Eduardo Lúcio Amorim Costa
2021-Jun-11 23:22 UTC
KVM Virtual Machine Network - Guest-guest/VM-VM only network (no host/hypervisor access, no outbound connectivity)
I know that with the *virsh* command I can create several types of networks (a "NAT network", for example) as we can see in these URLs...

KVM network management <https://programmersought.com/article/52213715009/>
KVM default NAT-based networking <https://www.ibm.com/downloads/cas/ZVJGQX8E> (page 33)

*QUESTION:* How can I create a network (*lan_n*) where only guests/VMs have connectivity, with no outbound connectivity and no host/hypervisor connectivity?

*NOTE:* The connectivity to other resources will be provided by a *pfSense* firewall server that will have access to another network (*wan_n*) with outbound connectivity and other resources.

Network layout...

[N]wan_n -- [I]wan_n [V]pfsense_vm [I]lan_n -- [N]lan_n
                                                  |
            .............................
            |              |              |
[V]some_vm_0 [V]some_vm_1 [V]some_vm_4 [V]some_vm_2 [V]some_vm_5 [V]some_vm_3

_ [N] - Network;
_ [I] - Network Interface;
_ [V] - Virtual Machine.

*Thanks! =D*

*ORIGINAL QUESTION:* https://serverfault.com/q/1066478/276753

--
*Eduardo Lúcio*
Technology, Development and Free Software
LightBase Consultoria em Software Público
eduardo.lucio at lightbase.com.br
*+55-61-3347-1949* - http://brlight.org - *Brasil-DF*
*Free software! Embrace this idea!*
*"Those who deny freedom to others deserve it not for themselves."* *Abraham Lincoln*
Laine Stump
2021-Jun-14 15:51 UTC
KVM Virtual Machine Network - Guest-guest/VM-VM only network (no host/hypervisor access, no outbound connectivity)
On 6/11/21 7:22 PM, Eduardo Lúcio Amorim Costa wrote:
> I know that with the *virsh* command I can create several types of
> networks (a "NAT network", for example) as we can see in these URLs...
>
> KVM network management <https://programmersought.com/article/52213715009/>
> KVM default NAT-based networking
> <https://www.ibm.com/downloads/cas/ZVJGQX8E> (page 33)
>
> *QUESTION:* How can I create a network (*lan_n*) where only guests/VMs
> have connectivity, with no outbound connectivity and no host/hypervisor
> connectivity?

(Just to be sure I'm understanding correctly - you want the guests on this network to have connectivity to each other, but not guest<->host, and nothing beyond the host, correct?)

Normally the guests would get their DHCP-assigned IP address from the host, and use the host for DNS, but since you want to forbid guest<->host communication, that implies that either one of the guests on the network will act as DHCP/DNS server, or that the guests will have statically configured IP addresses.

That being the case, all you really need is to define a libvirt virtual network that has no IP address on the host, e.g.:

<network>
  <name>super-isolated</name>
</network>

(It *might* be necessary to add "ipv6='yes'" immediately after "network" in order for IPv6 connectivity to work, but I'm not sure and don't have a setup to try it right now).

> *NOTE:* The connectivity to other resources will be provided by a
> *pfSense* firewall server that will have access to another network
> (*wan_n*) with outbound connectivity and other resources.

Yes, this is a common config - have a "super-isolated" network for all the guests + the firewall VM, and then the firewall VM has a 2nd interface that connects everyone to the outside.

> Network layout... [N]wan_n ? [I]wan_n [V]pfsense_vm [I]lan_n ? [N]lan_n
> ? ............................. ? ? ? [V]some_vm_0 [V]some_vm_1
> [V]some_vm_4 [V]some_vm_2 [V]some_vm_5 [V]some_vm_3 _ [N] - Network; _
> [I] - Network Interface; _ [V] - Virtual Machine.

Sigh. Stupid email client formatting - your original ASCII diagram looked nice, but just look at what Thunderbird did to it when I hit reply :-/ (fortunately I didn't need to refer to it)
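The reply above boils down to two properties of a libvirt network definition: no <forward> element means there is no path off the host, and no <ip> element means the host never assigns itself an address on the bridge, so guests cannot reach the hypervisor. The following script is an added example (not code from either poster or from libvirt) that audits network definitions for exactly those two properties. The three XML documents it contains are constructed samples: the stock "default" NAT network as libvirt ships it, the "super-isolated" definition from the reply, and a hypothetical isolated network that still gives the host a bridge address. The function names classify_network and audit_networks are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the stock libvirt "default" NAT network. The host holds
# 192.168.122.1 on virbr0 and NAT-forwards traffic, so guests can reach both
# the host and the outside world.
NAT_NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
"""

# Constructed sample: the guest-only network from the reply. No <forward>
# (no outbound path) and no <ip> (the host puts no address on the bridge).
SUPER_ISOLATED_XML = """<network>
  <name>super-isolated</name>
</network>
"""

# Constructed sample (hypothetical name): an "isolated" network that still
# configures a host IP. Guests cannot reach the outside, but they CAN reach
# the host through the bridge address, which the question wants to avoid.
ISOLATED_WITH_HOST_IP_XML = """<network>
  <name>isolated-with-host-ip</name>
  <ip address='192.168.200.1' netmask='255.255.255.0'/>
</network>
"""


def classify_network(xml_text):
    """Describe what a libvirt <network> definition exposes.

    has_forward: a <forward> element is present, so there is a path off the
                 host (libvirt treats a missing mode attribute as 'nat').
    has_host_ip: an <ip> element is present, so the host configures an
                 address on the bridge and is reachable from the guests.
    guest_only:  neither is present; only guests attached to the bridge can
                 talk to each other, and they must bring their own DHCP/DNS.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("not a libvirt <network> definition")
    name_el = root.find("name")
    name = name_el.text.strip() if name_el is not None and name_el.text else ""
    forward = root.find("forward")
    has_forward = forward is not None
    has_host_ip = root.find("ip") is not None
    return {
        "name": name,
        "has_forward": has_forward,
        "forward_mode": forward.get("mode", "nat") if has_forward else None,
        "has_host_ip": has_host_ip,
        "guest_only": not has_forward and not has_host_ip,
        # The reply is unsure whether ipv6='yes' on <network> is needed for
        # IPv6 guest-guest traffic; we only report whether it is set.
        "ipv6_enabled": root.get("ipv6") == "yes",
    }


def audit_networks(xml_docs):
    """Map network name -> classification for a list of XML definitions."""
    results = {}
    for doc in xml_docs:
        info = classify_network(doc)
        results[info["name"]] = info
    return results


if __name__ == "__main__":
    samples = [NAT_NETWORK_XML, SUPER_ISOLATED_XML, ISOLATED_WITH_HOST_IP_XML]
    for name, info in audit_networks(samples).items():
        verdict = "guest-only" if info["guest_only"] else "NOT guest-only"
        print(f"{name:24} forward={info['forward_mode']!s:6} "
              f"host_ip={info['has_host_ip']!s:5} -> {verdict}")
```

On a real host the input would come from `virsh net-dumpxml <name>` for each name listed by `virsh net-list --all`; the definition from the reply is loaded with `virsh net-define` and `virsh net-start`. The check is deliberately conservative: any <ip> element at all is reported as host-reachable, because even an address without a <dhcp> block still puts the hypervisor on the same L2 segment as the guests.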