
I know that with the virsh command I can create several types of networks (a "NAT network", for example) as we can see in these URLs...

KVM network management
KVM default NAT-based networking (page 33)

QUESTION: How can I create a network (lan_n) where only guests/VMs have connectivity, with no outbound connectivity and no host/hypervisor connectivity?

NOTE: The connectivity to other resources will be provided by a pfSense firewall server that will have access to another network (wan_n) with outbound connectivity and other resources.

Network layout...

            [N]wan_n
             ↕
            [I]wan_n
        [V]pfsense_vm
            [I]lan_n
             ↕
            [N]lan_n
             ↕
      ↕            ↕            ↕            ↕            ↕            ↕
[V]some_vm_0 [V]some_vm_1 [V]some_vm_2 [V]some_vm_3 [V]some_vm_4 [V]some_vm_5

[N] - Network; [I] - Network Interface; [V] - Virtual Machine.

NOTE: The host/hypervisor OS is CentOS 7.

Thanks! =D

1 Answer

Create a new network config with no gateway addresses on KVM ("very private" or "very isolated")

This type of network can be used for a very private or very isolated network since it will not be possible to communicate with the virtualization host via this network. However, this virtual network interface can be used for communication between virtual guest systems. This works for IPv4 and IPv6. However, the new ipv6='yes' must be added for guest-to-guest IPv6 communication.

  • Check networks status in KVM and OS

Check networks in use by KVM...

brctl show

Check KVM Virtual Networks...

virsh net-list

Check networks in OS...

ip a

  • Create a new network config with no gateway addresses

MODEL

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
<network>
  <name>[MY_NETWORK_NAME]</name>
  <uuid>[MY_NETWORK_UUID]</uuid>
  <bridge name='virbr[MY_NETWORK_NUMBER]' stp='on' delay='0'/>
  <mac address='52:54:00:[MY_NETWORK_MAC_FINAL]'/>
</network>

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > '/usr/share/libvirt/networks/[MY_NETWORK_NAME].xml'

  1. "[MY_NETWORK_NAME]" - Name in lowercase without spaces and special characters;
  2. "[MY_NETWORK_UUID]" ("uuid" is OPTIONAL) - You can generate a new one at the URL https://www.uuidgenerator.net/version4 ;
  3. "[MY_NETWORK_NUMBER]" - We use the "virbr" prefix to follow the existing naming "convention";
  4. "[MY_NETWORK_MAC_FINAL]" ("mac" is OPTIONAL) - The prefix "52:54:00:" is always the same, otherwise the error "Invalid multicast bridge mac address" will happen. You can generate a new one at the URL https://miniwebtool.com/mac-address-generator/ .

EXAMPLE

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
<network>
  <name>okd_very_private</name>
  <uuid>cbc4be8a-1fc5-4e1a-8065-e12dab7d4175</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:CB:8A:F0'/>
</network>

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > '/usr/share/libvirt/networks/okd_very_private.xml'

Add the new network definition XML file to libvirt...

MODEL

virsh net-define "/usr/share/libvirt/networks/[MY_NETWORK_NAME].xml"

EXAMPLE

virsh net-define "/usr/share/libvirt/networks/okd_very_private.xml"

NOTE: The "net-define" is an alternative to "net-create". Use this when you want a persistent virtual network that will last through reboots and shutdowns, rather than a transient one created using "net-create".

Start the new network...

MODEL

virsh net-start [MY_NETWORK_NAME]

EXAMPLE

virsh net-start okd_very_private

To set the new network to automatically startup each time the KVM host is rebooted...

MODEL

virsh net-autostart [MY_NETWORK_NAME]

EXAMPLE

virsh net-autostart okd_very_private

TIP: To view configuration details of a specific network defined in libvirt, use the command...

MODEL

virsh net-dumpxml [MY_NETWORK_NAME]

EXAMPLE

virsh net-dumpxml okd_very_private


[Ref(s).: https://libvirt.org/formatnetwork.html#examplesNoGateway ]

Special thanks to @berndbausch ! =D
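A way to confirm that a defined network really has the isolation the answer describes, added here as an example and not part of the answer above: the check reads the XML that `virsh net-dumpxml` prints and rejects any definition carrying a `<forward>` element (outbound NAT/route/bridge) or an `<ip>` element (a host-side address, which would make the hypervisor reachable from the guests). The two sample definitions are constructed inline; the `check_isolated_net` wrapper and the `192.168.122.1` default-network address are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of the original answer): verify that a libvirt network
# definition really is "very isolated": no <forward> element (no NAT/route/bridge
# to the outside) and no <ip> element (no host-side address on the bridge, so
# guests cannot reach the hypervisor). Input: XML as printed by `virsh net-dumpxml`.

# Prints each violation found; returns 0 when isolated, 1 otherwise.
check_isolated_net_xml() {
    local xml="$1" rc=0
    if printf '%s\n' "$xml" | grep -q '<forward'; then
        echo "NOT isolated: <forward> present (outbound NAT/route/bridge)"
        rc=1
    fi
    if printf '%s\n' "$xml" | grep -Eq '<ip[ >]'; then
        echo "NOT isolated: <ip> present (host gets an address on the bridge)"
        rc=1
    fi
    return "$rc"
}

# Live check of a defined network on the KVM host (needs virsh; not run here).
check_isolated_net() {
    check_isolated_net_xml "$(virsh net-dumpxml "$1")"
}

# Constructed sample 1: the answer's gateway-less definition (should pass).
ISOLATED_XML='<network>
  <name>okd_very_private</name>
  <bridge name="virbr1" stp="on" delay="0"/>
  <mac address="52:54:00:CB:8A:F0"/>
</network>'

# Constructed sample 2: a "default"-style NAT network (should fail twice:
# it forwards outbound traffic and gives the host 192.168.122.1 on the bridge).
NAT_XML='<network>
  <name>default</name>
  <forward mode="nat"/>
  <bridge name="virbr0" stp="on" delay="0"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp><range start="192.168.122.2" end="192.168.122.254"/></dhcp>
  </ip>
</network>'

for sample in "$ISOLATED_XML" "$NAT_XML"; do
    if check_isolated_net_xml "$sample"; then
        echo "accepted: isolated, safe to use as lan_n"
    fi
done
```

On the host, `check_isolated_net okd_very_private` runs the same check against the live definition; an `ip a show virbr1` with no `inet` line confirms the host side has no address on the bridge.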