[clug] [CLUG] KVM Bridge networking - Update 1

George at Clug Clug at goproject.info
Sun Apr 12 10:52:51 UTC 2020


Steve,

Thank you for responding. Below are some links I found that refer to what I call “KVM Bridged Networking”.

At one time Virt-Manager had the ability to create bridges from its GUI, in "Network Interfaces", but that functionality has been removed, and now I need to create the bridges outside of Virt-Manager.

While reading the below link I found a text diagram that gave me the idea for my diagram below, which shows the networking configuration that I want to run on my KVM host. I am hoping this might more clearly show what I want to achieve. Does it help you understand?

Note: The diagram does not show the routers which will be employed to allow, for example, the internal LAN access to the Internet, or the DMZ's firewall/router to the Internet. 

I once worked where the networking was similar to the diagram; it used VMware for virtual networking, which I found quite easy to configure using the GUI, as I did when Virt-Manager used to manage the creation of bridges. I am not particularly good at command line utilities; I prefer where I can use GUI menus and graphically visualise things (e.g. connections). I think OpenStack does network visualisation well.

Concept borrowed from https://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
===KVM HOST=================================================================
                +------+       +-----+
Internet -->    | eth1 |  <==> | br1 |  -> KVM VMs connected directly to the Internet (high risk, but for example BigBlueButton requests to be directly connected to the Internet)
                +------+       +-----+
                                59.51.2.0/28

                +------+       +-----+
DMZ      -->    | eth2 |  <==> | br2 |  -> KVM VMs connected to the DMZ for isolated Internet-facing servers (for web and email servers)
                +------+       +-----+
                                123.1.2.0/24

                +------+       +-----+
LAN      -->    | eth2 |  <==> | br2 |  -> KVM VMs connected to the company's internal LAN (DHCP server, file servers, workstations, etc.)
                +------+       +-----+
                                123.2.2.0/24

                +------+       +-----+
LAN      -->    | eth0 |  <==> | br0 |  -> KVM VMs connected to the LAN for SAN/NFS/BACKUP and management network
                +------+       +-----+
                                10.10.x.y/24
====================================================================

While reading one of the links, it states "brctl (deprecated, use ip link instead)". This is a bit sad for me, as I have yet to learn brctl; I guess the good news is that I can focus on learning "ip" instead?

To answer Bob's question about the Linux distribution I am currently using, it is Debian Buster, for a number of reasons, including: I can understand /etc/network/interfaces configuration more easily than using brctl or ip or NetworkManager or systemd.network. I do have some familiarity with /etc/sysconfig/network-scripts from using CentOS previously.


https://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
                +------+       +-----+
LAN      -->    | eth0 |  <==> | br0 |  -> KVM VMs connected to LAN for SAN/NFS
                +------+       +-----+
                                10.10.x.y/24


                +------+       +-----+
Internet -->    | eth1 |  <==> | br1 |  -> KVM VMs connected to the Internet
                +------+       +-----+
                                123.1.2.0/28
Where,

    All other clients can reach all VMs via br1, which is connected to the public interface. br1 is our default gateway.
    br0 is connected to private LAN to access other servers, services and storage devices such as SAN/NAS or NFS servers. br0 route is configured via route-br0 static networking configuration file.


https://wiki.libvirt.org/page/Networking#Bridged_networking_.28aka_.22shared_physical_device.22.29
Bridged networking (aka "shared physical device")
More advanced users will want to use full bridging, where the guest is connected directly to the LAN. The instructions for setting this up vary by distribution, and even by release. 
Libvirt will add iptables rules to allow traffic to/from guests attached to the virbr0 device in the INPUT, FORWARD, OUTPUT and POSTROUTING chains. It will also attempt to enable ip_forward. Some other applications may disable it, so the best option is to add the following to /etc/sysctl.conf
 net.ipv4.ip_forward = 1


https://www.linux-kvm.org/page/Networking
Public Bridge
Use case:
    You want to assign IP addresses to your virtual machines and make them accessible from your local network
    You also want performance out of your virtual machine
The following commands must be installed on the host system and executed as root:
ip
brctl (deprecated, use ip link instead)
tunctl (deprecated, use ip tuntap instead)

https://www.lisenet.com/2016/configure-public-bridge-guest-networking-in-kvm-on-debian-jessie/


https://www.dedoimedo.com/computers/kvm-bridged.html
How to setup bridged networking in KVM - Tutorial 

https://computingforgeeks.com/how-to-create-and-configure-bridge-networking-for-kvm-in-linux/
How To Create and Configure Bridge Networking For KVM in Linux

https://serverfault.com/questions/614455/linux-bridging-for-kvm
Linux bridging for KVM

https://access.redhat.com/discussions/1286653
KVM Bridge networking is a real pain 

https://www.howtoforge.com/how-to-install-kvm-and-libvirt-on-centos-6.2-with-bridged-networking
Prevent bridged traffic from being processed by iptables rules; this improves the bridge’s performance. In /etc/sysctl.conf append the following lines:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/virtualization/sect-virtualization-network_configuration-bridged_networking_with_libvirt
Alternatively, prevent bridged traffic from being processed by iptables rules. In /etc/sysctl.conf append the following line

https://help.ubuntu.com/community/KVM/Networking


On Sunday, 12-04-2020 at 17:45 steve jenkin wrote:
> > On 11 Apr 2020, at 12:07, George at Clug via linux <linux at lists.samba.org> wrote:
> > 
> > Hi,
> > 
> > In my quest for isolated bridges for a KVM host, I have had some success, but only by disabling IPv6 on the bridge itself (thanks Bob for the suggestion of disabling IPv6).
> > 
> > If you understand this stuff better than myself, please point out any stupid errors may have made.  (this has been a four day intensive research journey for myself).
> > 
> > I would prefer not to have had to disable IPv6 on the bridge, but until I learn how to stop "systemd-networkd" from re-enabling my efforts to disable autoconfiguration on the bridge, it will have to do as a solution.
> > 
> > First I found this statement, which if true explains why I was not able to disable IPv6 addresses, even after setting IPv6 autoconfiguration as disabled.
> > 
> > "The problem with Ubuntu 18 and ipv6 is that systemd-networkd controls kernel parameters, so though one might disable ipv6 with sysctl, networkd will be more than happy switching them on for you, if the configuration does not state otherwise."
> > 
> > The below web page provided some helpful suggestions
> > https://hsmr.cc/Freifunk/GatewayKonfiguration
> 
> ======
> 
> I’ve never heard of “KVM Bridged Networking” before and searching for a description, simple or not, didn’t enlighten me.
> Perhaps after you’ve solved your problem you might send the list a link to a page or two that covers this.
> 
> I understand the need to bridge interfaces and have done that occasionally, but not with VM’s. Have relied on the default NAT interface and a single NIC in my simple VM’s.
> 
> As a general point, default IPv6 configuration is often not what people want or need, generally because they don’t use it on their LAN and their ISP doesn’t route it.
> 
> IPv6 defaults have been the source of significant intrusions in the past, disabling it altogether is good security practice at the moment.
> 
> Hope these notes help.
> 
> stevej
> 
> ======
> 
> 0, I’ve no idea of “what” you’re trying to do, though you keep repeating to the list the same “how I want to do things”. Repeating something in the same words doesn’t make others get the point.
> 
> 	See #3 for an example of someone who described his problem clearly and succinctly.
> 	Perhaps elements of his solution (MAC addresses that changed) might work for you.
> 
> 
> 1. Do either of these recent pages match your environment and problem? [Note, no mention of IPv6] 
> 
> How to Install and Configure KVM on Ubuntu 18.04 LTS Server. 
> <https://www.linuxtechi.com/install-configure-kvm-ubuntu-18-04-server/>
> 
> 
> KVM: Creating a bridged network with NetPlan on Ubuntu bionic
> <https://fabianlee.org/2019/04/01/kvm-creating-a-bridged-network-with-netplan-on-ubuntu-bionic/>
> 
> 
> 
> 2. This youtube video (mute it or go mad) is a step-by-step for old-style sysinit (pre-systemd & services).
> to be clear: DO NOT FOLLOW THIS
> 
> Included because the screen capture is quite thorough and easy enough for me to follow & be confident.
> Perhaps you could find such a tutorial for netplan / systemd + services
> 
> KVM Bridge Networking in Ubuntu
> 2012 
> 	 warning, NOT systemd
> <https://www.youtube.com/watch?v=AcdMhEzu36o>
> 
> 
> 3. A problem + solution using  RHEL 6.5, co-incidentally ’systemd’ + service.
> 	I like the clear way he outlines his problem, the hardware setup and his intended outcome.
> 	Leaves out extraneous details.
> 
> KVM Bridge networking is a real pain
> <https://access.redhat.com/discussions/1286653>
> 
> 
> 4. An old article, pre-systemd, but does try to explain for the likes of me, what  “KVM Bridged Networking” is,
> and why I might be interested.
> 
> How to setup bridged networking in KVM - Tutorial
> 	2011
> <https://www.dedoimedo.com/computers/kvm-bridged.html>
> 
> There are two ways we can try doing this.
> 
> One, we will create a bridge. 
> Two devices will be bridged. 
> Our physical device eth1 and the virtual device called vnet0. 
> After we ascertain that our bridge works properly, 
> we will commit the changes to a network configuration file on the disk. 
> Virtual machines will lease their IP addresses from the router. 
> This is similar to what we did with VirtualBox. 
> This is the method we will cover here.
> 
> Limitations
> 
> There are many things that can go wrong. 
> Your router may not support bridging. 
> Your network interface may not support bridging. 
> Your available pool of IP address leases may be limited. 
> You may have a firewall interfering. 
> Lastly, specifically for Ubuntu, you might encounter problems and conflicts if the Network Manager is managing the bridged interface.
> 
> 
> 
> 
> --
> Steve Jenkin, IT Systems and Design 
> 0412 786 915 (+61 412 786 915)
> PO Box 38, Kippax ACT 2615, AUSTRALIA
> 
> mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
> 
> 
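The thread above lists the pieces of an isolated-bridge setup (the "ip link" replacement for the deprecated brctl, a Debian Buster /etc/network/interfaces stanza, disabling IPv6 on the bridge itself, and the sysctl lines the linked how-tos mention) but never puts them together. The script below is an added example, not code from the original post, from Steve, or from any of the linked pages. It prints, as a dry run, the commands and configuration for the bridges in George's diagram; with --apply as root it executes the live "ip" commands. The interface names, bridge names, the 10.10.1.2/24 management address and the br_netfilter/bridge-utils assumptions are placeholders and assumptions, not a known host; the LAN bridge, which the diagram also labels br2, is omitted here so the two br2 entries do not collide.

```shell
#!/bin/sh
# Added example, not code from the original thread or its linked pages.
# Prints (or, with --apply as root, runs) the iproute2 equivalent of the
# deprecated brctl steps for isolated KVM bridges, plus the Debian Buster
# /etc/network/interfaces stanza that makes each bridge persistent.
# Bridge names, NIC names and the address below are placeholders modelled
# on the diagram in the post; they are assumptions, not a known host.

# Shell commands that create bridge $1 with NIC $2 as its only port.
# Each line is paired with the brctl call it replaces. IPv6 is switched
# off on the bridge itself, as the post's workaround did, so the host
# never acquires an address on a zone it is only meant to switch.
bridge_cmds() {
    br=$1; nic=$2
    cat <<EOF
ip link add name $br type bridge              # brctl addbr $br
ip link set dev $br type bridge stp_state 0   # brctl stp $br off
ip link set dev $nic master $br               # brctl addif $br $nic
ip link set dev $nic up
ip link set dev $br up
sysctl -w net.ipv6.conf.$br.disable_ipv6=1
EOF
}

# ifupdown stanza (the bridge_* keys need the bridge-utils package).
# With no address ($3 empty) the bridge is "manual": the host has no IP
# on it at all, which is what you want on the Internet and DMZ bridges.
# The management bridge gets a static address so the host stays reachable.
interfaces_stanza() {
    br=$1; nic=$2; addr=$3
    if [ -n "$addr" ]; then
        printf 'auto %s\niface %s inet static\n    address %s\n' "$br" "$br" "$addr"
    else
        printf 'auto %s\niface %s inet manual\n' "$br" "$br"
    fi
    cat <<EOF
    bridge_ports $nic
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    post-up sysctl -w net.ipv6.conf.$br.disable_ipv6=1

EOF
}

# Host-wide sysctls. ip_forward stays 0: a host that bridges Internet, DMZ
# and LAN must not also route between them (the diagram keeps the routers
# separate); set it to 1 only if libvirt's NAT network (virbr0) is in use.
# The bridge-nf keys stop iptables from filtering bridged frames (the
# performance tip in the linked how-tos). With them at 0 the host firewall
# no longer sees guest traffic, so any inter-guest filtering has to be done
# on the router or with nftables' bridge family. These keys only exist
# once the br_netfilter module is loaded (assumption: add it to /etc/modules).
host_sysctl_conf() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# Constructed inventory, one bridge per line: "<bridge> <nic> [host address]"
BRIDGES='
br0 eth0 10.10.1.2/24
br1 eth1
br2 eth2
'

# Dry run: everything that --apply would do, plus the persistent config.
plan() {
    printf '%s\n' "$BRIDGES" | while read -r br nic addr; do
        [ -n "$br" ] || continue
        echo "# --- $br (port $nic) ---"
        bridge_cmds "$br" "$nic"
        interfaces_stanza "$br" "$nic" "$addr"
    done
    host_sysctl_conf
}

case "${1:-}" in
    --apply)   # as root: configure the live system only, write no files
        printf '%s\n' "$BRIDGES" | while read -r br nic addr; do
            [ -n "$br" ] || continue
            bridge_cmds "$br" "$nic" | sh -e
        done ;;
    *)         # default: show the plan
        plan ;;
esac
```

Run it without arguments first and compare the printed stanzas with the existing /etc/network/interfaces before pasting them in; the "manual" stanzas are the ones that keep the host itself off the Internet and DMZ segments, and the management bridge is the only one on which the host should answer.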
