Cole Robinson
2018-Oct-02 13:53 UTC
Re: [libvirt-users] [virt-tools-list] Virt-manager: Restricted networks
On 10/02/2018 08:50 AM, Olivier Léobal wrote:
> Hello,
>
> 'Isolated' networks created in VMM (I’m running 1.4.3) still connect to
> the host (as gateway). Is it possible to avoid this? It is my
> understanding that QEMU provides a 'restrict' option for that, but I
> don't understand it well, and can’t find it in VMM.
>

ccing libvirt-users

That's expected of isolated mode, according to this:

https://wiki.libvirt.org/page/VirtualNetworking#Isolated_mode

I'm not sure if/how to go about creating a network that only VMs can
communicate on

- Cole

Laine Stump
2018-Oct-02 14:43 UTC
Re: [libvirt-users] [virt-tools-list] Virt-manager: Restricted networks
On 10/02/2018 09:53 AM, Cole Robinson wrote:
> On 10/02/2018 08:50 AM, Olivier Léobal wrote:
>> Hello,
>>
>> 'Isolated' networks created in VMM (I’m running 1.4.3) still connect
>> to the host (as gateway). Is it possible to avoid this? It is my
>> understanding that QEMU provides a 'restrict' option for that, but I
>> don't understand it well, and can’t find it in VMM.
>>
>
> ccing libvirt-users
>
> That's expected of isolated mode, according to this:
>
> https://wiki.libvirt.org/page/VirtualNetworking#Isolated_mode
>
> I'm not sure if/how to go about creating a network that only VMs can
> communicate on

If you want a network that doesn't even allow connections between the
host and the guests, then you won't want DNS or DHCP running on the host
for that network either, and for that matter, you will want the host to
not have any IP address for that network. (Of course in this case the
guests on the network will need to have their IP addresses statically
configured, or you'll need to run your own dhcp server on one of the
guests).

If that is what you want, then you want a network declared like this:

    <network>
      <name>reallyisolated</name>
    </network>

This will set up a bridge that has no IP address on the host, no DHCP
server, and no DNS server, but the guests will still be able to
communicate among themselves.

If you want the host to handle dhcp requests from the guests, but not
allow any traffic, then you can add in an IP address with a <dhcp>
section, but configure the firewall of the host to reject all traffic on
the bridge interface other than dhcp; guests will still be able to
communicate with each other.