Arch Linux

tnnguk9

Member

Registered: 2018-04-16

Posts: 2

QEMU/KVM Private (Internal) Network

I'm having trouble setting up an internal network so that two VMs can only talk to each other via a bridge (and not the host). I've used networkd to configure the bridge on the host machine, and qemu-bridge-helper to create a tap device attached to the bridge when I start the VM. Unfortunately, no matter what I do they cannot ping each other.

I essentially want to create the same setup as linked here, using QEMU/KVM.

My bridge device /etc/systemd/network/proxy.netdev is configured as follows:

[NetDev]
Name=br1
Kind=bridge

The network /etc/systemd/network/proxy.network is below:

[Match]
Name=br1

[Network]
DHCPServer=Yes

I start my VMs with the following:

qemu-system-x86_64 -netdev tap,helper=/usr/lib/qemu/qemu-bridge-helper,id=net0,br=br0 -device virtio-net-pci,netdev=net0,mac=51:40:B6:55:05:10 -netdev tap,helper=/usr/lib/qemu/qemu-bridge-helper,id=net1,br=br1 -device virtio-net-pci,netdev=net1,mac=4D:B8:D1:D8:C7:F3 ...
qemu-system-x86_64 -netdev tap,helper=/usr/lib/qemu/qemu-bridge-helper,id=net0,br=br1 -device virtio-net-pci,netdev=net1,mac=18:58:B4:D9:90:EA ...

br0 is attached to my physical network and the host machine is Arch.

Any help or pointers would be greatly appreciated.

lo1

Member

Registered: 2017-09-25

Posts: 584

Re: QEMU/KVM Private (Internal) Network

They can't ping each other, but can they ping the bridge?

What happens if, instead, you use the native ip tools to create your bridges and tap interfaces, setting them so the bridge is the master, then manually add addresses so they stay in the same subnet?

ip link add br0 type bridge
ip link set br0 up
ip tuntap add tap0 mode tap
ip tuntap add tap1 mode tap
ip link set tap0 up promisc on && ip link set tap1 up promisc on
ip link set tap0 master br0 && ip link set tap1 master br0
qemu-system-x86_64 -netdev tap,id=t0,ifname=tap0,script=no,downscript=no -device e1000,netdev=t0,id=nic0 ........
qemu-system-x86_64 -netdev tap,id=t1,ifname=tap1,script=no,downscript=no -device e1000,netdev=t1,id=nic1 ........

---

How To Ask Questions The Smart Way && Tacts Filters && K.I.S.S. &&
Rootless Root

Toolybird

Member

Registered: 2017-09-30

Posts: 76

Re: QEMU/KVM Private (Internal) Network

A simpler approach - follow the docs to create a "very isolated" network as per:

https://libvirt.org/formatnetwork.html# … sNoGateway

Then create a pfSense VM with 2 interfaces:

  1. standard NAT for the WAN side
  2. "very isolated" for the LAN side

Works well

(but you have to correctly configure pfSense if using virtio networking - see here)

https://doc.pfsense.org/index.php/VirtI … Offloading

tnnguk9

Member

Registered: 2018-04-16

Posts: 2

Re: QEMU/KVM Private (Internal) Network

They can't ping each other, but can they ping the bridge?

What happens if, instead, you use the native ip tools to create your bridges and tap interfaces, setting them so the bridge is the master, then manually add addresses so they stay in the same subnet?

ip link add br0 type bridge
ip link set br0 up
ip tuntap add tap0 mode tap
ip tuntap add tap1 mode tap
ip link set tap0 up promisc on && ip link set tap1 up promisc on
ip link set tap0 master br0 && ip link set tap1 master br0
qemu-system-x86_64 -netdev tap,id=t0,ifname=tap0,script=no,downscript=no -device e1000,netdev=t0,id=nic0 ........
qemu-system-x86_64 -netdev tap,id=t1,ifname=tap1,script=no,downscript=no -device e1000,netdev=t1,id=nic1 ........

Thanks for your response. No luck with this method sadly, it created the exact same setup as what I had done with networkd.

A simpler approach - follow the docs to create a "very isolated" network as per:

https://libvirt.org/formatnetwork.html# … sNoGateway

Then create a pfSense VM with 2 interfaces:

  1. standard NAT for the WAN side
  2. "very isolated" for the LAN side

Works well

(but you have to correctly configure pfSense if using virtio networking - see here)

https://doc.pfsense.org/index.php/VirtI … Offloading

Thank you for those links. I'll attempt to use libvirt instead and see if that works...

gaofei

Member

Registered: 2017-08-11

Posts: 26

Re: QEMU/KVM Private (Internal) Network

QEMU’s new -nic and hubport option  . Try using the -hubport parameter. The legacy parameter -net and -vlan should be avoided.