MetalLB VIP Connectivity Issues When Accessing VIP Externally
Problem
In environments where port security features are enforced, users may observe that external VIPs assigned by MetalLB (in Layer 2 mode) are not accessible from other virtual machines or hosts (hypervisors).
curl: (7) Failed to connect: No route to host
This typically occurs when attempting to connect to a service exposed via a MetalLB-assigned external IP.
Environment
Private Cloud Director - up to 2025.7-47
Self-Hosted Private Cloud Director Virtualization - up to 2025.7-47
Component - Networking
Cause
When MetalLB runs in Layer 2 mode, one of the Kubernetes nodes answers ARP requests for the VIP with its own MAC address, so the VIP/MAC combination seen on the network is not the IP/MAC pair the node's port was provisioned with. Strict port security settings block traffic from IP/MAC combinations that are not explicitly permitted on the port, so the ARP replies are dropped (or traffic to the VIP is not forwarded). The client never resolves a MAC for the VIP, which surfaces as the "No route to host" error shown above.
This was a known limitation, tracked as KAAP-677, and is fixed in 2025.8-92 and later versions.
Resolution
The workaround is to explicitly allow the specific IP and MAC address combinations that MetalLB uses for VIPs. This involves adding an Allowed Address Pair for each MetalLB VIP together with the MAC address of the corresponding VM node.
Steps to add IP/MAC Allowed Address Pairs:
1. Identify the MetalLB VIP that is not reachable.
2. Determine the MAC address of the VM node.
3. To add the IP/MAC pair, navigate to the Network and Security page and select Physical Networks.
4. Open the Ports section and click Edit on the port of the Kubernetes worker node VM.
5. Go to the Allowed Address Pairs section and add a new entry with IP Address: the MetalLB VIP (e.g., 192.168.1.240) and MAC Address: the MAC address of the VM node.
6. Click Update Port to save the changes.
7. Repeat this for all worker nodes in the cluster: the MetalLB Layer 2 leader for a VIP can fail over to any node, so every worker port needs an entry for every VIP.
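The following script is an added example, not part of the Platform9 article, that audits the steps above before or after they are carried out in the UI. It collects the MetalLB VIPs from service status (JSON shaped like `kubectl get svc -A -o json`), compares them with each worker port's allowed address pairs (JSON shaped like `openstack port show <port> -f json`, on the assumption that the Private Cloud Director network API is Neutron-compatible), and reports every (port, VIP, MAC) combination that is still missing. The service and port data below are constructed samples, and the `openstack port set --allowed-address` commands it renders are the CLI equivalent of the UI steps, assumed rather than taken from the article.

```python
"""Audit MetalLB Layer 2 VIPs against port-security allowed address pairs.

Added example; not Platform9 code. Assumptions:
  * services JSON is shaped like `kubectl get svc -A -o json`
  * port JSON is shaped like `openstack port show <port> -f json`, with
    allowed_address_pairs as a list of {ip_address, mac_address} dicts
    (a pair without mac_address defaults to the port's own MAC)
All input data below is constructed sample data.
"""
import json

SERVICES_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "192.168.1.240"}]}}},
        {"metadata": {"namespace": "default", "name": "api"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "192.168.1.241"}]}}},
        # ClusterIP services have no VIP and must be ignored.
        {"metadata": {"namespace": "default", "name": "internal"},
         "spec": {"type": "ClusterIP"},
         "status": {"loadBalancer": {}}},
    ]
})

# One port per Kubernetes worker VM (constructed). Worker 1 already has one
# VIP allowed; worker 2 has none, which is the state the article describes.
WORKER_PORTS_JSON = [
    json.dumps({"id": "port-worker-1", "mac_address": "fa:16:3e:aa:bb:01",
                "allowed_address_pairs": [
                    {"ip_address": "192.168.1.240",
                     "mac_address": "fa:16:3e:aa:bb:01"}]}),
    json.dumps({"id": "port-worker-2", "mac_address": "fa:16:3e:aa:bb:02",
                "allowed_address_pairs": []}),
]


def metallb_vips(services_json):
    """Return the sorted external IPs assigned to LoadBalancer services."""
    vips = set()
    for svc in json.loads(services_json).get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            if "ip" in entry:
                vips.add(entry["ip"])
    return sorted(vips)


def allowed_pairs(port):
    """Normalise a port's allowed_address_pairs into a set of (ip, mac)."""
    pairs = set()
    for pair in port.get("allowed_address_pairs") or []:
        mac = (pair.get("mac_address") or port["mac_address"]).lower()
        pairs.add((pair["ip_address"], mac))
    return pairs


def missing_pairs(vips, ports_json):
    """List (port_id, vip, mac) entries that still need to be added.

    Every worker needs every VIP: the MetalLB L2 leader for a VIP can move
    to any node, and the ARP reply then carries that node's MAC address.
    """
    missing = []
    for raw in ports_json:
        port = json.loads(raw)
        mac = port["mac_address"].lower()
        have = allowed_pairs(port)
        for vip in vips:
            if (vip, mac) not in have:
                missing.append((port["id"], vip, mac))
    return missing


def remediation_commands(missing):
    """Render the CLI equivalent of the UI steps for each missing pair
    (assumes the openstack client's --allowed-address syntax)."""
    return [
        f"openstack port set --allowed-address ip-address={vip},mac-address={mac} {port_id}"
        for port_id, vip, mac in missing
    ]


if __name__ == "__main__":
    gaps = missing_pairs(metallb_vips(SERVICES_JSON), WORKER_PORTS_JSON)
    if not gaps:
        print("all MetalLB VIPs are covered by allowed address pairs")
    for cmd in remediation_commands(gaps):
        print(cmd)
```

Run it with the real `kubectl` and `openstack port show -f json` output substituted for the sample data; an empty result means every worker port already permits every VIP, and any line it prints corresponds to one Allowed Address Pair still to be added in the Ports UI.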
Additional Information
The fix for the bug is currently planned for future releases.
For further questions/concerns regarding the bug, reach out to the Platform9 Support Team.