In the Arch wiki it is stated that you should use nftables or, to be exact, iptables-nft instead of iptables + ebtables from the AUR. Unfortunately, Libvirt doesn't use the properly configured iptables compatibility layer on the recommended setup by default, but plain nftables. If you have the same symptoms as described below, then try setting firewall_backend=iptables in /etc/libvirt/network.conf or configure forwarding in nftables as described in the Gentoo forums here.
Hello Arch Linux community,
I am trying to get an internet connection up and running in my KVM/QEMU VM through Libvirt's default NAT.
Unfortunately, the guest (Windows 10) sees the virtual adapter as an "Unidentified network" and shows that there is "No Internet". This and the output of "ipconfig" (below) show that the VM's DHCP cannot assign a gateway. The subnet mask (originally 255.255.255.0) and the automatic IPv4 address (which should be between 192.168.122.2 and 192.168.122.254) are misconfigured as well:
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Autoconfiguration IPv4 Address. . : 169.254.81.241
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Output of "ip a" on the host while the VM is running:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether f0:2f:74:1b:5b:aa brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:5b:92:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d0:37:45:d8:fb:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.0.127/24 metric 20 brd 192.168.0.255 scope global dynamic wlan0
valid_lft 603733sec preferred_lft 603733sec
inet6 fe80::d237:45ff:fed8:fb9a/64 scope link
valid_lft forever preferred_lft forever
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:d4:cd:4e brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fed4:cd4e/64 scope link
valid_lft forever preferred_lft forever
Output of "ip r" on host:
default via 192.168.0.1 dev wlan0 proto dhcp src 192.168.0.127 metric 20
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.127 metric 20
192.168.0.1 dev wlan0 proto dhcp scope link src 192.168.0.127 metric 20
192.168.0.56 dev wlan0 proto dhcp scope link src 192.168.0.127 metric 20
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
This is weird, because the bridge (virbr0) is up and the virtual interface (vnet0) is attached to it. To fix the misconfiguration, I set the LAN settings statically, which worked, but now I can only ping my host (192.168.0.127) and the bridge (192.168.122.1), but pings to WAN servers like "google.com" or even "8.8.8.8" time out.
Doesn't this mean that virbr0 works and forwards the packets as expected, but that the firewall does not allow the virtual bridge to send packets to the default gateway?
nftables rules (# nft list ruleset): http://0x0.st/Ho6G.txt
virbr0 config (/etc/libvirt/qemu/networks/default.xml): http://0x0.st/Ho6h.txt
Libvirt log (/var/log/libvirt/libvirtd.log): http://0x0.st/Ho6n.txt
vnet0 config while VM is on (/etc/libvirt/qemu/win10.xml): http://0x0.st/HoIs.txt
Thank you in advance for your time and help!
limefrog :)))
Last edited by limefrog (2024-07-06 20:26:15)
Linux is free, if you don't value your time.
Since I don't use libvirt I can only give some general hints.
Whenever you see this:
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Autoconfiguration IPv4 Address. . : 169.254.81.241
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
on a virtual or physical Windows PC it means the network connectivity is broken.
Windows doesn't receive a DHCP reply and chooses an APIPA address.
Is dnsmasq up and running?
Is dnsmasq up and running?
Hi -thc,
Thank you for your reply! I have dnsmasq installed, but I didn't enable it, because I already had systemd-resolved and thought that the two services would conflict. They actually did conflict and I had to get rid of my systemd-resolved configuration, but now I have dnsmasq running and I do not get the errors in Libvirt's log about the DNS resolution. Unfortunately, the DHCP server still does not work and I still do not have internet access in the VM. What do you think about the idea with the firewall settings?
Linux is free, if you don't value your time.
What do you think about the idea with the firewall settings?
I was right. For some reason Libvirt does not work with nftables, so I had to switch to iptables + ebtables (AUR).
Linux is free, if you don't value your time.
I'm currently getting this as well, how do I get this to work?
-----BEGIN GEEK CODE BLOCK-----
Version: 4.0
GCS/E !a c– d:- C++++ ULÜ/*++ LC#++/go++/p+/js+/sql+/Cpp/C/!j G:OmegaRogue FE+ FB++ M- PGP++ E+ H+ PS+++/G++/L+++/S+++ PE+++ TB++/M++/SW+/t+/LOTR+/TBB+/S++/F+/R&M+/D+ R+ B- kD+ kX++ e*>>++ h! !r !z
-----END GEEK CODE BLOCK-----
I had this problem and in my case I had an unholy configuration where both the monolithic libvirtd and at least some of the modular libvirt daemons were configured. All the virt* daemons and sockets are the modular ones and libvirtd.socket and libvirtd.service are the monolithic ones. I disabled/stopped all the virt* sockets and daemons and it worked. I found this link helpful.
Last edited by dozy lizard (2024-02-11 14:03:11)
You need to set the firewall_backend=iptables option in /etc/libvirt/network.conf since we are using iptables-nft instead of nftables.
I'm currently getting this as well, how do I get this to work?
Sorry for the necro, but the other guy started. Make sure that the firewall is at fault and not missing dependencies (dnsmasq or ebtables if you want iptables instead of nftables) etc. Nftables is not broken per se, however it's misconfigured by default. You could either force libvirt to use the iptables compatibility layer (if you have iptables-nft and not only nftables) like adonesp mentioned or set up the forwarding rules manually. It's not difficult because somebody in the Gentoo forums has done the coding for us: here (it's at the bottom)
Linux is free, if you don't value your time.
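The thread separates two distinct failures: an APIPA address in the guest (no DHCP answer on the bridge, the dnsmasq problem) and a working lease with WAN pings timing out (the host ruleset never forwards or masquerades the bridge subnet). The script below is an added example, not code from this thread, from libvirt or from the linked Gentoo post. It checks both conditions on captured `ss -ulnp` and `nft list ruleset` text and prints the plain-nftables rules that the manual route needs. The names virbr0, 192.168.122.0/24 and wlan0 are taken from the "ip a" output above; the `ss` line format and the grep patterns over the nft text form are assumptions (heuristics, not a full nft parse).

```shell
#!/bin/sh
# Added example (not code from the thread, libvirt or the Gentoo post): a small
# diagnostic for the two failure modes discussed above, plus the nftables rules
# that give a libvirt NAT bridge WAN access when the host firewall is managed
# with plain nftables. Assumed names come from the original post's "ip a" output.
BRIDGE="${BRIDGE:-virbr0}"
SUBNET="${SUBNET:-192.168.122.0/24}"
UPLINK="${UPLINK:-wlan0}"

# Failure mode 1 (APIPA address in the guest): no DHCP server answers on the
# bridge. Reads `ss -ulnp` output on stdin; the line format is an assumption.
check_dhcp_listener() {
    grep -Eq ":67[[:space:]].*dnsmasq"
}

# Failure mode 2 (lease works, WAN times out): the ruleset never forwards or
# masquerades the bridge subnet. Reads `nft list ruleset` output on stdin and
# greps for the three rules a NAT network needs; these are heuristics on the
# text form, not a full nft parse.
check_forwarding() {
    rules=$(cat)
    ok=0
    printf '%s\n' "$rules" | grep -Eq "ip saddr $SUBNET .*masquerade" \
        || { echo "missing: masquerade for $SUBNET"; ok=1; }
    printf '%s\n' "$rules" | grep -Eq "iifname \"$BRIDGE\".*accept" \
        || { echo "missing: forward accept for traffic leaving $BRIDGE"; ok=1; }
    printf '%s\n' "$rules" | grep -Eq "oifname \"$BRIDGE\".*(established|related).*accept" \
        || { echo "missing: forward accept for return traffic to $BRIDGE"; ok=1; }
    return $ok
}

# Forwarding must also be enabled in the kernel; libvirt normally sets this itself.
check_ip_forward() {
    [ "$1" = "1" ]
}

# The manual fix: forward + masquerade rules in their own table. Caveat: nftables
# evaluates every base chain on a hook, so an existing forward chain with
# "policy drop" still wins; put the accept rules in that chain (or relax its
# policy) instead of relying on this table alone.
print_nat_rules() {
    cat <<EOF
table ip libvirt_nat {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "$BRIDGE" ip saddr $SUBNET oifname "$UPLINK" accept
        iifname "$UPLINK" oifname "$BRIDGE" ct state established,related accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $SUBNET oifname "$UPLINK" masquerade
    }
}
EOF
}

# Constructed sample inputs (not captured from a real host).
SS_OK='UNCONN 0 0 0.0.0.0%virbr0:67 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=5))'
SS_BAD='UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=700,fd=12))'
BROKEN_RULESET='table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SS_OK"  | check_dhcp_listener && echo "sample 1: DHCP listener present"
printf '%s\n' "$SS_BAD" | check_dhcp_listener || echo "sample 2: no DHCP listener, expect APIPA in the guest"
printf '%s\n' "$BROKEN_RULESET" | check_forwarding \
    || { echo "sample 3: forwarding broken, rules to add:"; print_nat_rules; }
print_nat_rules | check_forwarding >/dev/null && echo "sample 4: generated rules satisfy the checks"

# Live mode on the host (needs root for nft): sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -ulnp | check_dhcp_listener || echo "no dnsmasq on UDP 67: check dnsmasq / that the libvirt network is started"
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" || echo "net.ipv4.ip_forward is 0"
    nft list ruleset | check_forwarding || { echo "suggested rules:"; print_nat_rules; }
fi
```

Run it without arguments to see the checks on the constructed samples, or with `--live` on the host to run them against the real `ss` and `nft` output. The generated table is the nftables equivalent of the forward and masquerade rules libvirt installs through iptables; libvirt's own rules additionally exclude multicast and broadcast destinations from masquerading, which is worth carrying over if you keep the manual ruleset. Setting firewall_backend=iptables in /etc/libvirt/network.conf, as adonesp suggested, makes libvirt install those rules itself via iptables-nft and avoids maintaining them by hand.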