Hi all,

I recently installed OpenVZ on a server that is also running ISPConfig and am having some trouble getting virtual envs set up in a way that they can reach the world outside the host node.

My system is a Debian Etch, and OpenVZ was installed as described by falko. My ISP/hosting provider (a German one called Strato) gave me a 2nd IP address from a different subnet which I'd like to use for an OpenVZ VE. So, the host node's IP is 81.a.b.c, the VE's IP 85.x.y.z/32.

Now after creating a VE and assigning it the 85.x.y.z IP, I can ping and ssh from host to VE and from VE to host just fine, but that's about it - the VE cannot reach the Internet and can't be reached from elsewhere either.

On your average ISPC installation, would there be any firewall rules or something else that I'd need to adjust to allow this traffic? What else could I be missing?

One thing I noticed is, when rebooting the server, at one point it actually is possible to ping the VE's 85.x.y.z IP. But it seems that's just until the remaining services (and ISPC) have finished starting up.

Any and all help would be appreciated... thanks!

kuckus

Some configuration details:

- `ip route` on host node

Code:
81.a.b.c dev eth0 scope link
81.a.b.1 via 81.a.b.c dev eth0 scope link
85.x.y.z dev venet0 scope link
default via 81.a.b.1 dev eth0

- `ip route` in VE

Code:
192.0.2.1 dev venet0 scope link
default via 192.0.2.1 dev venet0

- `ip -V` in VE

Code:
ip utility, iproute2-ss071016

- Kernel version running on HN: 2.6.18-12-fza-686

- `sysctl -p` on HN

Code:
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
Sorry, I forgot to mention that - I've got the NEIGHBOUR_DEVS=all setting in place already. Thanks, kuckus
Yes, iptables as "shipped" with ISPConfig. Disabling it through the web interface or manually doing an `iptables -F` temporarily didn't help so far. I think I followed one of the "Perfect Debian setup" tutorials pretty closely back then too, if that gives you a hint... Doesn't it almost have to be some kind of service if I can ping the 2nd IP for a bit during bootup?
Sorry for the late reply, I've been ill and somewhat sidetracked... In the VZ logs, there aren't any errors (on the host). The "strange" thing is, the VE's IP can be pinged for a short time during boot (after the OpenVZ daemon starts up). What else could I check on the host or guest to see what's blocking the way to the outside world? Thanks, kuckus
Hi Falko, I am also having exactly the same problem. In my case, I have four NICs. I installed OpenVZ using the excellent GUI available through http://proxmox.com/. My external IP is xxx.175.xxx.132 and I have given the VE an IP from a VLAN 10.10.10.0/24 - 10.10.10.31. The VE can see the HN and vice versa. I can ssh into the VE from the HN. The VE can also see the external NIC xxx.175.xxx.132. But beyond that, it cannot see any other nodes that are in the xxx.175.xxx.128/29 VLAN. However, it can see all the other working nodes of the 10.10.10.0/24 VLAN, which are in other HNs (XEN), and some of the 10.20.10.0/26 VLAN. The node that it cannot ping, 10.20.10.11, can be seen by the HN. NEIGHBOUR_DEVS=all is in place. iptables -L lists nothing. Scratching my head....