IP forwarding across Virtual Machine Network Interfaces

Question

IP forwarding across Virtual Machine Network Interfaces

An Vo 1

I have two Virtual Machines set up, VM1 has 1 network interface and VM2 has 2 network interfaces. Both use the same virtual network that I created that has an address space of 192.168.0.0/16. The NIC, eth0, on VM1 has a private IP of 192.168.5.200 while the NICs on VM2 have private IPs of 192.168.5.20 (eth1) and 192.168.1.20 (eth2). The two NICs with the 192.168.5.0/24 addresses are on the same subnet and I am able to ping from one interface to the other. I am trying to then use the 192.168.5.20 assigned NIC for IP forwarding, which I have set in both the azure options as well as within the operating system of the VM.

I added the following IP route onto VM1:
192.168.1.20 via 192.168.5.20

The aim is that if I ping 192.168.1.20 from VM1, the eth1 on VM2 will be used to forward the traffic to the 192.168.1.20 interface. In both cases where I ping directly to 192.168.5.20 and 192.168.1.20 and observing wireshark on the interfaces of VM1 and VM2, I see that VM1 sends out ARP requests for 192.168.5.20 as expected. For both cases a MAC address is returned as a response and VM1 sends out a packet to 192.168.5.20 with this MAC address as the destination. It should be noted that this MAC address is not the same as the one I see attached to the 192.168.5.20 interface as seen when running ifconfig. In the case of the direct ping to 192.168.5.20, this packet is received by eth1 on VM2, however in the IP forwarding case, the packet never reaches the interface.

Thanks

SaiKishor-MSFT 17,336 Reputation points

2021-12-01T09:32:19.357+00:00

@An Vo Thank you for reaching out to Microsoft Q&A. I understand that you are trying to reach from VM1 to VM2 via VM2's primary NIC. However, you cannot access the same although you have forwarding enabled both on Azure and the O.S.

Can you verify if the NSG on the secondary NIC on VM2 is allowing traffic from VM1? If not, please add this rule and let me know if that helps. Thank you!
An Vo 1 Reputation point

2021-12-01T13:17:06.807+00:00

@SaiKishor-MSFT Thank you for your response. Your understanding is correct regarding what I want to achieve. I have checked the NSG and used the IP flow verify application on the Network Watcher and it came back saying that 192.168.5.200 has allowed access to the remote IP address of 192.168.1.20 so I do not believe this is the problem.

Thanks
An Vo 1 Reputation point

2021-12-07T10:04:30.867+00:00

@SaiKishor-MSFT It has been some days now and I haven't received a response from you and was wondering if you got any further looking into my situation.

Thanks

1 answer

Your answer

SaiKishor-MSFT 17,336 Reputation points

2021-12-01T09:32:19.357+00:00

@An Vo Thank you for reaching out to Microsoft Q&A. I understand that you are trying to reach from VM1 to VM2 via VM2's primary NIC. However, you cannot access the same although you have forwarding enabled both on Azure and the O.S.

Can you verify if the NSG on the secondary NIC on VM2 is allowing traffic from VM1? If not, please add this rule and let me know if that helps. Thank you!
An Vo 1 Reputation point

2021-12-01T13:17:06.807+00:00

@SaiKishor-MSFT Thank you for your response. Your understanding is correct regarding what I want to achieve. I have checked the NSG and used the IP flow verify application on the Network Watcher and it came back saying that 192.168.5.200 has allowed access to the remote IP address of 192.168.1.20 so I do not believe this is the problem.

Thanks
An Vo 1 Reputation point

2021-12-07T10:04:30.867+00:00

@SaiKishor-MSFT It has been some days now and I haven't received a response from you and was wondering if you got any further looking into my situation.

