Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[Solved] Basic virtual network with VMs to get internet
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Mon Jul 15, 2024 1:20 am    Post subject: [Solved] Basic virtual network with VMs to get internet Reply with quote

Hi all!, I'm new in all this about network, as a linux user I knows some basics, but I lack a of knowledge, actually the idea rn is not about where to learn, but a way for a basic user to be able to get working some basic network for VMs.

To fully understand how will works the solutions... we can get to know a lot of things, I have done some research, the main point is, we can create several VMs, but they are usually on NAT, so we can't access them from the host, the point is be able to create a network, connect the VMs and be able to access to them.

Reading, seems the best option is use a bridge (which seems to be very similar to a virtual switch), most of docs describe how to perform this, but there is a tricky part, the docs uses ehternet interface to do it to works, so there is some problems

If we don't have a ethernet connection we will can't route the devices, so no ip will be assigned to any place.
Does not works for Wifi.
We need to use a physical device, which is far from ideal.

Rn in my limitated experience, seems the point is create a bridge, create a virtual device, give internet to it, put the bridge as master to give internet to the bridge, and then use that network on the VMs.

How I'm trying to do it without ethernet (a dummy interface just does not does the trick on the bridge), is hard to test the actal info, there is some good videos and docs like https://www.youtube.com/watch?v=6435eNKpyYw&t=1234s

So here the points, is bridge the best solution? (best not easier), How can we create this network?

In the previous video, here is the used config for a bridge using ethernet, how can we change/update it using a virtual one:

/etc/systemd/network/br.netdev
Code:

[NetDev]
Name=br0
Kind=bridge


/etc/systemd/network/1-br0-bind.netdev
Code:

[Match]
Name=eno1 #ethernet interface

[Network]
Bridge=br0


/etc/systemd/network/2-br0-dhcp.netdev
Code:

[Match]
Name=br0

[Network]
DHCP=ipv4


Solution

After check everything, using the default NAT configuration of VIRSH we can access to all the guest by their Ip, and they will have internet.

Just be cautious with the guest firewalls, some distros can enable https and not http or other ones who can do harder access from the host to their services!

Thx!


Last edited by Pipeng on Tue Jul 23, 2024 1:57 pm; edited 1 time in total
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Mon Jul 15, 2024 2:56 pm    Post subject: Reply with quote

Some of the extensions are wrong. 1-br0-bind.netdev and 2-br0-dhcp.netdev should end in .network, not .netdev.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Mon Jul 15, 2024 4:04 pm    Post subject: Reply with quote

Hi yes, sorry I wrote them wrong on the post, they are using the right names.

Still the files are a example using a physical interface, instead a virtual one to achieve this.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Mon Jul 15, 2024 4:36 pm    Post subject: Reply with quote

I don;'t think wifi support bridging. The problem is the MAC (BSSID) address is part of the wifi association, so its not possible to carry "foreign" MACs over it .You have to use a routed network. If you libvirt, it has optional firewalld integration for help with poking holes in the NAT.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Mon Jul 15, 2024 4:47 pm    Post subject: Reply with quote

Yes, we can't use wifi, that is why I thought in a virtual interface isntead, I tryied it but didn't worked, how we can do what you suggests?
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Mon Jul 15, 2024 6:19 pm    Post subject: Reply with quote

If you are using libvirt, it already creates a 192.168.122.0/24 NAT network for you, along with an interface: virbr0. IF you also use virt-manager you can delete it and create a new one Edit->Connection Details->Virtual Networks.

You have 2 choices: either routing with NAT (called "nat" in libvirt) , or routing without NAT (called "routed" in libvirt). In NAT mode, all traffic appears to come from the VM host. In route mode, traffic appears to come from a different network. In both cases, no configuration is necessary via systemd-networkd: libvirt will manage the interface on its own.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Mon Jul 15, 2024 10:00 pm    Post subject: Reply with quote

Hi, yes, the main issue with the default configurations is that we can't reach them from the host, which is one of the points of the post.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Tue Jul 16, 2024 12:34 am    Post subject: Reply with quote

How exactly are you trying to reach them? You won't be able to directly reach NAT'ed guests from the outside without forwarding rules, but routed guests should be reachable normally.

Fist, shut down all virtual machines.

