Hi,
I want to set up qemu with one Windows 7 guest. This guest should be able to connect to the host's samba and postgres server, but not to external networks such as the internet. I've read the archlinux qemu wiki page and it seems I need to use a bridge and a tap device to accomplish this. So far I've done this as root:
brctl addbr br0
ip tuntap add dev tap0 mode tap user me
ip link set tap0 up
brctl addif br0 tap0
'brctl show' gives
bridge name bridge id STP enabled interfaces
br0 8000.16cad3ab6bda no tap0
When I start the VM as a user I get
qemu-system-x86_64 -enable-kvm -m 1024 -vga std -device e1000,netdev=tap0,mac=DE:AD:BE:EF:96:32 -netdev tap,id=tap0,script=no,downscript=no hdd1.qcow2
qemu-system-x86_64: -netdev tap,id=tap0: could not configure /dev/net/tun: Operation not permitted
qemu-system-x86_64: -netdev tap,id=tap0: Device 'tap' could not be initialized
Ok. Need to handle some permission issues. If I launch the above command as root, the VM (Windows 7) starts, but I don't have any connection to the host (Windows 7 complains about an unidentified network).
With the example scripts 'qemu-ifup', 'qemu-ifdown', the ip forwarding and the sudo configuration as described in the QEMU - ArchWiki - Creating bridge manually section, Windows 7 can indeed connect to the host, but also to the internet, which I simply don't want. The reason might sound silly, but every time a Windows guest tries to connect to the internet, thus trying to obtain an ip from the dhcp server, the host completely loses its connection to the router. It seems my network hardware doesn't like this.
Anyway, I think I'm only missing one little thing. I would appreciate any help.
Last edited by ulixes (2014-06-09 20:51:52)
I have a similar setup, but I'm not using a Tap device. Instead, I configured a virtual network for my VMs using libvirt. (If you don't know, libvirt is a very nice shell that manages QEMU/KVM and other virtualization packages.) The host sees a new virtual network interface that serves as the bridge to the virtual network. You can then use regular iptables firewall rules to restrict access to the outside world from any VM connecting out through the bridge interface. I use ufw for that part.
Unsolicited inbound connections to the VM are automatically blocked because the virtual bridge functions as a NAT-based firewall. That may or may not work for you. If not, you can forward ports through it to individual VMs.
Thanks for the suggestion with virsh. But there are also issues with libvirt and virt-manager and its tools. First, virt-manager is almost unusable, because it's frequently complaining about functions not supported by the connection driver, e.g. virInterfaceDefineXML. So I had to edit some XML files manually. Someone should really fix this. Second, for some reason the virbrX interfaces are inactive and I can't start them in virt-manager because of the previously mentioned error. And the interfaces are indeed down:
> ip addr show virbr1
7: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 52:54:00:55:9c:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.101.1/24 brd 192.168.101.255 scope global virbr0
valid_lft forever preferred_lft forever
> ip addr show virbr1-nic
8: virbr0-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 500
link/ether 52:54:00:55:9c:fa brd ff:ff:ff:ff:ff:ff
Doing
ip link set dev virbr1 up
does absolutely nothing, not even outputting any warning or error, but the interface is still down!
This is the config xml for the 'isolated' network
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit isolated
or other application using the libvirt API.
-->
<network>
<name>isolated</name>
<uuid>fc09f5cf-117f-4d1a-bc8b-051b0c02de4c</uuid>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:64:22:49'/>
<domain name='isolated'/>
<ip address='192.168.100.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.100.128' end='192.168.100.254'/>
</dhcp>
</ip>
</network>
With every virbrX inactive on the host, I don't have any net interface besides 'lo' on the guest side. So the question is, why can't the virbrX interfaces be set up by the ip utility?
EDIT: If I run the VM, at least the used interface virbr1 becomes active, but virbr1-nic still remains inactive no matter what I do. Thus, there's still no ethernet device on the guest system.
Last edited by ulixes (2014-06-09 11:34:50)
Ok, found a solution. It's surprisingly simple. I've discarded the libvirt way, because the official archlinux virt-manager package is pretty unusable and configuring a working vlan for libvirt seems pretty complicated. I still couldn't get a working network device on the guest side.
For completeness, here is what I've done. I use a tap and a bridge device and dnsmasq. I did not activate ipv4 forwarding as mentioned in the wiki! The following steps need to be done as root.
First I've created the bridge, set an ip address and started it
brctl addbr br0
ip addr add 192.168.179.1/24 broadcast 192.168.179.255 dev br0
ip link set br0 up
The subnet should differ from any other device. In my case the only other device eth0 has the ip 192.168.178.xxx.
Next I've created the tap device for use by qemu, or rather the guest
ip tuntap add dev tap0 mode tap
ip link set tap0 up promisc on
I don't know if 'promisc' is really necessary, but there's no need to assign an ip to the tap device.
Now I've connected the tap device to the bridge
brctl addif br0 tap0
Until now this was approximately my first try. I've tried to use a static ip on the guest side, but had no success. The important point was to run dnsmasq on the bridge
dnsmasq --interface=br0 --bind-interfaces --dhcp-range=192.168.179.10,192.168.179.254
In effect, I finally got a working ip on the guest network devices (this may take some seconds). Pinging the host succeeded and neither of my guests (SliTaz Linux, Windows 7) was able to connect to external networks, i.e. the internet.
I've started the guests with
qemu-system-x86_64 -enable-kvm -m 1024 -netdev tap,id=t0,ifname=tap0,script=no,downscript=no -device e1000,netdev=t0,id=nic0 <imagefile>
In my case, I had to omit the automated execution of scripts. This way I was also able to execute the above qemu command as an ordinary user.
Just to finalize this description for samba:
By adding 'br0' to 'interfaces' in smb.conf, guests were able to connect to the host samba service as usual.
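The procedure in the post above, as an added example that is not code from the thread: the same bridge + tap + dnsmasq design with IPv4 forwarding left off, written with iproute2 only (no brctl), plus the checks a host-only network should have. It verifies that the guest subnet does not overlap the host's LAN, verifies that ip_forward is 0, adds FORWARD DROP rules for the bridge so the guest stays off the LAN even if forwarding is switched on later (for example to add the MASQUERADE rule a later post in this thread uses), restricts what the guest may reach on the host to DHCP, DNS, ICMP, SMB and PostgreSQL instead of every service bound to br0 or 0.0.0.0, and starts dnsmasq with no upstream resolvers and no default route for the guest. Interface names, addresses and the user name `me` are assumptions taken from the thread's own values; the `GUEST_IN` chain name is invented for the example.

```sh
#!/bin/sh
# Added example (not from the thread): isolated host-only network for a QEMU guest.
# Bridge + tap + dnsmasq as in the post, iproute2 only, with isolation checks and
# a host firewall for the bridge. Names and addresses are assumptions.
set -eu

BR=${BR:-br0}
TAP=${TAP:-tap0}
VM_USER=${VM_USER:-me}                   # unprivileged user that runs qemu
GUEST_NET=${GUEST_NET:-192.168.179.0/24}
BR_IP=${BR_IP:-192.168.179.1}
DHCP_START=${DHCP_START:-192.168.179.10}
DHCP_END=${DHCP_END:-192.168.179.254}
HOST_NET=${HOST_NET:-192.168.178.0/24}   # LAN that eth0 is on, as in the post

# Dotted quad to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_overlap A/N B/M: exit 0 if the two networks share any address. A guest
# subnet that collides with a LAN the host is on makes host routing ambiguous.
cidr_overlap() {
    p1=${1#*/}; p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2          # the shorter prefix decides
    [ "$p" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# forwarding_is_off [FILE]: exit 0 when net.ipv4.ip_forward reads 0. With
# forwarding off the host never routes guest packets anywhere, which is what
# isolates the guest in the post's setup.
forwarding_is_off() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "0" ]
}

# guest_rules BR: print iptables commands for the bridge. Everything arriving on
# the bridge goes through GUEST_IN; DHCP is allowed by port because it arrives
# from 0.0.0.0. FORWARD drops in both directions keep the guest off the LAN
# even if ip_forward is 1.
guest_rules() {
    cat <<EOF
iptables -N GUEST_IN 2>/dev/null || iptables -F GUEST_IN
iptables -D INPUT -i $1 -j GUEST_IN 2>/dev/null || true
iptables -I INPUT -i $1 -j GUEST_IN
iptables -A GUEST_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
iptables -A GUEST_IN -p icmp -j ACCEPT
iptables -A GUEST_IN -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A GUEST_IN -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A GUEST_IN -p tcp --dport 5432 -j ACCEPT
iptables -A GUEST_IN -j DROP
iptables -I FORWARD -i $1 -j DROP
iptables -I FORWARD -o $1 -j DROP
EOF
}

# dnsmasq_args BR START END: --no-resolv with no --server makes dnsmasq answer
# only names it knows itself (leases, /etc/hosts) instead of proxying guest DNS
# to the host's upstream resolvers; --dhcp-option=3 sends no default route.
dnsmasq_args() {
    printf '%s\n' "--interface=$1 --bind-interfaces --except-interface=lo --no-resolv --dhcp-option=3 --dhcp-range=$2,$3,12h"
}

# apply: build the network (root). The tap is owned by $VM_USER so qemu can
# open it unprivileged with -netdev tap,ifname=$TAP,script=no,downscript=no.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    if cidr_overlap "$GUEST_NET" "$HOST_NET"; then
        echo "guest net $GUEST_NET overlaps host net $HOST_NET, pick another" >&2
        return 1
    fi
    ip link add name "$BR" type bridge
    ip addr add "$BR_IP/${GUEST_NET#*/}" dev "$BR"
    ip link set "$BR" up
    ip tuntap add dev "$TAP" mode tap user "$VM_USER"
    ip link set "$TAP" master "$BR" up          # attach to the bridge and bring up
    forwarding_is_off || echo "warning: ip_forward=1, relying on FORWARD DROP rules" >&2
    guest_rules "$BR" | sh -e
    # word splitting intended: the args contain no spaces
    dnsmasq $(dnsmasq_args "$BR" "$DHCP_START" "$DHCP_END")
}

# Act only when asked, so the file can also be sourced for its checks.
if [ "${1-}" = "apply" ]; then apply; fi
```

Run as `sudo sh isolated-net.sh apply`, then start the guest exactly as in the post, with `-netdev tap,ifname=tap0,script=no,downscript=no` as the unprivileged user; the `ifname=tap0` is what distinguishes the working command from the first attempt in this thread, where qemu tried to create a fresh tap device and got "Operation not permitted". For PostgreSQL to be reachable from the guest at all, `listen_addresses` must include the bridge address and pg_hba.conf needs an entry for the guest subnet, since PostgreSQL listens on localhost only by default; for samba, `interfaces = br0` together with `bind interfaces only = yes` keeps smbd off the LAN side.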
Thank you for this, I've tried lots of docs & tutorials, finally got this and succeeded.
I used this method as a basis for ARM. Here is the summary procedure:
Excellent ulixes!!
With this you don't need anything else but qemu-kvm and ip (iproute2)!!
I ran ubuntu cloud image as described in http://ubuntu-smoser.blogspot.fr/2013/0 … cloud.html
sudo kvm -hda ubuntu-14.04-server-cloudimg-amd64.img -hdb my-seed.img -m 1024 -netdev tap,id=t0,ifname=tap0,script=no,downscript=no -device e1000,netdev=t0,id=nic0
And added following iptables rule on host to enable NAT access to internet.
sudo iptables -t nat -I POSTROUTING -s 192.168.179.0/24 -j MASQUERADE
This setup will literally let one have a mini cloud on his/her machine with minimal tools and maximum flexibility and control!
Thanks ulixes!
Last edited by vjlinux (2016-01-27 04:08:20)