I have an issue with one host at a customer's site. I think this cannot work, but I would like to ask you just in case I am confused.

eno1: 172.20.10.x/24 management interface gw
tun0: openvpn tunnel to external data center
internal-bridge: x.x.x.x/28 ; routed subnet that goes to openvpn tun0

On the VM:
eth0: x.x.x.x/28 on internal-bridge (default gw)
eth1: 172.20.10.x/24 bridge-service gw (same as eno1)

Connectivity to and from OpenVPN (to and from the data center) is perfect. All VMs are directly reachable from our management services, no NATing.

From the hypervisor I can ping the gw; from the VM I cannot.

My gut feeling is that this cannot work because traffic for the hypervisor for subnet 172.20.10.x/24 flows through eno1, but for the VM it goes through the bridge-loggin interface. So that cannot work.

Should we just ask the customer to give us different subnets for the host and the VM?
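One check worth running on a host laid out like the one in the post, as an added example that is not part of the original question: a Linux bridge only forwards frames between its own ports, so a VM NIC on `bridge-service` can only reach the 172.20.10.x/24 LAN if the physical NIC that carries that subnet on the hypervisor (`eno1` here) is itself a port of that bridge, or the subnet's address sits on the bridge instead of on `eno1`. The script below parses `ip route` and `bridge link show` output (standard iproute2 formats, assumed to be what the host produces) and reports, per subnet and bridge, whether such a path exists. All data in it is constructed from the layout in the post; the RFC 5737 addresses stand in for the `x.x.x.x` placeholders and the `vnet*` tap names are assumed.

```shell
#!/bin/sh
# Added diagnostic, not from the post: does the interface the hypervisor uses for a
# subnet have a forwarding path to the bridge a VM NIC is attached to?

# Constructed 'ip route' output modelled on the post (192.0.2.16/28 = the routed /28,
# 198.51.100.0/24 = a data-center prefix behind tun0). Not captured from a real host.
SAMPLE_ROUTES='default via 172.20.10.1 dev eno1 proto static
172.20.10.0/24 dev eno1 proto kernel scope link src 172.20.10.5
192.0.2.16/28 dev internal-bridge proto kernel scope link src 192.0.2.17
198.51.100.0/24 via 192.0.2.18 dev tun0'

# Constructed 'bridge link show' output: the two VM taps are bridge ports; eno1 appears
# nowhere, i.e. it is not enslaved to bridge-service.
SAMPLE_BRIDGE_LINKS='5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge-service state forwarding priority 32 cost 100
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master internal-bridge state forwarding priority 32 cost 100'

# Same, but with eno1 enslaved to bridge-service (the layout in which the VM would
# share the LAN with the hypervisor).
SAMPLE_BRIDGE_LINKS_ENSLAVED="$SAMPLE_BRIDGE_LINKS
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge-service state forwarding priority 32 cost 4"

# route_dev ROUTES PREFIX: print the device the hypervisor uses for PREFIX.
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# bridge_ports LINKS BRIDGE: print the interfaces enslaved to BRIDGE, one per line.
bridge_ports() {
    printf '%s\n' "$1" | awk -v b="$2" \
        '{ for (i = 1; i <= NF; i++) if ($i == "master" && $(i+1) == b) { sub(/:$/, "", $2); print $2 } }'
}

# check_vm_path ROUTES LINKS PREFIX BRIDGE: "ok ..." (exit 0) when the hypervisor's
# interface for PREFIX is BRIDGE itself or one of its ports; otherwise a one-line
# reason and exit 1, which is the situation where VM frames (ARP included) for PREFIX
# never leave the bridge.
check_vm_path() {
    dev=$(route_dev "$1" "$3")
    [ -n "$dev" ] || { echo "no route for $3 on the hypervisor"; return 1; }
    [ "$dev" = "$4" ] && { echo "ok: $3 lives on $4 itself"; return 0; }
    for port in $(bridge_ports "$2" "$4"); do
        [ "$port" = "$dev" ] && { echo "ok: $dev is a port of $4"; return 0; }
    done
    echo "no uplink: $3 goes out $dev, which is not a port of $4" \
         "(ports: $(bridge_ports "$2" "$4" | tr '\n' ' '))"
    return 1
}

# The two cases from the post, plus the enslaved variant for comparison.
check_vm_path "$SAMPLE_ROUTES" "$SAMPLE_BRIDGE_LINKS" 192.0.2.16/28 internal-bridge || :
check_vm_path "$SAMPLE_ROUTES" "$SAMPLE_BRIDGE_LINKS" 172.20.10.0/24 bridge-service || :
check_vm_path "$SAMPLE_ROUTES" "$SAMPLE_BRIDGE_LINKS_ENSLAVED" 172.20.10.0/24 bridge-service || :
```

On the real host, replace the two sample variables with `$(ip route)` and `$(bridge link show)`. The check only answers the layer-2 question (is there a bridge port towards that LAN); it says nothing about whether the customer's gateway or switch accepts a second MAC on that port, so a "no uplink" result is a reason to look at the bridge membership first, not a full diagnosis.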