If you want to use a routed network, use a file like this one:

local.xml:
Code:
<network>
  <name>local</name>
  <bridge name="virbr1"/>
  <forward mode="route" dev="${IFACE}"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254" />
    </dhcp>
  </ip>
</network>


Replace ${IFACE} with you wireless network interface (like wlo1 and customize the file as you see fit (If you network already has a 192.168.122.0 network, pick a different one)

Then do:
Code:
virsh -c qemu:///system net-autostart default --disable
virsh -c qemu:///system net-destroy default
virsh -c qemu:///system net-define local.xml
virsh -c qemu:///system net-start local
virsh -c qemu:///system net-autostart local


This will disable the default network and enable yours.

Then, for each guest, change the network source on the NIC to be the new network (Virtual network 'local'). Then restart your guests. They should now be accessible from any host on your network.

If their still not accessible off the host, check to see whether the guests can access the Internet and whether the host can reach the guests.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Tue Jul 16, 2024 2:35 am    Post subject: Reply with quote

Hi! thx for the help.

Sadly there is some issues... from the VMs... I don't have access to internet, I try a ubuntu iso and seems I got an ip from what the ui shows, but ip link list does not agree with it, shows no ip.

Code:

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:eb:f4:52 brd ff:ff:ff:ff:ff:ff


Maybe because of the same reason, the routed networks put all the vms veeery slow, maybe this shows more on the rocky linux because it waits for the network to be ready, while in ubuntu is in the background.

Edited:

Here the final network file

Code:

<network>
  <name>local</name>
  <uuid>3188b327-2375-4251-90d8-71065a926256</uuid>
  <forward dev="wlo1" mode="route">
    <interface dev="wlo1"/>
  </forward>
  <bridge name="virbr2" stp="on" delay="0"/>
  <mac address="52:54:00:b0:ac:9c"/>
  <ip address="192.168.123.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.123.2" end="192.168.123.254"/>
    </dhcp>
  </ip>
</network>
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Tue Jul 16, 2024 3:56 pm    Post subject: Reply with quote

That's normal. You won't see the IP from the "outside". Only the "inside" adapter sees the IP.

If you don;t have access to the Internet from your guests, make sure IP Forwarding is enabled on the host.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Tue Jul 16, 2024 5:06 pm    Post subject: Reply with quote

Hi, the adapter I post is from the VM, they are not getting an ip.

How can I check the forwading is enabled?

thx.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Tue Jul 16, 2024 7:44 pm    Post subject: Reply with quote

Ok, the guests should be getting DHCP leases from the host, and the in-guest network adapters should have IP addresses. IF it doesn't, it could be one of 2 things: either there's something wrong with libvirt's network configuration, or the client is stuck on it old IP address.

Fir the first case, execute
Code:
virsh -c qemu:///system net-list
and verify your network ("local") is active, autostarted and persistent. Second, make sure each guest is attached to the cxorrect interface. For each guest:
Code:
virsh -c qemu:///system domiflist <domainname>


It should display your bridge "vibr2" in the "Source" column

If its correct, but its still nto working, shut down your VM are restart the libvirtd service.

If it doesn't work after that, the client may have a "stuck" lease - it wants the old least and refuses the DHCPNAK. In htat case,, you'll need to release and renew the current lease in the gueast, but instructions for that vary dependong on the guest. For Linux guests, you may need to shut down network service and delete the least files by hand.

For IP Forwarding,use the following command to show it:
Code:
sysctl net.ipv4.ip_forward
It'll output the current value. To change it:
Code:
sysctl -w net.ipv4.ip_forward=1


This, however, will not perist across a reboot. To make it persist varies depending on your init system (systemd or OpenRC).
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Wed Jul 17, 2024 1:20 am    Post subject: Reply with quote

Hi!

I can confirm virsh is using the right network (is not active by default, by I start it manually from the gui before create the VM), and forwading is active.

About the vms:

Code:

virsh -c qemu:///system domiflist ubuntu24.04
 Interface   Type      Source   Model    MAC
------------------------------------------------------------
 vnet0       network   local    virtio   52:54:00:b1:56:3c


Why it should show "virbr2" in the source? actually is showing the actual network we have configured, which is "local".

Thx!
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Wed Jul 17, 2024 2:51 am    Post subject: Reply with quote

OK, its looks different on mine because mine is Ethernet and bridged. Your looks correct for a routed network. The guests should be getting IP address from the host's dnsmasq (which by started by libvirtd). Is it still not working?

IF its still not working and you haven't already done it, shut down libvirtd, make sure dnsmasq is not running, then restart libvirtd and see if your guests can get IP's after that.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Wed Jul 17, 2024 12:36 pm    Post subject: Reply with quote

Hi, still does not works.

