Routing via bridged interface? (solved)

[H.Z.]

I have a linux guest (vm1 - debian squeeze, x64) on a windows7 home premium with two NICs:
eth0: bridged (172.26.0.1/16) - physical interface is the windows's wifi adapter
eth1: internal network (named intnet1) 192.168.1.1/24

The router runs Tomato fw.
On the router I've set 172.26.0.1 as gateway to subnet 192.168.1.0/24:
route add -net 192.168.1.0/24 gw 172.26.0.1

The router can access the vm at 172.26.0.1, but can't at 192.168.1.1...

But... if I start a new vm (vm2) which have only a bridged adapter, and set vm1 as router to subnet 192.168.1.0, then I can ping 192.168.1.1 and... after pinging from vm2, I can ping 192.168.1.1 from the router too... Hmmm??? Any idea, what is it?

[noteirak]

Internal network is, as explained into the user manual and by the name itself, an internal network to Virtualbox, only accessable by the VMs.
So if you setup a VM being a link between the Internal network and your router, yes you will be able to see it from outside, but it also defies the point of Internal Network

More info here

[H.Z.]

Internal network is, as explained into the user manual and by the name itself, an internal network to Virtualbox, only accessable by the VMs.
So if you setup a VM being a link between the Internal network and your router, yes you will be able to see it from outside, but it also defies the point of Internal Network

More info here

I'm afraid, you don't understand me...
I'd like to use vm1 as a router to internal network. (Yes, I know what is "internal network". I want to simulate a real network, with firewall, router, DNS, DHCP etc)
Internal network is perfect for this purpose, because only vm1 can access it.
If I use the same config on a linux host instead of win7, it works without any problems.
But currently I must use win7, and I have no idea, what's wrong with it.

ps: I don't want to use any workaround - for example host only interfaces, and use win7 as router etc...

[BillG]

That should work fine as long as you configure it correctly. I have no idea why you thing the static route you added will work.

The "public" or outer NIC of the router vm should have your Internet router as its gateway if you are using bridged mode (the same as the host itself). The private or inner NIC is the gateway for the private LAN on the internal network.

Internet
|
DSL router
|
bridged NIC
IP in physical LAN subnet (same subnet as host OS and same gateway)
router vm
internal NIC
192.168.1.254 dg blank
|
other vms
192.168.1.x dg 192.168.1.254

[H.Z.]

That should work fine as long as you configure it correctly. I have no idea why you thing the static route you added will work.

Because I can see the icmp packets on the bridged interface with tcpdump, running on vm1.

Current setup:
(br0 = LAN, some addresses were changed since I started this topic)

root@router:/tmp/home/root# route add -net 192.168.2.0/24 gw 172.26.1.141
root@router:/tmp/home/root# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
x.x.x.x         *               255.255.255.255 UH    0      0        0 ppp0
192.168.2.0     172.26.1.141    255.255.255.0   UG    0      0        0 br0
172.26.0.0      *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         xxxxxxxxxxxxxxx 0.0.0.0         UG    0      0        0 ppp0

If I start tcpdump on vm1 (current IP 172.26.1.141), or run a wireshark on the host (current IP 172.26.1.xxx), I see all incoming packets addressed to 192.168.2.xxx, but nobody answers them...

Plus... If I start a new vm (vm2 IP=192.168.2.22) which has no access to LAN directly, but can access it via vm1, then...
First I try to ping 192.168.2.22 from the router (172.26.1.1) - no answer
Next on vm2: ping 172.26.1.1 - it's working
Next I try again "ping 192.168.2.22" at the router and... yes, it's working too...
Hmmm... WTF???
And I can't ping 192.168.2.1 (which is vm1's internal interface - alias eth1)

[noteirak]

After re-reading this conversation, I can only conclude this is purely a configuration issue, and not a virtualbox issue since you actually can manage to ping both your guests, under certain conditions that are not related to Virtualbox.

As for your issue directly, I can only think that you've miss-configured something or have some iptables rules that prevent some traffic (icmp typically) unless first initiated from your internal network.

Did you try anything else except ping? maybe try to connect via SSH to both your guests using the internal network IPs?

[H.Z.]

As for your issue directly, I can only think that you've miss-configured something or have some iptables rules that prevent some traffic (icmp typically) unless first initiated from your internal network.

Did you try anything else except ping? maybe try to connect via SSH to both your guests using the internal network IPs?

The virtual machines are newly installed debian servers. I've changed only ip_forward value (0->1), and the interface settings.
No netfilter rules (all policies are ACCEPT) and no other software which can cause this.
And I tell you again: the same config was run without problems on a linux host!

