OpenVZ alongside ISPConfig - networking issue

Discussion in 'HOWTO-Related Questions' started by kuckus, Sep 14, 2008.

  1. kuckus

    kuckus New Member

    Hi all,

    I recently installed OpenVZ on a server that is also running ISPConfig and am having some trouble getting virtual envs set up in a way that they can reach the world outside the host node.
    My system is a Debian Etch, and OpenVZ was installed as described by falko.

    My ISP/hosting provider (a German one called Strato) gave me a 2nd IP address from a different subnet which I'd like to use for a OpenVZ VE. So, the host node's IP is 81.a.b.c, the VE's IP 85.x.y.z/32.

    Now after creating a VE and assigning it the 85.x.y.z IP, I can ping and ssh from host to VE and from VE to host just fine, but that's about it - the VE cannot reach the Internet and can't be reached from elsewhere either.

    On your average ISPC installation, would there be any firewall roules or something else that I'd need to adjust to allow this traffic?

    What else could I be missing?

    One thing I noticed is, when rebooting the server, at one point it actually is possible to ping the VE's 85.x.y.z IP. But it seems that's just until the remaining services (and ISPC) have finished starting up.

    Any and all help would be appreciated... thanks!


    Some configuration details:

    - `ip route` on host node

    81.a.b.c dev eth0  scope link
    81.a.b.1 via 81.a.b.c dev eth0  scope link
    85.x.y.z dev venet0  scope link
    default via 81.a.b.1 dev eth0
    - `ip route` in VE

    Code: dev venet0  scope link 
    default via dev venet0
    - `ip -V` in VE

    ip utility, iproute2-ss071016
    - Kernel version running on HN: 2.6.18-12-fza-686

    - `sysctl -p` on HN

    net.ipv4.conf.default.forwarding = 1
    net.ipv4.conf.default.proxy_arp = 0
    net.ipv4.ip_forward = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.conf.all.rp_filter = 1
    kernel.sysrq = 1
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.all.send_redirects = 0
  2. falko

    falko Super Moderator ISPConfig Developer

    Please set NEIGHBOUR_DEVS to all in /etc/vz/vz.conf and reboot the system.
  3. kuckus

    kuckus New Member

    Sorry, I forgot to mention that - I've got the NEIGHBOUR_DEVS=all setting in place already.

  4. falko

    falko Super Moderator ISPConfig Developer

    Do you use a firewall on the host? If so, switch it off.
  5. kuckus

    kuckus New Member

    Yes, iptables as "shipped" with ISPConfig.

    Disabling it through the web interface or manually doing an `iptables -F` temporarily didn't help so far.

    I think I followed one of the "Perfect Debian setup" tutorials pretty closely back then too, if that gives you a hint...

    Doesn't it almost have to be some kind of service if I can ping the 2nd IP for a bit during bootup? :confused:
  6. falko

    falko Super Moderator ISPConfig Developer

    Do you see any errors in the logs on the host and the guest?
  7. kuckus

    kuckus New Member

    Sorry for the late reply, I've been ill and somewhat sidetracked...

    In the VZ logs, there aren't any errors (on the host).

    The "strange" thing is, the VE's IP can be pinged for a short time during boot (after the OpenVZ daemon starts up). What else could I check on the host or guest to see what's blocking the way to the outside world?


  8. falko

    falko Super Moderator ISPConfig Developer

    To be honest I'm running out of ideas... :(
  9. aronkule

    aronkule New Member

    Hi Falko,

    I am also having exactly the same problem. In my case, I have four NICS.

    I installed openvz using the excellent gui available through My external IP is and I have given the VE an IP from a VLAN - The VE can see the HN and vice versa. I can ssh into the VE from the HN. The VE can also see the external NIC But beyond that, it cannot see any other nodes that are in the VLAN.
    However it can see all the other working nodes of the VLAN, which are in other HN´s (XEN) and some of the VLAN. The node that it cannot ping to, can be seen by the HN.

    NEIGHBOUR_DEVS=all is in place. iptables -L lists nothing. Scratching my head....

Share This Page