[libvirt-users] bridge and route without IP

Laine Stump laine at laine.org
Fri Apr 1 19:50:36 UTC 2011


On 03/31/2011 04:29 PM, Robert Šmol wrote:
> Hi,
> I want to forward all traffic received on eth1 into virtual domain 
> 'firewall' (where I want to configure public IP+shorewall)
>
> I've created following network:
>
> node002 qemu # cat networks/int-001.xml
> <network>
> <name>int-001</name>
> <bridge name="intbr0" />
> <forward mode="route" device="eth1"/>
> </network>
>
> virsh # net-create networks/int-001.xml
> error: Failed to create network from networks/int-001.xml
> error: internal error Forwarding requested, but no IP address provided

You don't want to setup a virtual network for this type of configuration 
- a libvirt virtual network is in reality a bridge device that is only 
connected to guest interfaces, not to any physical interface. Because no 
physical device is connected to that bridge, the only way out to the 
rest of the world is via the host's IP routing, and in order for the 
bridge to participate in routing, it must have an IP address assigned to 
it (and the guests must be on the same subnet as that IP address). So, 
not only will a virtual network not give you the functionality you want, 
also you are trying to configure the virtual network in an unusable 
manner (you say you want it to forward, but you don't give it an IP 
address, which it needs in order to participate in IP routing).

>
> But want to set the public IP on the Firewall side. How do I do that? 
> Would the macvtap help me?

Yes, you need to either use macvtap (if your kernel supports it) and 
don't configure an IP address for eth1 on the host, or configure a 
bridge that's directly connected to eth1, don't supply that bridge with 
any IP address (so the host can't directly talk through it), and connect 
the guest to the bridge. macvtap will be simpler and more efficient (if 
you have it :-))
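Added illustration (not part of the original thread, and not libvirt's own code): a small Python script that reproduces the check behind the error Robert hit, shows what the network definition would need to be accepted as a routed virtual network, and builds the guest <interface> elements for the two alternatives Laine describes (macvtap in bridge mode on eth1, or an IP-less host bridge that has eth1 enslaved). The bridge name br1, the subnet 192.168.100.0/24 and the iproute2 command list are assumptions chosen for the example; the commands are returned as strings and not executed, since they need root and the real NIC.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the network definition from the question; libvirt rejects it.
NETWORK_XML = """<network>
  <name>int-001</name>
  <bridge name="intbr0"/>
  <forward mode="route" device="eth1"/>
</network>"""

# Same definition with the <ip> element a routed virtual network needs
# (192.168.100.0/24 is a hypothetical subnet chosen for illustration).
ROUTED_NETWORK_XML = """<network>
  <name>int-001</name>
  <bridge name="intbr0"/>
  <forward mode="route" device="eth1"/>
  <ip address="192.168.100.1" netmask="255.255.255.0"/>
</network>"""


def check_network(xml_text):
    """Return a list of problems with a <network> definition.

    Mirrors the rule that produced "Forwarding requested, but no IP address
    provided": with forward mode nat or route (nat is libvirt's default when
    <forward/> has no mode), the virtual network's bridge has no physical port,
    so it is only reachable through the host's IP routing and must carry an
    address of its own.  Assumption: only nat and route are checked here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        return ["root element is <%s>, expected <network>" % root.tag]
    problems = []
    fwd = root.find("forward")
    if fwd is not None and fwd.get("mode", "nat") in ("nat", "route") and not root.findall("ip"):
        problems.append("Forwarding requested, but no IP address provided")
    return problems


def guest_iface_macvtap(host_dev, model="virtio"):
    """Guest NIC attached to host_dev through macvtap (libvirt type='direct').

    mode='bridge' lets the guest talk to the outside world on host_dev's link;
    the host keeps no IP address on host_dev, so the guest effectively owns it.
    """
    iface = ET.Element("interface", type="direct")
    ET.SubElement(iface, "source", dev=host_dev, mode="bridge")
    ET.SubElement(iface, "model", type=model)
    return ET.tostring(iface, encoding="unicode")


def guest_iface_bridge(bridge, model="virtio"):
    """Guest NIC attached to an existing host bridge (libvirt type='bridge')."""
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "model", type=model)
    return ET.tostring(iface, encoding="unicode")


def host_bridge_commands(bridge, host_dev):
    """iproute2 commands (assumed modern syntax) that build an IP-less host
    bridge over host_dev.  Returned as strings, never executed here.
    Note the deliberate absence of 'ip addr add ... dev <bridge>': without an
    address the host cannot talk through the bridge, only the guest can."""
    return [
        "ip addr flush dev %s" % host_dev,        # host must not own an address on the uplink
        "ip link add %s type bridge" % bridge,
        "ip link set %s master %s" % (host_dev, bridge),
        "ip link set %s up" % host_dev,
        "ip link set %s up" % bridge,
    ]


if __name__ == "__main__":
    print("original definition:", check_network(NETWORK_XML))
    print("with <ip>:", check_network(ROUTED_NETWORK_XML))
    print("macvtap guest NIC:", guest_iface_macvtap("eth1"))
    print("bridged guest NIC:", guest_iface_bridge("br1"))
    print("host bridge setup:\n  " + "\n  ".join(host_bridge_commands("br1", "eth1")))
```

Neither guest <interface> element carries an IP address: the public address and shorewall live inside the 'firewall' domain, which is the configuration the question asks for. Either snippet goes into the domain's <devices> section, not into a <network> definition.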