Thanks

Answer 1

SaiKishor-MSFT 17,336

@An Vo Apologize for the delay in responding to this issue. I had to perform some lab tests so determine the cause of this and understand the solution for this problem. I tested this scenario and see that doing the below fixes the issue:

Find the Interface No. of Nic2 of VM2 using the route print command which will give a similar output as shown below:

===========================================================================

Interface List
3...00 0d 3a 10 92 ce ......Microsoft Hyper-V Network Adapter
7...00 0d 3a 10 9b 2a ......Microsoft Hyper-V Network Adapter #2

===========================================================================

-- Here the #2 Network Adapter has the Interface# 7

On VM2, please add the following routes:

route add -p 0.0.0.0 MASK 0.0.0.0 192.168.1.1 METRIC 5015 IF <Interface No. of NIC2>

Now add another route specifically for VM1's IP address as shown below:

route add -p 192.168.5.200 MASK 255.255.255.255 192.168.5.20 METRIC 5000 IF <Interface No. of NIC2>

Once you add these routes, it will give you an "Ok!" for every command once it adds the same. You can verify if these are added by doing a "Route Print". After adding these routes, you should be able tp ping the VM2's NIC2 IP from VM1 as expected and also vice-versa. Hope this helps!
Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

An Vo 1 Reputation point

2021-12-09T11:52:59.023+00:00

@SaiKishor-MSFT Thank you for your response. I have tried your solution however I could not follow it through completely. I should have mentioned that both these VMs are running on Linux so I had to adjust the formatting for the commands:

Running ifconfig on VM2 gave me:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::20d:3aff:fed5:e6ff prefixlen 64 scopeid 0x20<link>
ether 00:0d:3a:d5:e6:ff txqueuelen 1000 (Ethernet)
RX packets 13929 bytes 10013188 (10.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10412 bytes 2689765 (2.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.5.20 netmask 255.255.255.0 broadcast 192.168.5.255
inet6 fe80::20d:3aff:fed5:e865 prefixlen 64 scopeid 0x20<link>
ether 00:0d:3a:d5:e8:65 txqueuelen 1000 (Ethernet)
RX packets 2 bytes 762 (762.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17 bytes 1844 (1.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

I then tried to run the two add route commands you suggested:

sudo ip route add default gw 192.168.1.1 metric 5015 dev eth0
sudo ip route add 192.168.5.200 via 192.168.5.20 metric 5000 dev eth0
An Vo 1 Reputation point

2021-12-09T11:53:19.95+00:00

The first line command worked however the second one did not. I wasn't sure if you had put in a typo for the interface number when you specified NIC2 (eth0). With this, I would get an Error: Nexthop has invalid gateway. If I change it to NIC1 (eth1), then I can create the route and my following route table looks like:

default via 192.168.1.1 dev eth0 metric 5015
168.63.129.16 via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.20 metric 100
169.254.169.254 via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.20 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
192.168.5.0/24 dev eth1 proto kernel scope link src 192.168.5.20
192.168.5.200 via 192.168.5.20 dev eth1 metric 5000

With this routing on VM2, I am still not able to ping to 192.168.1.20 through 192.168.5.20 from VM1.
SaiKishor-MSFT 17,336 Reputation points

2021-12-09T16:34:36.727+00:00

@An Vo

Please remove the routes you previously added and please add the following routes:
sudo ip route add default gw 192.168.5.1 metric 5015 dev eth1
sudo ip route add 192.168.5.200 via 192.168.5.20 metric 5000 dev eth1

Let me know if that helps. Thank you!
An Vo 1 Reputation point

2021-12-20T16:05:07.217+00:00

@SaiKishor-MSFT

Thank you for your suggestion however I am still not able to get them to communicate with each other.

For VM2 I have routing table:
default via 192.168.5.1 dev eth0 metric 5015
192. 168.5.200 via 192.168.5.20 dev eth0 metric 5000

For VM 1 I have routing table:
default via 192.168.5.1 dev eth0 metric 5015
192. 168.1.20 via 192.168.5.20 dev eth0 metric 5000

I removed all other routes, including the generated ones on start up for 168.63.129.16 and 169.254.169.254 and yet was not able to ping 192.168.1.20 through 192.168.5.20.

I should also note when I created the two VMs, I chose the 192.168.5.0/24 for both as the subnet.

Thanks

Share via

IP forwarding across Virtual Machine Network Interfaces

1 answer

Your answer