Ip Packets not being forwarded


I have a virtual machine running under VirtualBox with Leap15 and firewalld active. Ethernet card is bridged to the physical ethernet card in VirtualBox.

Trying to diagnose an issue (actually with an IPsec VPN) I wanted to check that ip packets were being forwarded between interfaces as they seem not to be. So I added a second interface (eth1). Both interfaces are now bridged to the same physical ethernet card on the host via VirtualBox. I have the following setup:

eth0: [] with a default gateway of all set by DHCP from my router.
eth1: []

“ip route” gives:
default via dev eth0 proto dhcp dev eth1 proto kernel scope link src dev eth0 proto kernel scope link src

On this machine I have full internet access via the router and can access both the 192.168.25.* and 10...* networks. All network machines respond to pings.

On a separate machine (ip: with a default gateway of I can ping (gateway) and (local ip on the VirtualBox machine) but not or anything else on that subnet (192.168.25.*) including the internet (I know I don’t have DNS on this machine so have been pinging ip addresses directly). As such I can see both local addresses on my VirtualBox machine but nothing beyond that. It feels like forwarding is turned off or not working.

Yes I have enabled IP-forwarding in Yast (and ‘sysctl net.ipv4.ip_forward’ gives: ‘net.ipv4.ip_forward = 1’) and have no ipv6 options activated. I get the same result with firewalld active (both interfaces set to ‘trust’) and with the firewalld service stopped. I also have fail2ban active but that makes no difference if I kill that service too. If I turn off forwarding on the VirtualBox machine (i.e. net.ipv4.ip_forward=0) I get exactly the same results including responses from

What the heck am I doing wrong or not doing?

Thanks in advance …….

Additionally, from machine

traceroute to (, 30 hops max, 60 byte packets
1 ( 7.611 ms 7.574 ms 7.577 ms

traceroute to (, 30 hops max, 60 byte packets
1 ( 12.620 ms 12.525 ms 12.455 ms

traceroute to (, 30 hops max, 60 byte packets
1 ( 5.473 ms 5.382 ms 5.313 ms
2 * * *
3 * * *

Please post output ( incl. command invoked ) between CODE tags, the # in the editor layout

You network topology description is a bit confusing to me. (In particular, your comment that both virtual interfaces were connected to the same physical interface). Is this actually what you have?

Gateway router(<VB guest>eth1(<Host>

That’s correct. I am trying to access the router from <host> and can’t get routing to happen through <VB guest>. The part about being a bridged connection is simply a VirtualBox configuration feature for <VB guest> with respect to eth0 and eth1 and how they connect over the physical network and should be irrelevant.

Unless you intend to bond network interfaces (actually devices), you should never configure more than one interface to a given network… You’ll typically only get grief as packets are sent to one interface, your machine rejects those packets because they were expected on the other interface… etc. Remember, although we humans want to simplify how we see things work, machines aren’t intimidated by strange numbers and in the case of networking primarily identify themselves by MAC addresses.

If you want to test forwarding, you should configure your network interfaces pointing to different networks… In most virtualization technologies like Virtualbox, you are pre-configured with 3 different virtual networks, Bridging, NAT and Host-only. If you configured NAT, you’re automatically forwarding between your physical network and your private network, so there’s nothing much to test and learn there.

So, you’ll likely want to use the Bridging (actually NAT can work in place of bridging, too but I won’t cover that here for simplicity) and your Host-only networks, because they are completely different networks.

When you set up your Guest with bridging, you can probably access the Internet so this becomes your “external” network.
Next, add a second network device (likely eth1).
When booted, go into YaST and configure eth1, since there is no DHCP for the Host-only network, you’ll need to configure a static IP address, do not configure any new DNS or routing gateways.
Go into YaST > Firewall and configure IPv4 forwarding (if using SUSEfirewall2) or select your public facing interface (likely eth0) and check the Masquerading checkbox.

Now that you have a VM which should be configured to forward from the Host-only network to the public interface and beyond, you need to be able to test functionality.

While your first VM is running, create a new VM, but this time configure the VM networking for the Hot-only network.
Remembering that the Host-only network doesn’t have DHCP, when you boot this VM you should go into YaST and configure a static IP address (It has to comply with the NetworkID of the Host-only network), a DNS (Can be any but recommend Google’s and Default Gateway (set to the IP address of your first VM’s Host-only address0.

When completed, your new, second VM should be pointing to your first VM for networking to anywhere besides the two machines.
And, if IP forwarding is working your second machine will be able to access the Internet through the first machine.


Hi tsu2,

Thanks for the constructive comments. Actually the description by deano_ferrari is not quite right and <host> is actually a virtual machine too. Maybe I/we should call it <VB guest #2>. This mimics exactly the system design that I think you are suggesting. i.e.

Gateway router(<VB guest>eth1(<VB guest #2>

I have now moved the link from <VB guest #2> to <VB guest> to an “Internal network” and so providing more isolation from the physical ethernet interface on the system that hosting both <VB guest> to <VB guest #2> virtual machines.

Still no joy. Exactly the same as before.

OK solved …. well kind of. The destination has no known return route. Set up another Virtual machine on and I could not ping it. Adding a rout to that machine back to with

 ip route add via

made it all work. Now I see why I need to add masquerading to eth0 or have return routes to subnets like from machines on

Thanks for the pointers.

It was your description that was not quite right, and hence my post guessing as to how it really might be configured, and seeking further clarification. :wink:

If you’re doing simple routing(no NAT/Masquerading which should activate the conntrack module), then you will have to configure each machine where is the “gateway” to a foreign network if it’s not somewhere beyond the Default Gateway.