Chuck Munro
2012-Jan-18 19:45 UTC
[CentOS] Connecting ethX devices directly to a KVM/QEMU guest OS (no bridging)
Hello CentOS gurus, and a belated Happy New Year (or an early Happy Chinese New Year).

I'm in the process of building a CentOS-6 KVM host machine whose only function will be to run four independent 'm0n0wall' firewall guest instances. I have a couple of quad-port Intel NICs to provide four WAN-side and four LAN-side ports, which will not be shared with any other guests. Remote access to the host CentOS is via a separate on-board NIC, so the Intel ports are free to assign.

I've Googled until I'm blue in the face, but haven't found a clear explanation of how I can assign each ethX device directly to the guest OS rather than going thru the usual bridge configuration. I need to allow the m0n0wall OS to assign the LAN and WAN IP addresses, if that's possible without using a bridge.

Using the Virtual Machine Manager GUI to create the VM guests (which boot up and run nicely), the drop-down list shows all of the ethX devices greyed out. Do I need to somehow start the NICs without assigning IP addresses, so that they show up in 'ifconfig'?

Can anyone provide a clear, easy-to-understand procedure for doing this? If necessary, I don't mind using the command-line to create the VMs but the docs aren't totally clear (to me, at least) regarding NIC assignment.

Thanking you in advance for your suggestions,
Chuck
Tait Clarridge
2012-Jan-18 21:49 UTC
[CentOS] Connecting ethX devices directly to a KVM/QEMU guest OS (no bridging)
> I've Googled until I'm blue in the face, but haven't found a clear
> explanation of how I can assign each ethX device directly to the guest
> OS rather than going thru the usual bridge configuration. I need to
> allow the m0n0wall OS to assign the LAN and WAN IP addresses, if that's
> possible without using a bridge.

I would think that it is a little easier to set up a bridge but not assign an IP address for it on the CentOS host.

eg.

/etc/sysconfig/network-scripts/ifcfg-br0

    DEVICE="br0"
    TYPE="Bridge"
    BOOTPROTO="none"
    ONBOOT="yes"
    NM_CONTROLLED="no"

/etc/sysconfig/network-scripts/ifcfg-ethX (where X is the interface number of one of your Intel ports and the HWADDR is the MAC address)

    DEVICE="ethX"
    ONBOOT="yes"
    BRIDGE="br0"
    HWADDR="xx:xx:xx:xx:xx:xx"
    NM_CONTROLLED="no"

Restart the network service, then run brctl show - the new bridges should show up.

Create the 8 bridges that you need and go from there, you should be able to assign them in Virtual Machine Manager to the VMs.

Then in your VM guests you should be able to assign the IPs that you want.
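The following is an added example, not part of the original post: it writes the ifcfg pair shown above for each NIC and then checks that no bridge config would give the CentOS host an address of its own on a firewall-facing segment. The function names, the CFG_DIR scratch directory, the bridge/NIC numbering and the MAC addresses are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example: generate IP-less bridge configs and audit them.
# All names and MAC addresses below are constructed for illustration.

# write_bridge_pair DIR BRIDGE NIC MAC
# Writes ifcfg-BRIDGE (no address on the host) and ifcfg-NIC (enslaved).
write_bridge_pair() {
    dir=$1 br=$2 nic=$3 mac=$4
    cat > "$dir/ifcfg-$br" <<EOF
DEVICE="$br"
TYPE="Bridge"
BOOTPROTO="none"
ONBOOT="yes"
NM_CONTROLLED="no"
EOF
    cat > "$dir/ifcfg-$nic" <<EOF
DEVICE="$nic"
ONBOOT="yes"
BRIDGE="$br"
HWADDR="$mac"
NM_CONTROLLED="no"
EOF
}

# audit_bridges DIR
# Prints every bridge config that has an IPADDR line or does not
# explicitly set BOOTPROTO=none. Returns 0 if clean, 1 otherwise.
audit_bridges() {
    dir=$1 bad=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        grep -Eq '^TYPE="?Bridge"?$' "$f" || continue
        if grep -Eq '^IPADDR[0-9]*=' "$f" ||
           ! grep -Eq '^BOOTPROTO="?none"?$' "$f"; then
            echo "$f"
            bad=1
        fi
    done
    return $bad
}

# Demo with constructed values, written to a scratch directory
# rather than /etc/sysconfig/network-scripts.
CFG_DIR=${CFG_DIR:-$(mktemp -d)}
write_bridge_pair "$CFG_DIR" br0 eth1 "02:00:00:00:00:01"
write_bridge_pair "$CFG_DIR" br1 eth2 "02:00:00:00:00:02"
audit_bridges "$CFG_DIR" && echo "no bridge in $CFG_DIR gives the host an address"
```
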
Chuck Munro
2012-Jan-19 17:48 UTC
[CentOS] Connecting ethX devices directly to a KVM/QEMU guest OS (no bridging)
On 01/19/2012 09:00 AM, Tait Clarridge wrote:
>> I've Googled until I'm blue in the face, but haven't found a clear
>> explanation of how I can assign each ethX device directly to the guest
>> OS rather than going thru the usual bridge configuration. I need to
>> allow the m0n0wall OS to assign the LAN and WAN IP addresses, if that's
>> possible without using a bridge.
>
> I would think that it is a little easier to set up a bridge but not
> assign an IP address for it on the CentOS host.
>
> eg.
>
> /etc/sysconfig/network-scripts/ifcfg-br0
>
> DEVICE="br0"
> TYPE="Bridge"
> BOOTPROTO="none"
> ONBOOT="yes"
> NM_CONTROLLED="no"
>
> /etc/sysconfig/network-scripts/ifcfg-ethX (where X is the interface
> number of one of your Intel ports and the HWADDR is the MAC address)
>
> DEVICE="ethX"
> ONBOOT="yes"
> BRIDGE="br0"
> HWADDR="xx:xx:xx:xx:xx:xx"
> NM_CONTROLLED="no"
>
> Restart the network service, then run brctl show - the new bridges
> should show up.
>
> Create the 8 bridges that you need and go from there, you should be able
> to assign them in Virtual Machine Manager to the VMs.
>
> Then in your VM guests you should be able to assign the IPs that you
> want.

Thanks for your reply, Tait.

I came to much the same conclusion after I eventually found an article about tinkering with the host kernel device tables to remap each NIC instance. I was going to try it until I discovered that the new motherboard I'm using doesn't properly support IOMMU in the BIOS, which the mapping trick requires. So much for that idea.

Your method of not configuring a bridge IP address gets around having the NIC appear to my ISP as having some sort of rogue IP (even if I assign something in the 172.16... range). I wasn't aware that I could bring up the bridge without an IP.

But a new problem arises ... one of the m0n0wall instances needs to use DHCP to get a dynamic IP from my ISP (the others are static, so they're ok). How do I get the bridge to proxy the DHCP request and forward the response to the VM guest? I brought up a test instance of m0n0wall but when it asks for an IP on its WAN side, the result is 0.0.0.0/8 so it would appear the request never makes it to the ISP.

As a sanity check, I configured the WAN-side bridge to use DHCP and that worked, but it's the m0n0wall VM guest that needs to make the request, not the CentOS host.

Suggestions anyone? In the meantime, I'll keep looking for a solution.

Thanks,
Chuck