Mathias Gibbens
2023-Jun-19 16:25 UTC
Starting guest VM with default NAT network breaks host routing
I'm running libvirt 9.0.0 on a Debian 12 bookworm host, setting up a Windows 11 guest using qemu-kvm and the default NAT network[1]. When I start the guest VM, it successfully acquires a DHCP lease, and I can ping other hosts on my local network subnet, but something then happens which messes up routing on the *host* machine, resulting in no access to anything beyond my LAN. If I shut down the VM, network access returns to normal on the host system.

I've been unable to figure out how to fix this, and unfortunately the terms are generic enough that Google isn't much help -- most of the results are about issues with NAT setup (which is working), not route configuration of the host. I did find one similar report[2], but there's no reported solution.

I feel like this should be a very common use case, so maybe I've just set up something wrong. Since I haven't been able to solve it on my own, I'm hoping someone will have a pointer to get me going in the right direction. Further details are below, and I'm happy to provide anything else that might prove useful.

Thanks,
Mathias

Before starting the guest VM, routes on the host are:

> $ ip route
> default via 172.20.1.1 dev wlan0 proto dhcp src 172.20.1.110 metric 600
> 169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
> 172.20.1.0/24 dev wlan0 proto kernel scope link src 172.20.1.110 metric 600
> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

A few seconds after the guest finishes booting, the host gets some new routes, and connectivity outside of the local LAN subnet breaks:

> $ ip route
> 0.0.0.0 dev vnet0 scope link
> default dev vnet0 scope link
> default via 172.20.1.1 dev wlan0 proto dhcp src 172.20.1.110 metric 600
> 169.254.0.0/16 dev vnet0 proto kernel scope link src 169.254.103.112
> 169.254.0.0/16 dev virbr0 scope link metric 1000
> 172.20.1.0/24 dev wlan0 proto kernel scope link src 172.20.1.110 metric 600
> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

Within the guest, I can ping the NAT gateway (192.168.122.1), the host's IP (172.20.1.110), and another computer on the network (172.20.1.105), so NAT appears to be working correctly:

> C:\Users\user>ipconfig /all
>
> Windows IP Configuration
>
>    Host Name . . . . . . . . . . . . : DESKTOP-LGNEPEC
>    Primary Dns Suffix . . . . . . . :
>    Node Type . . . . . . . . . . . . : Hybrid
>    IP Routing Enabled. . . . . . . . : No
>    WINS Proxy Enabled. . . . . . . . : No
>
> Ethernet adapter Ethernet:
>
>    Connection-specific DNS Suffix . :
>    Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
>    Physical Address. . . . . . . . . : 52-54-00-AE-05-B2
>    DHCP Enabled. . . . . . . . . . . : Yes
>    Autoconfiguration Enabled . . . . : Yes
>    Link-local IPv6 Address . . . . . : fe80::2881:98b7:34b8:fe2%11(Preferred)
>    IPv4 Address. . . . . . . . . . . : 192.168.122.203(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Lease Obtained. . . . . . . . . . : Monday, June 19, 2023 14:03:57
>    Lease Expires . . . . . . . . . . : Monday, June 19, 2023 15:03:57
>    Default Gateway . . . . . . . . . : 192.168.122.1
>    DHCP Server . . . . . . . . . . . : 192.168.122.1
>    DHCPv6 IAID . . . . . . . . . . . : 340939776
>    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-0E-E6-F4-52-54-00-AE-05-B2
>    DNS Servers . . . . . . . . . . . : 192.168.122.1
>    NetBIOS over Tcpip. . . . . . . . : Enabled
>
> C:\Users\user>ping 192.168.122.1
>
> Pinging 192.168.122.1 with 32 bytes of data:
> Reply from 192.168.122.1: bytes=32 time<1ms TTL=64
> Reply from 192.168.122.1: bytes=32 time<1ms TTL=64
> Reply from 192.168.122.1: bytes=32 time<1ms TTL=64
> Reply from 192.168.122.1: bytes=32 time<1ms TTL=64
>
> Ping statistics for 192.168.122.1:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> C:\Users\user>ping 172.20.1.110
>
> Pinging 172.20.1.110 with 32 bytes of data:
> Reply from 172.20.1.110: bytes=32 time<1ms TTL=64
> Reply from 172.20.1.110: bytes=32 time<1ms TTL=64
> Reply from 172.20.1.110: bytes=32 time<1ms TTL=64
> Reply from 172.20.1.110: bytes=32 time<1ms TTL=64
>
> Ping statistics for 172.20.1.110:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> C:\Users\user>ping 172.20.1.105
>
> Pinging 172.20.1.105 with 32 bytes of data:
> Reply from 172.20.1.105: bytes=32 time=49ms TTL=63
> Reply from 172.20.1.105: bytes=32 time=31ms TTL=63
> Reply from 172.20.1.105: bytes=32 time=26ms TTL=63
> Reply from 172.20.1.105: bytes=32 time=26ms TTL=63
>
> Ping statistics for 172.20.1.105:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 26ms, Maximum = 49ms, Average = 33ms

-----

[1] -- Here's the NAT configuration:

> <network>
>   <name>default</name>
>   <uuid>ff6cd6ed-a8fe-4e50-8852-3c93a169e156</uuid>
>   <forward mode="nat">
>     <nat>
>       <port start="1024" end="65535"/>
>     </nat>
>   </forward>
>   <bridge name="virbr0" stp="on" delay="0"/>
>   <mac address="52:54:00:4e:80:30"/>
>   <ip address="192.168.122.1" netmask="255.255.255.0">
>     <dhcp>
>       <range start="192.168.122.2" end="192.168.122.254"/>
>     </dhcp>
>   </ip>
> </network>

[2] -- https://unix.stackexchange.com/questions/723091/kvm-booting-guest-breaks-network-on-host-still-reachable-within-lan-but-no-in
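
The two route tables from the post, compared programmatically (an added example, not part of the original message; the function names are illustrative). It lists the routes that appear once the guest is up and shows which default route the kernel prefers, given that `ip route` prints no metric for metric 0 and the lowest metric wins among routes to the same prefix.

```python
import re

# Route tables copied from the post: before and after the guest boots.
BEFORE = """\
default via 172.20.1.1 dev wlan0 proto dhcp src 172.20.1.110 metric 600
169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
172.20.1.0/24 dev wlan0 proto kernel scope link src 172.20.1.110 metric 600
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
"""
AFTER = """\
0.0.0.0 dev vnet0 scope link
default dev vnet0 scope link
default via 172.20.1.1 dev wlan0 proto dhcp src 172.20.1.110 metric 600
169.254.0.0/16 dev vnet0 proto kernel scope link src 169.254.103.112
169.254.0.0/16 dev virbr0 scope link metric 1000
172.20.1.0/24 dev wlan0 proto kernel scope link src 172.20.1.110 metric 600
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
"""

def parse(table):
    """Parse `ip route` text; a route printed without a metric has metric 0."""
    routes = []
    for line in table.strip().splitlines():
        def field(name):
            m = re.search(rf"\b{name} (\S+)", line)
            return m.group(1) if m else None
        routes.append({"dst": line.split()[0], "dev": field("dev"),
                       "via": field("via"), "metric": int(field("metric") or 0)})
    return routes

def route_key(r):
    # Flags such as "linkdown" are state, not identity, so they are ignored.
    return (r["dst"], r["dev"], r["via"], r["metric"])

def added_routes(before, after):
    """Routes present after the guest boots that were absent before."""
    seen = {route_key(r) for r in parse(before)}
    return [r for r in parse(after) if route_key(r) not in seen]

def effective_default(table):
    """Among 'default' entries the kernel prefers the lowest metric."""
    defaults = [r for r in parse(table) if r["dst"] == "default"]
    return min(defaults, key=lambda r: r["metric"]) if defaults else None

if __name__ == "__main__":
    for r in added_routes(BEFORE, AFTER):
        print("added:", r)
    print("default before:", effective_default(BEFORE))
    print("default after: ", effective_default(AFTER))
```

On the tables above, every added route is on `vnet0`, and the gateway-less `default dev vnet0` entry (metric 0) outranks the DHCP-provided default via 172.20.1.1 (metric 600), which matches the symptom that only the directly connected LAN stays reachable.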