On Fri, Mar 31, 2017 at 05:06:53PM +0200, Sven Kieske wrote:
> On 31/03/17 15:55, C. L. Martinez wrote:
> > I need to attach two physical interfaces to a guest and these phy interfaces have IP and routes assigned and I need to get them off the main routing table.
>
> I do not understand this.
>
> You can attach a physical (or virtual, doesn't matter), interface to any
> given vm, without assigning routes or IPs to these interfaces directly.

No, I can't because this host doesn't support PCI passthrough. One of these interfaces is a wireless nic.

> Just do the network configuration inside the vm, and the routing, well
> on your router? You will just need the route for the vm networks on your
> host, but what is your attack scenario to keep this separated from other
> routes on this host? you need at least CAP_NET_ADMIN to fiddle with those.

How? If the same host routes Internet traffic in the main routing table I expose host's services to Internet.

> --
> Regards
>
> Sven Kieske
>
> System Administrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +495772 293100
> F: +495772 293333
> https://www.mittwald.de
> Managing Director: Robert Meyer
> Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
> General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

--
Greetings,
C. L. Martinez
Just create a bridge, hook the host physical interface that you want in it, hook the VMs interface in it, done.
No need for passthrough.

This can be done via libvirt/virsh or if a UI is wanted then virt-manager makes this really easy.

Now assign an IP in the VM and it should work. You don't need to assign any IP on the host interface itself. Rinse and repeat for the rest of the interfaces.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
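A check for the condition described above (no IP on the host side of a guest bridge), as an added example that is not part of the original thread: it parses `ip -d -j addr show` output and lists every address the host holds on a named guest bridge or on its ports. The bridge names, interface names and sample JSON are constructed for illustration.

```python
import json

# Constructed sample in the shape of `ip -d -j addr show` output (not from the thread).
SAMPLE = json.dumps([
    {"ifname": "lo", "addr_info": [
        {"family": "inet", "local": "127.0.0.1", "prefixlen": 8, "scope": "host"}]},
    # Management NIC: not part of any guest bridge, so it is out of scope.
    {"ifname": "eth0", "addr_info": [
        {"family": "inet", "local": "192.0.2.10", "prefixlen": 24, "scope": "global"}]},
    {"ifname": "eth1", "master": "br-guest", "addr_info": []},
    {"ifname": "vnet0", "master": "br-guest", "addr_info": [
        {"family": "inet6", "local": "fe80::fc54:ff:fe00:1", "prefixlen": 64, "scope": "link"}]},
    # Misconfigured: the host itself has a routable address on the guest segment.
    {"ifname": "br-guest", "linkinfo": {"info_kind": "bridge"}, "addr_info": [
        {"family": "inet", "local": "198.51.100.1", "prefixlen": 24, "scope": "global"}]},
    {"ifname": "eth2", "master": "br-dmz", "addr_info": []},
    {"ifname": "br-dmz", "linkinfo": {"info_kind": "bridge"}, "addr_info": [
        {"family": "inet6", "local": "fe80::1", "prefixlen": 64, "scope": "link"}]},
])


def host_addresses_on_guest_bridges(ip_json, guest_bridges):
    """Return sorted (ifname, address/prefix, scope) tuples for every address
    the host holds on one of `guest_bridges` or on an interface enslaved to it.

    scope "global" means host services bound to the wildcard address are
    reachable from that segment via a routable address; scope "link" means
    they are still reachable from hosts on the same layer-2 segment.
    """
    findings = []
    for link in json.loads(ip_json):
        name = link.get("ifname")
        if name not in guest_bridges and link.get("master") not in guest_bridges:
            continue  # not a guest bridge and not one of its ports
        for addr in link.get("addr_info", []):
            cidr = f"{addr['local']}/{addr['prefixlen']}"
            findings.append((name, cidr, addr.get("scope", "unknown")))
    return sorted(findings)


if __name__ == "__main__":
    for ifname, cidr, scope in host_addresses_on_guest_bridges(
            SAMPLE, {"br-guest", "br-dmz"}):
        print(f"{ifname}: host address {cidr} (scope {scope})")
```

On a live host, feed the function the output of `ip -d -j addr show` and the names of the bridges that carry guest traffic.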
C. L. Martinez
2017-Apr-04 10:27 UTC
[CentOS-virt] Network isolation for KVM guests (SOLVED)
This can be if one of these interfaces isn't a wireless nic. But I need to use a wireless nic and another phys nic.

At least, I have solved the problem using network namespaces. All works ok and expected now.

Many thanks to all for your help

On Tue, Apr 04, 2017 at 10:39:05AM +0100, Nux! wrote:
> Just create a bridge, hook the host physical interface that you want in it, hook the VMs interface in it, done.
> No need for passthrough.
>
> This can be done via libvirt/virsh or if a UI is wanted then virt-manager makes this really easy.
>
> Now assign an IP in the VM and it should work. You don't need to assign any IP on the host interface itself. Rinse and repeat for the rest of the interfaces.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro

--
Greetings,
C. L. Martinez