fast.
> I've asked the guys and they told me Manjaro KDE doesn't come with
'nft'
> installed by default.
> Then I searched the installed packages by nft and the only thing
> installed is the libnftnl package which seems to be related to nft but
> not nft itself.
> So, I guess my system only has firewall iptables and ufw installed.
> Hope this helps. I could run wireshark but I wouldn't know what to look
for.
> Any tips?
>
Back in your original message, you said this:
On 7/19/20 6:54 AM, Rui Correia wrote:> The host can ping the Debian VM and the Debian VM can ping the host but
> the Debian VM cannot ping the router 10.0.0.1 or any ip address on the
internet.
But in a later message you say this:
On 7/23/20 10:34 AM, Rui Correia wrote:
> But, for testing purposes (trying to reach the VM's from the KVM host)
> I don't need those static routes, right? Because right now I'd be
ok
> if I could reach the VM's from the KVM host and right now I can't.
So which is correct?
> <forward dev="wlo1" mode="route">
> <interface dev="wlo1"/>
> </forward>
It will probably make no difference (unless traffic leaving your "KVM
Host" isn't actually using the interface named "wlo1", and in
that case
it makes *all* the difference!), but I would change this to simply:
<forward mode='route'/>
The purpose of the "forward dev" is commonly misunderstood as having
something to do with routine, but it doesn't - it only serves to add an
iptables rule that will block traffic if it's coming from or going to
any interface other than (in this case) "wlo1". ie. it's a
security
knob, not a routing knob; if you're not concerned about rogue guests
then at best it's just creating extra overhead for each packet, and at
worst it could be blocking traffic if it's misconfigured.
As for checking with wireshark/tcpdump, mainly the intent is just to
see, when you send a packet from one end or the other, whether a
corresponding packet shows up in the output of wireshark/tcpdump. As an
example, let's say that you are trying to ping (from your original
diagram) "desktop manjaro" (10.0.0.11) from "debian 10 VM"
(10.2.2.10).
First start a ping in a shell on debian 10 VM", then run a command like
(as root) this on the KVM Host:
tcpdump -i virbr2 -n host 10.2.2.10
You should at least see one icmp "echo request" packet for each ping
that is sent. You might even see an icmp response (and if so, hopefully
is is an icmp echo reply, rather than destination unreachable or
something like that).
If you see the outbound icmp echo request and an echo reply, then the
problem is on your host or in the guest. If you see an echo request but
no echo reply, then look at the next step out - wlo1 interface on the
KVM host:
tcpdump -i wlo1 -n host 10.2.2.10
You should still see the outbound echo request. If not, then again your
problem is on the KVM host. If you see the echo request, but no reply,
then you need to go look on "manjaro desktop". Run the same tcpdump
command there (as root), but replace "wlo1" with whatever is the name
of
the ethernet device on that host connecting it to the network.
At this point you may see an echo request *and* an outgoing echo
response, but not see that response back at the KVM host. That's when
you'll want to rerun tcpdump telling it to display the MAC address of
the packets:
tcpdump -i <whatever-interface-name> -e -n host 10.2.2.10
Now you can look at the MAC address in the tcpdump output - it should
contain the MAC of the KVM host, *not* the MAC of your router. If it has
the MAC of your router, then you haven't added a routing table entry to
the manjaro desktop's network config. Do that.
(or, possibly you just want to add a route to the router. That will
work, but will result it a lot of duplicated traffic and ICMP redirect
packets from the router to the manjaro desktop).
Anyway, there are many paths this can take, but that gives you an idea
of how to use tcpdump. (you could do the same thing with wireshark, it's
just a lot more overhead and lots of info when you really need very
little (and also requires that wireshark be installed and a desktop
session open, on all the machines involved).