Can ping but cannot wget on host with bridge interface

Question

This is driving me mad, since I have spent the las two days trying to solve this.

I have an Ubuntu Server 14.04.2 LTS with KVM and libvirt. I have two guests virtual machines:

pfSense-2.2: virtio network interfaces, WAN1 - cable, WAN2: aDSL and LAN IP:192.168.2.13
Ubuntu Server 14.10: ne2000 network interface, IP:192.168.2.10 (Hostname: deathstar)

The host have bridged interfaces as follows:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#auto eth0
#iface eth0 inet manual

auto br0
iface br0 inet static
        address 192.168.2.10
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        gateway 192.168.2.13
        bridge_ports eth0
        bridge_stp on
        bridge_fd 0
        bridge_maxwait 0
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.2.13
        dns-search localdomain

auto br1
iface br1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

auto br2
iface br2 inet manual
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

The pfSense guest with virtio bridged interfaces is working perfectly but the second guest with Ubuntu works ok only with ne2000 interface, if instead I use virtio bridged interface, it can ping and resolve DNS perfectly, buy cannot access any site with wget or apt-get.

No big deal, I can live with it with ne2000, but the host machine now cannot access the internet, same symthoms as the before, I can ping and resolve DNS, but cannot access with wget or apt-get.

The funny thing is that this was working perfectly till around 10 days ago, probably some system update "broke" something in the host machine and now it cannot be updated or access any site.

I've searched many times different forums, tried disabling IPv6 (many people reported this fixed the problem), changed bridge_stp on and off, included and excluded "auto eth0" from the /etc/network/interfaces file, etc, but nothing works, I'm stucked with this.

As you can see DNS and ping works ok...

pablot@deathstar:~$ ping google.com
PING google.com (173.194.42.14) 56(84) bytes of data.
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=1 ttl=51 time=26.0 ms
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=2 ttl=51 time=27.4 ms
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=3 ttl=51 time=24.9 ms
64 bytes from eze03s05-in-f14.1e100.net (173.194.42.14): icmp_seq=4 ttl=51 time=24.7 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 24.732/25.798/27.421/1.071 ms
pablot@deathstar:~$

But everything else fails...

pablot@deathstar:~$ sudo apt-get update
0% [Connecting to ar.archive.ubuntu.com (200.236.31.4)]

This just ends like this...

Err http://ar.archive.ubuntu.com trusty InRelease

Err http://ar.archive.ubuntu.com trusty-updates InRelease

Err http://ar.archive.ubuntu.com trusty Release.gpg
  Unable to connect to ar.archive.ubuntu.com:http:
Err http://ar.archive.ubuntu.com trusty-updates Release.gpg
  Unable to connect to ar.archive.ubuntu.com:http:
Reading package lists... Done
W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty/InRelease

W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty-updates/InRelease

W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg  Unable to connect to ar.archive.ubuntu.com:http:

W: Failed to fetch http://ar.archive.ubuntu.com/ubuntu/dists/trusty-updates/Release.gpg  Unable to connect to ar.archive.ubuntu.com:http:

W: Some index files failed to download. They have been ignored, or old ones used instead.

And this is what I get with wget...

pablot@deathstar:~$ wget google.com
--2015-03-17 10:13:20--  http://google.com/
Resolving google.com (google.com)... 173.194.42.0, 173.194.42.1, 173.194.42.9, ...
Connecting to google.com (google.com)|173.194.42.0|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.1|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.9|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.3|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.7|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.14|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.4|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.2|:80... failed: Connection timed out.
Connecting to google.com (google.com)|173.194.42.8|:80...

I've replaced my firewall with a fresh new pfSense install (just in case I've blocked my self without knowing) and the same results. I've also installed the same Ubuntu version on a Virtualbox on my notebok and tryed it with both bridged and not bridged interfaces and works perfectly well on both cases trhough the same firewall.

So everything makes me think that my host machine have a wrong configuration that also affects only the ubuntu installation with bridged interface, but cannot find it.

Any help will be greatly appreciated.

Thanks in advance, Pablo

Sorry, when I pointed the network adapter that is working, it's e1000, not ne2000. — pablot, Mar 17 '15 at 17:40

Matthias Lang · Answer 1 · 2015-10-01T14:07:25.287

I had the same problem whether I used standard linux bridges or open virtualbridges on the kvm server. Finally I found the answer on the pfSense webpage under VirtIO Driver Support:

Disable Hardware Checksum Offloading With the current (2014-06-11) state of VirtIO network drivers in FreeBSD, it is necessary to check the Disable hardware checksum offload box under System > Advanced on the Networking tab and to manually reboot pfSense after saving the setting, even though there is no prompt instructing to do so to be able to reach systems (at least other VM guests, possibly others) protected by pfSense directly from the VM host. The issue seems to be related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059

This worked for me.

This is still required on CentOS 8, KVM, and pfSense 2.4.5-RELEASE-p1. Thank you. — Andrew Bobulsky, Oct 30 '20 at 16:43

score 0 · Answer 2 · edited Apr 13 '17 at 12:25

0

I had an issue with the same symptoms, my setup was as follows: Lenovo laptop running native Ubuntu. I manually created a bridge with USB-Enet interfaces that use the ax88179_178a driver. I am using the bridge in order to simulate poor network conditions to everything attached to the "other side" of the bridge.

I was able to ping and ssh into a device through the bridge, but wget would not work.

I tried disabling IPv6 as described here with no luck. I also tried messing around with the mtu settings, but had no luck.

What finally worked for me was to use the native Ethernet port on the laptop as one of the bridge interfaces, and use the dongle as the second port in the bridge. Once I did this, everything worked fine. So for me, the issue is a bug in the driver for the interfaces that I was using.

edited Apr 13 '17 at 12:25

Community

1

answered Aug 01 '16 at 23:42

BenB

1

1

The OP is asking how to fix it on the OS with that network interface. This does not attempt to answer the question, and assuming you are using are not running 14.10, this bug could be introduced in a later version. – fosslinux Aug 02 '16 at 00:07
@ubashu, understood. I found this thread because I googled "linux bridge wget not working". Even though my response doesn't answer the exact question of the OP, it is likely to help people who find this thread but aren't suffering from the exact same issue as the OP. – BenB Aug 03 '16 at 17:54

Can ping but cannot wget on host with bridge interface

2 Answers2