
#1 2021-11-29 17:20:29

posop
Member
Registered: 2019-05-14
Posts: 13

Proper Isolation of Bridge Networks

I am trying to set up a private network space, isolated from a public network space.

In the public space, I want my guest OS NIC to get its IP address via DHCP Server.

Here is the network topology I have in mind:

[image: Network Topology]

The Problem

The issue I am having is ens3 and ens4 are not properly isolated. When I start my Guest VM:

ens3 IP: 192.168.1.60  <-- Good, ens3 is getting its IP via DHCP server!

ens4 IP: 192.168.1.61  <-- Uh-Oh, ens4 is also getting its IP via DHCP Server.  Networks are not properly isolated!

Traffic must be getting from ens3 to ens4 OR from br0 to br1 somehow.

br0 setup via iproute2

Here is how I set up br0 (Should not allow traffic between Host Server & Guest VM):

# ip link set eth3 up
# ip link add br0 type bridge
# ip link set dev eth3 master br0
# ip tuntap add dev tap0 mode tap
# ip link set tap0 master br0
# ip link set dev br0 type bridge vlan_filtering 1
# bridge vlan del dev br0 vid 1 self
# ip link set dev br0 up

br1 setup via iproute2

Here is how I set up br1 (Allows traffic between Host Server & Guest VM):

# ip link set eth2 up
# ip link add br1 type bridge
# ip link set dev eth2 master br1
# ip tuntap add dev tap1 mode tap
# ip link set dev tap1 master br1
# ip link set dev br1 up

Guest VM launch via qemu

Here is my qemu launch command:

$ qemu-system-x86_64 \
   -m 4G \
   -enable-kvm \
   -cpu host \
   -smp 2 \
   -net nic,macaddr=52:54:00:00:00:05 \
   -net tap,ifname="tap0",script=no,downscript=no \
   -net nic,macaddr=52:54:00:00:00:10 \
   -net tap,ifname="tap1",script=no,downscript=no \
   -vga virtio -display gtk,gl=on \
   -drive format=qcow2,file=disk.cow,index=0,if=virtio

Once my Guest VM is running, I set my taps to up

# ip link set dev tap0 up
# ip link set dev tap1 up

Question

How do I properly set up this network using iproute2 to isolate br0 (eth3, tap0, & ens3) from the rest of the Host Server and my Private Network Space?
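An added example, not the poster's own commands, that builds the two bridges as described and launches the guest with one `-netdev`/`-device` pair per NIC. QEMU's legacy `-net nic`/`-net tap` options, when given without `vlan=`, all attach to the same emulated hub, so QEMU itself forwards frames between tap0 and tap1 and no host-side bridge setup can separate them; binding each `-device` to its own `-netdev` removes that path. The script assumes the interface names from the post (eth3/eth2, br0/br1, tap0/tap1) and the two guest MACs, plus iproute2's `bridge` tool. The `leaked_macs` helper and the two `bridge fdb show` samples are constructed for illustration; the setup and launch branches need root and real interfaces.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumptions: uplinks eth3
# (public, DHCP-served) and eth2 (private), bridges br0/br1, taps tap0/tap1 and
# the guest MACs exactly as in the post; iproute2 "bridge" and a QEMU that
# accepts -netdev/-device. "setup" and "launch" must run as root.
set -u

# One bridge = one uplink + one tap. For the public bridge, vlan_filtering plus
# deleting VID 1 from the bridge device itself ("self") keeps the host's br0
# interface off that segment, so host and guest cannot talk through it.
make_bridge() {  # make_bridge <bridge> <uplink> <tap> <isolate-host: yes|no>
    br=$1 up=$2 tap=$3 iso=$4
    ip link add "$br" type bridge
    ip link set "$up" up
    ip link set dev "$up" master "$br"
    ip tuntap add dev "$tap" mode tap
    ip link set dev "$tap" master "$br"
    if [ "$iso" = yes ]; then
        ip link set dev "$br" type bridge vlan_filtering 1
        bridge vlan del dev "$br" vid 1 self
    fi
    ip link set dev "$br" up
    ip link set dev "$tap" up
}

# QEMU network arguments: each -device is bound to exactly one -netdev by id,
# so QEMU creates no hub between the NICs. (Legacy "-net nic"/"-net tap"
# without vlan= all join hub 0, which forwards tap0 <-> tap1 inside QEMU.)
qemu_net_args() {
    printf '%s ' \
        "-netdev tap,id=pub,ifname=tap0,script=no,downscript=no" \
        "-device virtio-net-pci,netdev=pub,mac=52:54:00:00:00:05" \
        "-netdev tap,id=priv,ifname=tap1,script=no,downscript=no" \
        "-device virtio-net-pci,netdev=priv,mac=52:54:00:00:00:10"
}

# Lint: returns 0 when a QEMU command line still carries a bare "-net" option
# (the hub-creating legacy syntax), 1 otherwise.
uses_legacy_net() {
    case " $1 " in *" -net "*) return 0 ;; esac
    return 1
}

# Host-side detection: read "bridge fdb show br <bridge>" on stdin and print
# each listed MAC that the bridge has learned. A private-side NIC's MAC
# showing up on the public bridge means the two segments are joined somewhere.
# Usage: bridge fdb show br br0 | leaked_macs br0 52:54:00:00:00:10
leaked_macs() {
    br=$1; shift
    awk -v br="$br" -v macs="$*" '
        BEGIN { n = split(macs, m, " "); for (i = 1; i <= n; i++) want[tolower(m[i])] = 1 }
        { k = tolower($1) }
        $0 ~ (" master " br "( |$)") && (k in want) && !seen[k]++ { print k }'
}

# Constructed sample: br0 fdb while the private NIC leaks onto the public side.
SAMPLE_FDB_LEAK='33:33:00:00:00:01 dev eth3 self permanent
52:54:00:00:00:05 dev tap0 master br0
52:54:00:00:00:10 dev tap0 master br0
01:00:5e:00:00:01 dev tap0 self permanent'

# Constructed sample: the same bridge once each NIC has its own -netdev.
SAMPLE_FDB_CLEAN='33:33:00:00:00:01 dev eth3 self permanent
52:54:00:00:00:05 dev tap0 master br0'

case "${1:-}" in
    setup)
        make_bridge br0 eth3 tap0 yes
        make_bridge br1 eth2 tap1 no ;;
    launch)
        # shellcheck disable=SC2046  (word-splitting of the argument list is intended)
        exec qemu-system-x86_64 -m 4G -enable-kvm -cpu host -smp 2 \
            $(qemu_net_args) \
            -vga virtio -display gtk,gl=on \
            -drive format=qcow2,file=disk.cow,index=0,if=virtio ;;
    check)
        # Prints 52:54:00:00:00:10 only if br0 has learned the private NIC's MAC.
        bridge fdb show br br0 | leaked_macs br0 52:54:00:00:00:10 ;;
    demo)
        echo "leaky sample:";  printf '%s\n' "$SAMPLE_FDB_LEAK"  | leaked_macs br0 52:54:00:00:00:10
        echo "clean sample:";  printf '%s\n' "$SAMPLE_FDB_CLEAN" | leaked_macs br0 52:54:00:00:00:10 ;;
esac
```

Run `sh bridges.sh setup` as root, then `sh bridges.sh launch`; `sh bridges.sh check` prints the private-side MAC whenever br0 has learned it, which is exactly what happens when ens4 obtains a lease from the public DHCP server. `demo` runs the same check over the two constructed fdb samples without touching any interface.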
