Symptoms

Two Virtual Environments belong to different customers, yet they can communicate with each other over the backnet. The configuration on the Instance Manager Node side is correct. On the Virtualization Node, the following can be seen:

# prlsrvctl privnet list
Name    G  Netmasks
LEGACY  x  192.168.0.0/16
vlan1      192.168.0.1/30 192.168.0.2/30 *
vlan2      192.168.0.10/30 *

UUID                                    STATUS   IP_ADDR      T   NAME
{e98ecb39-3014-4e8c-1111-a9de9ca3bc8c}  running  192.168.0.3  CT  1000000.server-1000123-1
{15d65703-c603-485b-2222-780285e288c6}  running  192.168.0.2  VM  1000001.server-1000456-1
{1dc48b8e-74a5-42ff-3333-b90f08c35c17}  running  192.168.0.1  VM  1000001.server-1000789-1

According to the weak privnet logic described in Weak Private Networks, the Virtual Environment with IP 192.168.0.1 should not be able to ping IP 192.168.0.3, but should be able to reach 192.168.0.2. In this case, it can reach both.

The issue can be reproduced by configuring private networks manually:

# prlsrvctl privnet del vlan2
# prlctl exec e98ecb39-3014-4e8c-1111-a9de9ca3bc8c ping 192.168.0.2 # pinging 192.168.0.2 from 192.168.0.3
PING 192.168.0.2 (192.168.0.2) 2(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=127 time=192 ms

# prlsrvctl privnet add vlan2 --ipadd '192.168.0.10/30'
<ping works>

# prlsrvctl privnet set vlan2 --ipadd '*'
<ping works>

Cause

The root cause of the issue lies on the Virtuozzo side and is specific to Virtuozzo 7. The same configuration on Virtuozzo 6 does not allow VEs from different 'vlans' to ping each other: direct network connectivity is possible only within one 'vlan'. The issue is reproduced only in Virtuozzo 7.

Resolution

Please contact Virtuozzo Support.
