Ubuntu – Can ping but cannot wget on host with bridge interface

kvm, networking, ping, wget

This is driving me mad, since I have spent the last two days trying to solve this.

I have an Ubuntu Server 14.04.2 LTS with KVM and libvirt. I have two guest virtual machines:

  1. pfSense-2.2: virtio network interfaces, WAN1 – cable, WAN2: aDSL and LAN IP:192.168.2.13
  2. Ubuntu Server 14.10: ne2000 network interface, IP:192.168.2.10 (Hostname: deathstar)

The host has bridged interfaces as follows:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#auto eth0
#iface eth0 inet manual

auto br0
iface br0 inet static
        address 192.168.2.10
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        gateway 192.168.2.13
        bridge_ports eth0
        bridge_stp on
        bridge_fd 0
        bridge_maxwait 0
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.2.13
        dns-search localdomain

auto br1
iface br1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

auto br2
iface br2 inet manual
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

The pfSense guest with virtio bridged interfaces is working perfectly, but the second guest with Ubuntu works OK only with the ne2000 interface; if I use a virtio bridged interface instead, it can ping and resolve DNS perfectly, but cannot access any site with wget or apt-get.

No big deal, I can live with ne2000, but the host machine now cannot access the internet, with the same symptoms as before: I can ping and resolve DNS, but cannot access anything with wget or apt-get.

The funny thing is that this was working perfectly till around 10 days ago, probably some system update "broke" something in the host machine and now it cannot be updated or access any site.

I've searched different forums many times, tried disabling IPv6 (many people reported this fixed the problem), changed bridge_stp on and off, included and excluded "auto eth0" from the /etc/network/interfaces file, etc., but nothing works. I'm stuck with this.

As you can see, DNS and ping work OK…

pablot@deathstar:~$ ping google.com
PING google.com (173.194.42.14) 56(84) bytes of data.
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=1 ttl=51 time=26.0 ms
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=2 ttl=51 time=27.4 ms
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=3 ttl=51 time=24.9 ms
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=4 ttl=51 time=24.7 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 24.732/25.798/27.421/1.071 ms
pablot@deathstar:~$

But everything else fails…

pablot@deathstar:~$ sudo apt-get update
0% [Connecting to ar.archive.ubuntu.com (200.236.31.4)]

This just ends like this…

Err http://ar.archive.ubuntu.com trusty InRelease

Err http://ar.archive.ubuntu.com trusty-updates InRelease

Err http://ar.archive.ubuntu.com trusty Release.gpg
  Unable to connect to ar.archive.ubuntu.com:http:
Err http://ar.archive.ubuntu.com trusty-updates Release.gpg
  Unable to connect to ar.archive.ubuntu.com:http:
Reading package lists... Done
W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty/InRelease

W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty-updates/InRelease

W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg  Unable to connect to ar.archive.ubuntu.com:http:

W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty-updates/Release.gpg  Unable to connect to ar.archive.ubuntu.com:http:

W: Some index files failed to download. They have been ignored, or old ones used instead.

And this is what I get with wget…

pablot@deathstar:~$ wget google.com
--2015-03-17 10:13:20--  http://google.com/
Resolving google.com (google.com)... 173.194.42.0, 173.194.42.1, 173.194.42.9, ...
Connecting to google.com (google.com)|173.194.42.0|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.1|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.9|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.3|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.7|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.14|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.4|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.2|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.8|:80...

I've replaced my firewall with a fresh new pfSense install (just in case I've blocked myself without knowing) and got the same results. I've also installed the same Ubuntu version on VirtualBox on my notebook and tried it with both bridged and non-bridged interfaces, and it works perfectly well in both cases through the same firewall.

So everything makes me think that my host machine has a wrong configuration that also affects only the Ubuntu installation with the bridged interface, but I cannot find it.

Any help will be greatly appreciated.

Thanks in advance,
Pablo

Best Answer

I had the same problem whether I used standard Linux bridges or open virtual bridges on the KVM server. Finally I found the answer on the pfSense webpage under VirtIO Driver Support:

Disable Hardware Checksum Offloading

With the current (2014-06-11) state of VirtIO network drivers in FreeBSD, it is necessary to check the Disable hardware checksum offload box under System > Advanced on the Networking tab and to manually reboot pfSense after saving the setting, even though there is no prompt instructing to do so to be able to reach systems (at least other VM guests, possibly others) protected by pfSense directly from the VM host. The issue seems to be related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059

This worked for me.
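
An added illustration, not part of the original answer, of how a checksum offload fault can produce exactly the "ping works, TCP times out" symptom: ICMP checksums are always filled in by software, while a sender using TX checksum offload leaves only the pseudo-header sum in the TCP checksum field for the device to finish. The packets are constructed, the addresses are taken from the question, and the source port and function names are assumptions; the sketch assumes the segment reaches a validating receiver with its checksum never completed.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum, folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo-header that TCP (protocol 6) includes in its checksum."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def build_syn(src: str, dst: str, sport: int, dport: int, offloaded: bool) -> bytes:
    """Constructed 20-byte TCP SYN; `offloaded` leaves the checksum unfinished."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 29200, 0, 0)
    pseudo = pseudo_header(src, dst, len(hdr))
    if offloaded:
        csum = ones_sum(pseudo)  # partial value the device was meant to complete
    else:
        csum = ~ones_sum(pseudo + hdr) & 0xFFFF  # complete software checksum
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP echo request; its checksum is always done in software."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    csum = ~ones_sum(body) & 0xFFFF
    return body[:2] + struct.pack("!H", csum) + body[4:]

def tcp_ok(src: str, dst: str, segment: bytes) -> bool:
    """A validating receiver accepts the segment only if the sum is 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def icmp_ok(message: bytes) -> bool:
    return ones_sum(message) == 0xFFFF

def verdicts(src: str = "192.168.2.10", dst: str = "173.194.42.0") -> dict:
    """Addresses are from the question; port 40000 is a made-up source port."""
    return {
        "ping": icmp_ok(build_echo(1, 1, b"constructed-payload")),
        "syn_software_checksum": tcp_ok(src, dst, build_syn(src, dst, 40000, 80, False)),
        "syn_unfinished_offload": tcp_ok(src, dst, build_syn(src, dst, 40000, 80, True)),
    }

if __name__ == "__main__":
    for name, accepted in verdicts().items():
        print(f"{name}: {'accepted' if accepted else 'dropped (bad checksum)'}")
```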
