MetalLB VIP Connectivity Issues When Accessing VIP Externally

Problem

• In environments where port security features are enforced, users may observe that external VIPs assigned by MetalLB (in Layer 2 mode) are not accessible from other virtual machines or hosts (hypervisors).

curl: (7) Failed to connect: No route to host

• This typically occurs when attempting to connect to a service exposed via a MetalLB-assigned external IP.

Environment

• Private Cloud Director - v2025.4 and Higher
• Self-Hosted Private Cloud Director Virtualization – v2025.4 and Higher
• Component - Networking

Cause

• When using MetalLB in Layer 2 mode, it responds to ARP requests using the MAC address of one of the Kubernetes nodes. However, with strict port security settings often block traffic from IP/MAC combinations that are not explicitly permitted, resulting in dropped ARP replies or traffic not being routed correctly.
• This is a known bug and is reported internally with ID - KAAP-677.

Resolution

To allow the specific IP and MAC address combinations used by MetalLB for VIPs. The fix involves adding Allowed Address Pairs for each MetalLB VIP and the corresponding VM node MAC address.

Steps to Add IP/MAC Allowed Address Pairs:

1. Identify the MetalLB VIP that is not reachable.
2. Determine the MAC address of the VM Node
3. Now, to add the IP/MAC Pair navigate to Network and Security page and select Physical Networks
4. Select Ports section and click on edit the Port (Kubernetes worker node VM)
5. Now go to the Allowed Address Pairs section. Add a new entry with: IP Address: The MetalLB VIP (e.g., 192.168.1.240) MAC Address: MAC address of the VM Node
6. Click Update Port to save changes.
7. Repeat this for all worker nodes in the cluster.

Additional Information

• The fix for the bug is currently planned for future releases.
• For further questions/concerns regarding the bug, reach out to the Platform9 Support Team.