I have not enabled dnsmasq service.
Libvirt is using dnsmasq to assign ip, even in the logs we can see it already assigned an ip to the guest:

Code:

jul 17 08:26:02 pipe-pc dnsmasq[6478]: using nameserver 200.75.0.5#53
jul 17 08:26:02 pipe-pc dnsmasq[6478]: read /etc/hosts - 4 names
jul 17 08:26:02 pipe-pc dnsmasq[6478]: read /var/lib/libvirt/dnsmasq/local.addnhosts - 0 names
jul 17 08:26:02 pipe-pc dnsmasq-dhcp[6478]: read /var/lib/libvirt/dnsmasq/local.hostsfile
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPDISCOVER(virbr2) 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPOFFER(virbr2) 192.168.123.188 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPDISCOVER(virbr2) 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPOFFER(virbr2) 192.168.123.188 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPREQUEST(virbr2) 192.168.123.188 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPACK(virbr2) 192.168.123.188 52:54:00:51:2a:e9 ubuntu


But when we check the guest, there is ip if we check the gui, but.. when we ping something, there is 100% of package lost.
Sorry, the ip link list command does not shows the actual ip of the interfaces, I get confused with it.

So, there is ip, but no internet.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Wed Jul 17, 2024 2:22 pm    Post subject: Reply with quote

ok, check a few things:

From the guest, ping:

The host
Another device on the LAN
Your router
An Internet host

See which one succeed and which ones fail.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Wed Jul 17, 2024 3:42 pm    Post subject: Reply with quote

Hi, here the results:

Host Ip: 192.168.5.130 (Ok)
Host Lan: 192.168.5.22 (100% packet lost)
Host Router: 192.168.5.1 (Destination Host Unreachable)

Guest Ip: 192.168.123.253
Guest router (?: 192.168.123.1 (Ok)

Ping to google: 100% packet lost
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Wed Jul 17, 2024 6:39 pm    Post subject: Reply with quote

Ok so it looks like packets are correct being routed off the host,, but they can't get back.

In your router, try adding a static route. You want to route everything to the 192.168.123.0/24 network to your VM's host address (192.168.5.130) in your case.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Wed Jul 17, 2024 7:44 pm    Post subject: Reply with quote

Is there a way to achieve that locally? The router belongs to the internet company, I don't have access to it.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Thu Jul 18, 2024 1:35 am    Post subject: Reply with quote

That's a problem. Without a route, you can get packets out, but when they come into the router, the router will send them to its default gateway (the ISP) rather then your network. In addition the router may have a firewall that prevent anything not in its network (192.168.5.024) is rejected on the internal interfaces.

The only way top make it work transparently to other hosts is through NAT or bridging. Routing required control of the main router. The mainrouter also needs to send ICMP REDIRECT packets to the internal hosts telling them how to find the guest network (most will do this if the have a static route), otherwise a route will need to be added to all clients on the networks in addition to the guest network.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Thu Jul 18, 2024 2:57 am    Post subject: Reply with quote

Which one could we try? the default NAT has the guest hide, while bridging, should be done with a virtual interface instead of a physical one, even if I know it, I does not know how to configure it.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22648

PostPosted: Thu Jul 18, 2024 2:20 pm    Post subject: Reply with quote

NAT is generally easier to set up. When set up properly, the host can connect to the guests without issue. Other physical machines will need to connect to the host and let a NAT rule on the host pass the traffic to the guest.
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Thu Jul 18, 2024 2:29 pm    Post subject: Reply with quote

how can we configure it? can you guide me plis? thx!
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 556

PostPosted: Thu Jul 18, 2024 5:00 pm    Post subject: Reply with quote

If you still have the default network, we need to re-enable it:

Code:

virsh -c qemu:///system net-autostart local --disable
virsh -c qemu:///system net-destroy local
virsh -c qemu:///system net-start ldefault
virsh -c qemu:///system net-autostart default


Then attach all your VMs the the "default" network. That will restore NAT. Your guests should be able to get out, but if you have any servers on the guests, they won't be accessible without additional configuration.

If you undefined the "default" network, you can redefine it by using the file at https://github.com/libvirt/libvirt/blob/master/src/network/default.xml.in

Code:

virsh -c qemu:///system net-define /dev/stdin
[Paste the content from  default.xml.in]
[Press Control+D]
Back to top
View user's profile Send private message
Pipeng
Tux's lil' helper
Tux's lil' helper


Joined: 23 Jul 2013
Posts: 117

PostPosted: Thu Jul 18, 2024 7:31 pm    Post subject: Reply with quote

Hi, thx, and how can we do the host access to the guest with NAT? Hu said is possible to do.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum