
I know that with the virsh command I can create several types of networks (a "NAT network", for example) as we can see in these URLs...

KVM network management
KVM default NAT-based networking (page 33)

QUESTION: How can I create a network (lan_n) where only guests/VMs have connectivity, with no outbound connectivity and no host/hypervisor connectivity?

NOTE: The connectivity to other resources will be provided by a pfSense firewall server that will have access to another network (wan_n) with outbound connectivity and other resources.

Network layout...

                [N]wan_n
                 ↕
                [I]wan_n
            [V]pfsense_vm
                [I]lan_n
                 ↕
                [N]lan_n
                 ↕
   .............................
   ↕             ↕             ↕
  [V]some_vm_0  [V]some_vm_1  [V]some_vm_4
                [V]some_vm_2  [V]some_vm_5
                [V]some_vm_3

 _ [N] - Network;
 _ [I] - Network Interface;
 _ [V] - Virtual Machine.

NOTE: The host/hypervisor OS is CentOS 7.

Thanks! =D

Eduardo Lucio
  • This is a cross-post: https://serverfault.com/questions/1066478/kvm-virtual-machine-network-guest-guest-vm-vm-only-network-no-host-hypervisor. – berndbausch Jun 12 '21 at 02:09
  • You can at least use a bridge without assigning an IP and/or enslaving a physical NIC to it. (There's sysctl setting that turns off IPv6 link-local addressing for it btw.) – Tom Yan Jun 12 '21 at 04:44
  • @TomYan What would be the procedure to do this in CentOS 7? You can provide an answer and I will accept it if it works! Thanks! =D – Eduardo Lucio Jun 12 '21 at 19:47
  • @berndbausch It is true! Sorry about that! I'm going to delete the other thread. =D – Eduardo Lucio Jun 12 '21 at 19:49
  • Would an isolated network satisfy your requirement? (By @berndbausch) https://libvirt.org/formatnetwork.html#examplesPrivate – Eduardo Lucio Jun 12 '21 at 19:49
  • @berndbausch The problem is "and the host OS"... Anyway, thanks! =D – Eduardo Lucio Jun 12 '21 at 19:50
  • The very last example on that page disables host access (and access to the VMs from the host, too): https://libvirt.org/formatnetwork.html#examplesNoGateway. I suppose this is achieved by not giving the bridge an IP address, though the details are a bit dark to me. – berndbausch Jun 12 '21 at 23:44
  • @berndbausch Yes! It seems that the option "Network config with no gateway addresses" solves the problem! I will perform some tests and give you feedback. If it works, we'll consolidate everything with an answer here in this thread. This type of configuration can be done with a `virsh net-define ""` command which is quite secure for KVM/QEMU administration and distribution (Linux) independent. Good one! Thanks! =D – Eduardo Lucio Jun 13 '21 at 18:39

1 Answer


Create a new network config with no gateway addresses on KVM ("very private" or "very isolated")

This type of network can be used for a very private or very isolated network since it will not be possible to communicate with the virtualization host via this network. However, this virtual network interface can be used for communication between virtual guest systems. This works for IPv4 and IPv6. However, the new ipv6='yes' must be added for guest-to-guest IPv6 communication.

  • Check networks status in KVM and OS

Check networks in use by KVM...

brctl show

Check KVM Virtual Networks...

virsh net-list

Check networks in OS...

ip a

  • Create a new network config with no gateway addresses

MODEL

# The BEGIN/END sentinels keep read(1) from trimming the surrounding newlines;
# "${FILE_CONTENT:6:-3}" then drops "BEGIN\n" (6 chars) and "END" (3 chars)
# again, leaving the XML plus one trailing blank line (negative length needs bash >= 4.2).
read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
<network>
  <name>[MY_NETWORK_NAME]</name>
  <uuid>[MY_NETWORK_UUID]</uuid>
  <bridge name='virbr[MY_NETWORK_NUMBER]' stp='on' delay='0'/>
  <mac address='52:54:00:[MY_NETWORK_MAC_FINAL]'/>
</network>

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > '/usr/share/libvirt/networks/[MY_NETWORK_NAME].xml'

  1. "[MY_NETWORK_NAME]" - Name in lowercase without spaces and special characters;
  2. "[MY_NETWORK_UUID]" ("uuid" is OPTIONAL) - You can generate a new one at the URL https://www.uuidgenerator.net/version4 ;
  3. "[MY_NETWORK_NUMBER]" - We use the "virbr" prefix to follow the existing naming "convention";
  4. "[MY_NETWORK_MAC_FINAL]" ("mac" is OPTIONAL) - The prefix "52:54:00:" is always the same, otherwise the error "Invalid multicast bridge mac address" will happen. You can generate a new one at the URL https://miniwebtool.com/mac-address-generator/ .

EXAMPLE

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
<network>
  <name>okd_very_private</name>
  <uuid>cbc4be8a-1fc5-4e1a-8065-e12dab7d4175</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:CB:8A:F0'/>
</network>

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > '/usr/share/libvirt/networks/okd_very_private.xml'

Add the new network definition XML file to libvirt...

MODEL

virsh net-define "/usr/share/libvirt/networks/[MY_NETWORK_NAME].xml"

EXAMPLE

virsh net-define "/usr/share/libvirt/networks/okd_very_private.xml"

NOTE: The "net-define" is an alternative to "net-create". Use this when you want a persistent virtual network that will last through reboots and shutdowns, rather than a transient one created using "net-create".

Start the new network...

MODEL

virsh net-start [MY_NETWORK_NAME]

EXAMPLE

virsh net-start okd_very_private

To set the new network to automatically startup each time the KVM host is rebooted...

MODEL

virsh net-autostart [MY_NETWORK_NAME]

EXAMPLE

virsh net-autostart okd_very_private

TIP: To view configuration details of a specific network defined in libvirt, use the command...

MODEL

virsh net-dumpxml [MY_NETWORK_NAME]

EXAMPLE

virsh net-dumpxml okd_very_private


[Ref(s).: https://libvirt.org/formatnetwork.html#examplesNoGateway ]

Special thanks to @berndbausch ! =D

Eduardo Lucio
  • Btw, you might want to set the sysctl `disable_ipv6` of virbr1 to 1, so that no ipv6 link-local address will be assigned to the bridge on the host. – Tom Yan Jun 29 '21 at 04:10
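The whole procedure from the answer (definition file, net-define, net-start, net-autostart, net-dumpxml) together with the `disable_ipv6` sysctl from Tom Yan's comment, as an added shell example; it is not code from the original answer or from libvirt. It generates the same kind of definition the answer shows and, before calling virsh at all, checks the two properties that make the network isolated: no `<forward>` element (nothing is routed or NATed off the bridge) and no `<ip>` element (the host gets no address on the bridge and libvirt runs no dnsmasq for it). Assumed tools are uuidgen, od, awk, sed, ip, sysctl and virsh; the `RUN_APPLY` switch, the argument order and the temporary-file handling are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the original answer or from libvirt.
# Assumed tools: uuidgen, od, awk, sed, ip, sysctl, virsh. RUN_APPLY and the
# argument order (network name, bridge name) are this example's conventions.

# Random MAC in the 52:54:00 range that QEMU/libvirt use. The first octet is
# even, so the address is unicast; libvirt rejects a multicast bridge MAC.
gen_mac() {
    od -An -N3 -tu1 /dev/urandom |
        awk '{ printf "52:54:00:%02x:%02x:%02x\n", $1, $2, $3 }'
}

# Print the network XML: $1 name, $2 bridge, $3 MAC, $4 optional UUID.
# No <forward> means nothing is routed or NATed off the bridge; no <ip> means
# the host never gets an address on it and no dnsmasq is started for it.
make_network_xml() {
    cat <<EOF
<network>
  <name>$1</name>
  <uuid>${4:-$(uuidgen)}</uuid>
  <bridge name='$2' stp='on' delay='0'/>
  <mac address='$3'/>
</network>
EOF
}

# Return 0 only for an isolated definition: plain lowercase name, no <forward>,
# no <ip>, and a unicast MAC (first octet even).
check_isolated_xml() {
    xml=$1
    if printf '%s\n' "$xml" | grep -q '<forward'; then
        echo "not isolated: <forward> element present" >&2; return 1
    fi
    if printf '%s\n' "$xml" | grep -q '<ip[ >/]'; then
        echo "not isolated: <ip> element would give the host an address" >&2; return 1
    fi
    net_name=$(printf '%s\n' "$xml" | sed -n 's/.*<name>\(.*\)<\/name>.*/\1/p')
    if ! printf '%s\n' "$net_name" | grep -Eq '^[a-z0-9_]+$'; then
        echo "bad network name: '$net_name'" >&2; return 1
    fi
    mac=$(printf '%s\n' "$xml" | sed -n "s/.*<mac address='\([^']*\)'.*/\1/p")
    first=$(printf '%s' "$mac" | cut -d: -f1)
    if [ -z "$first" ] || [ $(( 0x$first & 1 )) -ne 0 ]; then
        echo "bad MAC '$mac': missing or multicast" >&2; return 1
    fi
    return 0
}

# Define, start and autostart the network, then verify on the host that the
# bridge carries no IPv4 address and switch IPv6 off on it so no link-local
# address appears either (sysctl -w is not persistent; put the key in
# /etc/sysctl.d to keep it across reboots). Needs root and virsh.
apply_network() {
    net=$1; br=$2
    xml=$(make_network_xml "$net" "$br" "$(gen_mac)")
    check_isolated_xml "$xml" || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$xml" > "$tmp"
    # net-define copies the definition into /etc/libvirt/qemu/networks/,
    # so the source file can live anywhere and is removed afterwards.
    virsh net-define "$tmp" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    virsh net-start "$net" || return 1
    virsh net-autostart "$net" || return 1
    sysctl -w "net.ipv6.conf.${br}.disable_ipv6=1" || return 1
    if ip -4 addr show dev "$br" | grep -q 'inet '; then
        echo "unexpected: $br carries an IPv4 address on the host" >&2; return 1
    fi
    virsh net-dumpxml "$net"
}

# Usage on the KVM host: RUN_APPLY=1 ./isolated-net.sh okd_very_private virbr1
if [ "${RUN_APPLY:-0}" = 1 ]; then
    apply_network "${1:-okd_very_private}" "${2:-virbr1}"
fi
```

Because no `<ip>` element exists, libvirt starts no dnsmasq on this bridge, so guests on lan_n get their addresses from the pfSense VM or from static configuration, never from the host. The host still owns the bridge interface; the check at the end confirms it has no IPv4 address, and the sysctl removes the IPv6 link-local address that would otherwise be the one remaining way for guests to reach the host over this network.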