MetalLB VIP Connectivity Issues When Accessing VIP Externally

Problem

  • In environments where port security features are enforced, users may observe that external VIPs assigned by MetalLB (in Layer 2 mode) are not accessible from other virtual machines or hosts (hypervisors).
Error

  • This typically occurs when attempting to connect to a service exposed via a MetalLB-assigned external IP.

Environment

  • Private Cloud Director - v2025.4 and Higher
  • Self-Hosted Private Cloud Director Virtualization – v2025.4 and Higher
  • Component - Networking

Cause

  • When MetalLB runs in Layer 2 mode, it answers ARP requests for a VIP with the MAC address of one of the Kubernetes nodes. Strict port security settings, however, often block traffic from IP/MAC combinations that are not explicitly permitted, so the ARP replies are dropped or the VIP traffic is not routed correctly.
  • This is a known bug and is reported internally with ID - KAAP-677.

Resolution

The fix is to explicitly allow the IP and MAC address combinations that MetalLB uses for the VIPs: add an Allowed Address Pair for each MetalLB VIP together with the MAC address of the corresponding VM node.

Steps to Add IP/MAC Allowed Address Pairs:

  1. Identify the MetalLB VIP that is not reachable.
  2. Determine the MAC address of the VM node.
  3. To add the IP/MAC pair, navigate to the Network and Security page and select Physical Networks.
  4. Select the Ports section and click Edit on the port of the Kubernetes worker node VM.
  5. Go to the Allowed Address Pairs section and add a new entry with: IP Address: the MetalLB VIP (e.g., 192.168.1.240); MAC Address: the MAC address of the VM node.
  6. Click Update Port to save the changes.
  7. Repeat this for all worker nodes in the cluster.
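The same steps can be applied from the command line. The script below is an added example, not part of the Platform9 article; it assumes that Private Cloud Director exposes the Neutron API through the standard `openstack` client with OS_* credentials already loaded, and that `openstack port show -f json` returns `allowed_address_pairs` as a list of objects (recent client versions). It reads each worker port's own MAC (step 2), adds the VIP/MAC pair only if it is missing (step 5), and loops over all workers (step 7).

```python
"""Added example (not the article's own procedure): apply the Allowed Address
Pairs fix for a MetalLB VIP with the OpenStack CLI.  Assumes the `openstack`
client works against the PCD Neutron API and OS_* credentials are set."""
import json
import subprocess
import sys


def run_os(*args):
    """Run an `openstack` command and return its parsed JSON output."""
    out = subprocess.run(["openstack", *args, "-f", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def pair_allowed(port, vip, port_mac):
    """True if the port already permits the VIP with the node's own MAC.
    A pair without an explicit mac_address defaults to the port's MAC in Neutron,
    so such an entry counts as matching."""
    wanted = (vip, port_mac.lower())
    return any((p.get("ip_address"), (p.get("mac_address") or port_mac).lower()) == wanted
               for p in port.get("allowed_address_pairs", []))


def ensure_vip_pair(server, vip):
    """Add the VIP/MAC pair to every port of `server` that lacks it.
    Returns the list of port IDs that were updated (empty means nothing to do)."""
    updated = []
    for entry in run_os("port", "list", "--server", server):
        port = run_os("port", "show", entry["ID"])
        mac = port["mac_address"]          # step 2: MAC of the worker VM port
        if pair_allowed(port, vip, mac):
            continue                       # already permitted, skip
        # `port set --allowed-address` appends a pair; existing pairs are kept
        subprocess.run(["openstack", "port", "set", "--allowed-address",
                        f"ip-address={vip},mac-address={mac}", port["id"]],
                       check=True)
        updated.append(port["id"])
    return updated


if __name__ == "__main__":
    # usage: python fix_metallb_vip.py <VIP> <worker-vm-name> [<worker-vm-name> ...]
    vip, *workers = sys.argv[1:]
    for worker in workers:                 # step 7: repeat for every worker node
        print(worker, "updated ports:", ensure_vip_pair(worker, vip))
```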

Additional Information

  • The fix for the bug is currently planned for future releases.
  • For further questions/concerns regarding the bug, reach out to the Platform9 Support Team.