[libvirt-users] Routing isolated network

Laine Stump laine at laine.org
Thu Jul 28 19:07:46 UTC 2016


On 07/28/2016 02:55 AM, Erwin Straver wrote:
>
>
> I want to create a network like this:
>
>
> Internet -- physical router -- host (network 192.168.178.x)
>                                 -- virtual machine dmz -- eth0 (connected to physical router)
>                                                        -- eth1 (connected to isolated network 10.0.0.x)
>                                 -- virtual machine www -- eth0 (connected to isolated network 10.0.0.x)
>
> network design <http://i.stack.imgur.com/QoCz9.png>
>
> I have a virtual host which is connected to my physical router with 
> eth0 and ip4 address 192.168.178.100. I create a virtual machine dmz 
> which connects 'direct' to my router via my physical device eth0 on 
> the virtual host:
>
>     <network connections='1'>
>       <name>direct</name>
>       <uuid>379d4687-445e-4bc6-8354-b555c7f18b15</uuid>
>       <forward dev='eth0' mode='bridge'>
>         <interface dev='eth0' connections='1'/>
>       </forward>
>     </network>
>
> On my virtual machine I create a second nic eth1 which is connected to 
> a virtual network virbr-local:
>
>     <network>
>       <name>local</name>
>       <uuid>d31b2e0d-810b-4ba0-8ac4-02bc53746142</uuid>
>       <bridge name='virbr-local' stp='on' delay='0'/>
>       <mac address='52:54:00:92:06:5c'/>
>       <domain name='local.box'/>
>       <dns>
>         <forwarder addr='192.168.178.1'/>
>       </dns>
>       <ip address='10.0.0.1' netmask='255.0.0.0'>
>         <dhcp>
>           <range start='10.0.0.100' end='10.0.0.255'/>
>           <host mac='52:54:00:51:31:86' ip='10.0.0.30'/>
>         </dhcp>
>       </ip>
>       <route address='10.0.0.0' prefix='8' gateway='10.0.0.30'/>
>     </network>
>
> Now I want to create a second virtual machine which connects to the 
> internet through the virtual machine dmz on the virbr-local subnet. Is 
> there a way to accomplish this kind of setup?
>

A libvirt "isolated" virtual network is intended for situations where 
you want communication between guests and the host, but not beyond. It 
will have iptables rules automatically loaded that prevent any traffic 
on that network from "escaping" to the outside. That's not what you want 
though - you want the traffic to get out, but only via the virtual 
machine named "dmz".

The most straightforward way to do this is to:

1) create a libvirt virtual network with *no IP* address on the host (so 
that it's impossible for any traffic from this network to get out 
directly via the host)

then set up your "dmz" guest just as you would a real hardware firewall:

2) manually assign an IP address (probably 10.0.0.1) in the "dmz" 
guest's network config for eth1

3) enable ip_forwarding on dmz

4) enable dnsmasq service on dmz's eth1 (rather than relying on a 
dnsmasq on the host) to provide each additional guest on the "local" 
network with
     a) an IP address
     b) a DNS proxy listening on dmz's eth1
     c) a default route pointing to 10.0.0.1 (i.e. dmz's eth1)

The libvirt virtual network definition is as simple as it gets:

   <network>
     <name>local</name>
   </network>
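As an added illustration (not part of the thread), the following script renders the configuration for steps 2-4 on the "dmz" guest as reviewable text, and goes one step further than the reply by adding the forward/NAT policy a hardware firewall in that position would carry. Interface names, 10.0.0.0/8 and the 192.168.178.1 forwarder come from the thread; the ifupdown stanza, nftables and the file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render the config for Laine's steps
# 2-4 on the "dmz" guest (plus NAT on its eth0) as reviewable files. Run
# with "render" to print them. Interface names, 10.0.0.0/8 and the
# 192.168.178.1 forwarder come from the thread; file paths are assumptions.
set -eu
LAN_IF=eth1                 # dmz's leg on the host-IP-less "local" network
WAN_IF=eth0                 # dmz's leg bridged to the physical router
LAN_IP=10.0.0.1; LAN_CIDR=8 # step 2: static address on eth1
UPSTREAM_DNS=192.168.178.1  # forwarder from the original <dns> element

# Step 2: ifupdown stanza (assumed Debian-style guest)
gen_interfaces() {
    printf 'auto %s\niface %s inet static\n    address %s/%s\n' \
        "$LAN_IF" "$LAN_IF" "$LAN_IP" "$LAN_CIDR"
}
# Step 3: enable forwarding persistently
gen_sysctl() { printf 'net.ipv4.ip_forward = 1\n'; }
# Step 4: dnsmasq bound to eth1 only: DHCP lease, DNS proxy, default route
gen_dnsmasq() {
    cat <<EOF
interface=$LAN_IF
bind-interfaces
no-resolv
server=$UPSTREAM_DNS
dhcp-range=10.0.0.100,10.0.0.255,255.0.0.0,12h
dhcp-option=option:router,$LAN_IP
dhcp-option=option:dns-server,$LAN_IP
EOF
}
# Firewall: forward local->outside and masquerade on eth0; from the outside
# only replies to existing flows reach the local network (default drop).
gen_nft() {
    cat <<EOF
table inet dmz {
  chain forward {
    type filter hook forward priority 0; policy drop;
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    iifname "$WAN_IF" oifname "$LAN_IF" ct state established,related accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}
if [ "${1:-}" = render ]; then
    for f in gen_interfaces gen_sysctl gen_dnsmasq gen_nft; do echo "## $f"; $f; done
fi
```

Because the host side of the "local" network carries no IP address, the nft forward chain on dmz is the only path out, which is the property the reply is after.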