I think, the windows or the virtualbox network driver do something wrong... (I've tried to disable windows firewall, but it didn't help)
Tomorrow I will try it with vmware player.

[noteirak]

Did you try anything else except ping? maybe try to connect via SSH to both your guests using the internal network IPs?

Could you try this please? It might actaully give more insight. Ping is good, but not always reliable (firewalls, etc).
if you at least try to connect to an open port, more info could come out of it.

[H.Z.]

Did you try anything else except ping? maybe try to connect via SSH to both your guests using the internal network IPs?

Could you try this please? It might actaully give more insight. Ping is good, but not always reliable (firewalls, etc).
if you at least try to connect to an open port, more info could come out of it.

Try to read again please!

I have a router: named router, IP 172.26.1.1/16
I have a host: named host, IP 172.26.1.222/16
I have a guest: named vm1, with two interfaces: eth0 is a bridged, currently with IP 172.26.1.141/16, and an other eth1, it is on internal network, IP 192.168.2.1/24
I have another guest: named vm2, it has only one NIC on internal network IP 192.168.2.22/24

OK? OK...

Now:
Login to router, and vm2.

router:
ping 192.168.2.1 - no answer
ping 192.168.2.2 - no anser

vm2:
ping 172.26.1.1 ---- I get answer, there is a living connection between 192.168.2.22 and 172.26.1.1 (do you see? WORKING!)

on the router again
ping 192.168.2.1 - no answer
ping 192.168.2.2 - WORKING!!!!

If there were any firewall, packetfilter, iptables rule etc, then how can it work now??
And yes, I've tried ssh, telnet to opened ports, but nothing...

[noteirak]

Try to read again please!

I understood it, that was fine, I only wanted info about you trying to connect to a service running on the guests, ICMP didn't give us more info at all here.

If there were any firewall, packetfilter, iptables rule etc, then how can it work now??

This actually sounds to me like a typical firewall/NAT/power saving issue : nothing can come "in" unless the "out" happened - But I give you that it shouldn't happen like this.

And yes, I've tried ssh, telnet to opened ports, but nothing...

If your SSH daemon is running and listening on the port in your guest, but you cannot connect to it from the bridged interface itself, then there is definitly something blocking it.

So, basic network troubleshooting :
Can you ping 127.0.0.1 on the host and the guests?
Can you ping each guest network interface from itself?
Can you ping each host network interfaces from itself?
Can you ping between guests?
Can you ping from the host to the VM01 (the one with the bridged interface)?

[H.Z.]

[quote="noteirakCan you ping 127.0.0.1 on the host and the guests?
Can you ping each guest network interface from itself?
Can you ping each host network interfaces from itself?
Can you ping between guests?
Can you ping from the host to the VM01 (the one with the bridged interface)?[/quote]

127.0.0.1 - yes
No, can't ping any interfaces/IPs on the internal network, until connecting from the internal machine to the router.
Yes, guests are work perfectly.
Yes, the bridged interface is accessible.
So...
If I've tried an other setup:

...
                     vm1 (172.26.1.141) (192.168.2.1) - vm2 (192.168.2.22)
                   /
router (172.26.1.1)
                   \
                     vm3 (172.26.1.99)

router:
route add -net 192.168.2.0/24 gw 172.26.1.141
ping 192.168.2.22 - no reply

vm3:
ping 192.168.2.22 - no reply

vm3:
route add -net 192.168.2.0/24 gw 172.26.1.141
ping 192.168.2.22 - vm2 replied!

router:
ping 192.168.2.22 - replied too!!!

Hm?
Now I've tried to test it with vmware player, but it not work with my wifi adapter in bridged mode, so I have no more idea.

[noteirak]

Do you have a route to 172.26.x.x from VM02?

[noteirak]

127.0.0.1 - yes
No, can't ping any interfaces/IPs on the internal network, until connecting from the internal machine to the router.

I don't understand that. You canont ping interfaces/IPs belong to a VM from that VM directly?

[H.Z.]

127.0.0.1 - yes
No, can't ping any interfaces/IPs on the internal network, until connecting from the internal machine to the router.

I don't understand that. You canont ping interfaces/IPs belong to a VM from that VM directly?

Oh, sorry...
The VMs can ping own interfaces directly.
And all VMs behind vm1 can access all other IPs...

[H.Z.]

Do you have a route to 172.26.x.x from VM02?

Yes, via 172.26.1.141...
vm2 has only internal interface, which phisically inaccessible from LAN (for example from the router, or from the host)