OpenVZ multiple networks on CTs

Same problem, but different solution. The two ports were not connected to the same network and needed to appear from the IP address of the virtual machine, so masquerading did not work.

The main issue here is that the openvz container sets the subnet of all of the ips on venet to 255.255.255.255. There is no preference of one interface. There is no preference on which router it should go through, so it sometimes uses eth0, and sometimes uses eth1. The result was random failures for certain IP addresses when the request goes out on the wrong interface.

One solution was to add a route that specified the source like so:

ip route add 10.20.0.0/16 dev venet0 src 10.20.0.xxx
ip route add a.b.c.241/24 dev venet0 src a.b.c.xxx

I found that the simplest solution for now was to set set the subnets just after they've been brought up (on an ubuntu/debian container in /etc/network/if-up.d):

#!/bin/sh
if [ "$IFACE" = "venet0:1" ]; then
        ifconfig venet0:1 netmask 255.255.0.0 up
fi
if [ "$IFACE" = "venet0:0" ]; then
        ifconfig venet0:0 netmask 255.255.255.0 up
fi
exit 0

Both solutions should have the same affect. Both solutions makes me a little concerned that when accessing the internet (to update or for DNS), it may unintentionally use the 10.x.x.x address that has no route to the internet. The default route is default via 192.0.2.1 dev venet0, so I'm not quite sure how it gets to there, but it appears to work as intended after several reboots of both the container and the host.

UPDATE For a more rubust solution: I used bash to check the IP and figure out what subnet to add it to.

Ubuntu/Debian (/etc/network/if-up.d):

#!/bin/bash
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
        echo "AlReece45: $IFACE, IP Address $IF_ADDRESS marked as internal"
        ifconfig "$IFACE" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
        echo "AlReece45: $IFACE, IP address $IF_ADDRESS marked as external"
        ifconfig "$IFACE" netmask 255.255.255.0 up
fi
exit 0

CentOS/Redhat (/sbin/ifup-local):

#!/bin/bash
IFACE="$1"
IF_ADDRESS=$(ifconfig $IFACE | grep "inet addr" | awk '{print $2}' | cut -d':' -f2);
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
        echo "AlReece45: $1, IP Address $IF_ADDRESS marked as internal"
        ifconfig "$1" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
        echo "AlReece45: $1, IP address $IF_ADDRESS marked as external"
        ifconfig "$1" netmask 255.255.255.0 up
fi
exit 0

The problem was in between chair and keyboard. I did not set masquerading on the other device. So for everyone having the same issue: Try to set masquerade on every interface on HN.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE # I forgot this line

I figured this out thanks to: OpenVZ wiki


I recently setup an OpenVZ server with two Ethernet network adaptors each on their own subnet with masquerading on the HN.

Discovered the following: If a CT has two IPs on different subnets, the first IP to be set in the vzid.conf file must be the one that shares the default gateway with the HN. Switching the order of the IPs and restarting the CT fixed the routing issue for me.