#1 2017-07-13 08:04:57

i716
Member
From: Yokohama, Japan
Registered: 2016-04-18
Posts: 70

QEMU/KVM Sharing files with host locally while maintaining inet connec

This question is not specific to Arch but it occurs on my Arch installation and therefore I will ask it here.

My setup is as the following: Host (Arch Linux) Guest (Win7) Virtualization with QEMU/KVM

File sharing between host and guest is achieved by using samba shares. I have created two bridges (br0 and br1) where only br0 is linked to the NIC (eno1). So if I assign br0 to the virtual machine, it can access the internet and the host. If I choose br1, the guest can only communicate with the host itself. There's also no DHCP involved so the guest and the br1 both have a static IP address.

The above setup is on a desktop which doesn't change location and is always connected to my own LAN environment. So actually sharing files over my (hopefully) secure LAN should not be an issue and I therefore prefer using the br0 solution.

I do however plan to set things up on a laptop in a similar fashion. This device WILL change location almost daily and connect to a variety of public networks. And that leads me to the following issue:

How can I achieve that both the host and the guest have an active internet connection while making sure that the connection between host and guest only happens locally, e.g. the file transfer via samba should not be performed over the public network.

Thanks in advance for your input!


#2 2017-07-13 08:50:15

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

If you're paranoid about making a mistake in the guest, then add some iptables firewalling on the host, to block externally outgoing samba traffic from the guest.

I would recommend using a single TAP interface, rather than the confusing situation of br0 and br1, and such confusingly-vague interface names.


#3 2017-07-13 09:04:26

tom.ty89
Member
Registered: 2012-11-15
Posts: 897

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

Can't you configure the SMB server so that it will only be accessible from the network of the NIC that is tapped to br1? (While you can even have two emulated NICs simultaneously that are tapped to the two bridges respectively)

You may also use a NAT NIC for internet and bridged NIC for host-guest communication I suppose?

Last edited by tom.ty89 (2017-07-13 09:05:21)


#4 2017-07-13 09:21:51

i716
Member
From: Yokohama, Japan
Registered: 2016-04-18
Posts: 70

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

@brebs: The guest is seldom used and just replaces a natively installed Windows. The reason for using Windows at all is simple: I run some software that requires Windows; one of them will scan documents that need to be available on the Linux host immediately. This is not about making mistakes in the guest. I just don't want to have my private data unnecessarily sent over public WiFi networks (if that's possible at all...)
Just that you get me right on this, I need to have both the guest and the host be able to access the outside world, while I'd prefer for the Samba shares to stay between the guest and the host (without being routed over an unknown network).
Your idea of the TAP interface sounds interesting. How would you go about it in order to establish the aforementioned environment?

@tom.ty89: Well, sure I could bind the samba server to a specified interface. But how does this solve the issue? One bridge connects to the physical network device and the other one doesn't let the VM access the internet.
So you were talking about 2 connections simultaneously. That means they must exist on the guest, right?


#5 2017-07-13 09:30:56

tom.ty89
Member
Registered: 2012-11-15
Posts: 897

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

I am not sure what you mean. You can always emulate more than one NIC in the VM. One NIC tapped to the bridge that enslaves the host NIC will give the guest internet connectivity, and also expose the VM to the public network, of course. But then if you can somehow configure the SMB server so that it is only accessible from the network of another NIC (that is tapped to a bridge with no host NIC slave), then at least the SMB server is not exposed to the public network?

Edit: that is, with this configuration, through the IP address of the NIC tapped to bridge with host NIC slave, your host and computers on the public network will be able to ping your guest or so, but not access your SMB share, not even your host; but through the IP address of the NIC that is tapped to the bridge with no host NIC slave, your host should be able to ping your guest and access your SMB share, while the computers of the public network will not be able to get to your guest through this IP/NIC at all.

And if you want to prevent exposing the guest to the public network at all, I suggested NAT + bridge with no host NIC slave.

Last edited by tom.ty89 (2017-07-13 09:44:31)


#6 2017-07-13 09:33:47

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

Use the "interfaces = ..." and "bind interfaces only = yes" options, in the Samba server's config.

For a tap interface - google it.


#7 2017-07-13 09:41:46

i716
Member
From: Yokohama, Japan
Registered: 2016-04-18
Posts: 70

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

@tom.ty89, @brebs

Thanks for your input. I will look into this over the weekend. Just fyi and as a note to myself, my current network looks like this:

[user1@T1700 ~]$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bridge0 state UP mode DEFAULT group default qlen 1000
    link/ether XX:b1:56:XX:98:XX brd ff:ff:ff:ff:ff:ff
3: bridge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:56:XX:98:XX brd ff:ff:ff:ff:ff:ff
6: bridge1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether fe:XX:00:XX:75:XX brd ff:ff:ff:ff:ff:ff
9: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bridge1 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:XX:00:XX:75:XX brd ff:ff:ff:ff:ff:ff
[user1@T1700 ~]$ 

Last edited by i716 (2017-07-13 09:49:10)


#8 2017-07-13 12:41:07

i716
Member
From: Yokohama, Japan
Registered: 2016-04-18
Posts: 70

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

Ok, I added a second NIC to the virtual machine. The virtual Windows machine now sees two network adaptors. One of them is identified as 識別されていないネットワーク (unidentified network). The other is marked as home network. Unfortunately neither of them has any connection to either the host or the internet.

[user1@T1700 ~]$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bridge0 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
3: bridge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
4: bridge1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bridge0 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bridge1 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

UPDATE: I have somehow managed to get the above setup working. I have just deleted all NICs and entered the static IP on the Windows machine again. So now it works as expected: bridge0 for Internet access and bridge1 for anything local. I don't however clearly understand what is considered local and what's not.
My printer and my IP phone are connected to the same switch as this machine. Then the switch is connected to a router which serves as a wifi bridge. The main router however is located in the living room... Yes, I know it's a difficult setup and the wifi connection is the bottleneck to the 2GBit line I got... but that's another story.

I don't want to mark this as solved just yet. Well, it is working and I got what I asked for. But some reading on the internet has suggested that the above setup might not work with a WiFi connection (as in WiFi from a WiFi card directly as it is found in a laptop) So there must be another way to do it. But how?

And it seems like other people have been thinking about it, too. So, there must be a viable solution - most preferably a best practice solution!
=> https://www.reddit.com/r/sysadmin/comme … _two_nics/

Last edited by i716 (2017-07-13 13:59:51)


#9 2017-07-13 14:40:27

tom.ty89
Member
Registered: 2012-11-15
Posts: 897

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

In this scenario, "public" is your home network (or the wifi network of a cafe, for example), while "private" is the network that only the host and the guest are in. So say your guest needs to access the printer connected to your router or so, the public bridge/NIC must be up and configured. If your guest needs to access the host or vice versa, they can do so via either the public/private network, unless a certain service is bound to either of them, for example binding the SMB server to the private NIC. If you successfully configured that, then your host and guest can talk when either bridge/NIC pair is up, but only when the private pair is up can your host access the SMB server, while other computers in the public network can only talk to the guest when the public pair is up; that said, they should never be able to access the SMB share.

Edit: for the WiFi problem, the reason it might not work is that not all WiFi adapters can work as a bridge slave. That probably means you will have to use NAT for the guest's internet connectivity. I think the only problem that would cause in your case is that it would prevent your guest from accessing the printer or so in your home network, but your other needs should still be fulfilled.

Last edited by tom.ty89 (2017-07-13 14:45:56)


#10 2017-07-14 00:09:59

i716
Member
From: Yokohama, Japan
Registered: 2016-04-18
Posts: 70

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

@tom.ty89

Thanks for your detailed explanation. Yes, I can confirm that only with the bridge that enslaves the physical NIC enabled, I can see other network devices like the printer or the TV. The other bridge just shows the Samba shares - just as I expected.
Regarding the possible WiFi problem, I have not set it up on a laptop yet, so I can't comment on this. It's just about what I read on the internet. What exactly do you mean by NAT? There's an option in virt-manager which is labelled as Virtual network 'default' NAT (Inactive), so choosing this one does not work out of the box. It can be chosen however after issuing

 sudo virsh net-start default 

in the terminal. But unfortunately the connection established this way is always dead.

So when the laptop is at home, it can and should access the whole network, including printers and other devices. And when I'm in a coffee shop or at the airport, it doesn't have to do anything else except for connecting to the internet. So that's OK. But how do I go about letting it access my printer at home? That's obviously necessary.
Would it be an option to remove the bridge that enslaves eno1 (so that the physical device is no longer busy) and select Host device eno1: macvtap instead? I can confirm that this option lets me connect to the internet and it also lets me see my printer - it just didn't let me connect to the host itself. But that's sorted out now with the bridge that does not connect to the physical interface.


#11 2017-07-14 07:14:06

tom.ty89
Member
Registered: 2012-11-15
Posts: 897

Re: QEMU/KVM Sharing files with host locally while maintaining inet connec

Well I don't know libvirt. What I was referring to is the user-mode networking in qemu (-net user). It's the mode that the default NIC (created if none specified by the user) works in. I am not sure why it doesn't work for you (assuming the libvirt default is the same thing).

You can probably have three emulated NICs in your guest. The private bridge one is like always on I suppose. The public bridge one will only work when you connect to the wired LAN at home. While the NAT one will be useful when you connect to wireless LAN (WiFi) at home or out in the public. (That means, if you want to access the printer from your guest, you need to connect to the wired LAN anyway)

You may want to disable the NAT one in Windows when you are connected to wired LAN, but that may not be necessary, just something you can try in case you feel like the internet connection in the guest is slow.

Not exactly sure what the macvtap you mentioned will do. With ordinary bridge/tap/host ethernet slave combination both host public bridge and the public NIC in the guest will be getting IP from the home router (if it has DHCP enabled, otherwise configure them to be in the same subnet as the printer and so manually). And all of them should be able to talk to each other.

Perhaps you should paste your `ip a` output.

Last edited by tom.ty89 (2017-07-14 07:15:59)

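Putting together the pieces brebs and tom.ty89 describe above (a private bridge with no physical slave, Samba restricted to it with "interfaces" and "bind interfaces only", a second guest NIC attached to that bridge, and an iptables backstop on the guest's public tap), here is an added example script. It is not from the thread or from any of the posters; the interface names bridge0, bridge1 and vnet0 are taken from i716's `ip link` output, while the 192.168.100.0/24 private subnet (host .1, guest .2) and the libvirt domain name "win7" are constructed assumptions. It prints a plan by default and only executes anything when run with --apply as root.

```bash
#!/bin/bash
# Added example, not code from the thread. Host-side pieces for the layout
# discussed above: public bridge (enslaves eno1) for Internet/LAN, private
# bridge (no slave) for host<->guest Samba only. All names are assumptions.
set -eu

PUB_BR=${PUB_BR:-bridge0}                  # has eno1 as slave (from the posted ip link output)
PRIV_BR=${PRIV_BR:-bridge1}                # no physical slave
PRIV_HOST_CIDR=${PRIV_HOST_CIDR:-192.168.100.1/24}   # constructed private subnet
GUEST_PUB_TAP=${GUEST_PUB_TAP:-vnet0}      # the guest NIC that sits on $PUB_BR
DOMAIN=${DOMAIN:-win7}                     # assumed libvirt domain name

# 1. Private bridge with a static host address; nothing but guest taps join it,
#    so frames on it never reach the physical NIC.
priv_bridge_cmds() {
  cat <<EOF
ip link add $PRIV_BR type bridge
ip addr add $PRIV_HOST_CIDR dev $PRIV_BR
ip link set $PRIV_BR up
EOF
}

# 2. smb.conf [global] fragment: smbd/nmbd listen on the private bridge (and lo)
#    only, so the share is unreachable via $PUB_BR even when the host is on public WiFi.
smb_conf_snippet() {
  cat <<EOF
[global]
    interfaces = lo $PRIV_BR
    bind interfaces only = yes
EOF
}

# 3. Backstop (brebs' suggestion): drop SMB/NetBIOS entering or leaving the guest
#    through its *public* tap. Bridged frames only traverse the iptables FORWARD
#    chain when br_netfilter is loaded, hence the modprobe/sysctl lines.
smb_egress_block_cmds() {
  cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -I FORWARD -m physdev --physdev-in $GUEST_PUB_TAP -p tcp -m multiport --dports 139,445 -j DROP
iptables -I FORWARD -m physdev --physdev-in $GUEST_PUB_TAP -p udp -m multiport --dports 137,138 -j DROP
iptables -I FORWARD -m physdev --physdev-out $GUEST_PUB_TAP -p tcp -m multiport --dports 139,445 -j DROP
EOF
}

# 4. Second guest NIC on the private bridge (persisted in the domain XML).
#    Win7 needs the virtio-win drivers for --model virtio; use --model e1000 otherwise.
attach_priv_nic_cmd() {
  echo "virsh attach-interface --domain $DOMAIN --type bridge --source $PRIV_BR --model virtio --config"
}

# 5. Check: feed `ss -ltnH` output on stdin; succeeds only if every TCP 139/445
#    listener is bound to the private host address or loopback.
#    Usage: ss -ltnH | smb_bound_private_only 192.168.100.1
smb_bound_private_only() {
  priv_ip=$1
  awk -v priv="$priv_ip" '
    $4 ~ /:(139|445)$/ {
      addr = $4; sub(/:[0-9]+$/, "", addr)
      if (addr != priv && addr != "127.0.0.1" && addr != "[::1]") {
        print "SMB listener reachable outside the private bridge: " $4
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Dry run by default; --apply (as root) executes the ip/iptables/virsh steps.
if [ "${1:-}" = "--apply" ]; then
  { priv_bridge_cmds; smb_egress_block_cmds; attach_priv_nic_cmd; } | sh -ex
  echo "Merge the following into /etc/samba/smb.conf, then restart smb/nmb:"
  smb_conf_snippet
else
  echo "# plan (dry run); re-run with --apply as root to execute"
  priv_bridge_cmds; smb_egress_block_cmds; attach_priv_nic_cmd; smb_conf_snippet
fi
```

Two caveats worth knowing before applying: enabling bridge-nf-call-iptables makes every bridged frame on the host (including the host's own traffic via bridge0) pass through iptables, so existing FORWARD rules start to matter; and the iptables rules are only a backstop for the guest side, the actual protection is Samba listening solely on bridge1, which is what step 5 verifies.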
