4.5 KiB
layout, author, tags
| layout | author | tags |
|---|---|---|
| post | Sam Hadow | virtualization networking sysadmin |
On my computer I use archlinux with NetworkManager and QEMU/KVM with virt-manager for virtual machines. In this blog post I'll show you the steps to set up a bridge for the virtual machine. With a bridge on the host instead of the virtual connection NATed to a device, each virtual machine will have its own IP address on the network the host is connected to.
Purpose
The advantage of having a bridge for the virtual machines is the router sees each virtual machine as a separate machine. Each virtual machine is visible on the LAN and has an independent IP address. It also has the advantage of not requiring any additional configuration on the host firewall, when using a NAT network attached to a device forward rules are required to make it work.
For example for NATed connections I have the following additional rules in my nftables configuration:
note: I purposefully ommited the rest of the configuration and only left the rules for the NAT connection.
define qemu_bridge_if = "virbr0"
table inet filter {
chain input {
# -------------------------------- qemu
iifname $qemu_bridge_if accept comment "accept from VM"
}
chain forward {
# -------------------------------- qemu
iifname $qemu_bridge_if accept comment "accept VM interface as input"
oifname $qemu_bridge_if accept comment "accept VM interface as output"
}
chain output {
}
}
Steps
1. Identify physical NIC:
First we have to identify the NIC (Network Interface Card) used by the host to connect to the internet.
To do this we can use the command ip a and look for the line with the IP address we have on the LAN:
Example output:
note: I purposefully ommited the other interfaces and anonymized the output
3: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
altname enxAABBCCDDEEFF
inet 10.0.0.42/24 brd 10.0.0.255 scope global dynamic noprefixroute enp4s0f0
valid_lft 3600sec preferred_lft 3600sec
inet6 fd00:dead:beef::1234/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::abcd:ef12:3456:789a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
The interesting information for us here is the interface name: enp4s0f0
2. Create the bridge
Once we have identified the interface we can proceeed with the bridge creation.
First creating the bridge: note: here it's named br0, but name it how you prefer
sudo nmcli connection add type bridge ifname br0 con-name br0
Then attach the bridge to the interface:
sudo nmcli connection add type ethernet ifname enp4s0f0 master br0 con-name br0-enp4s0f0
Then move the IP configuration to the bridge:
sudo nmcli connection modify br0 ipv4.method auto ipv6.method auto
sudo nmcli connection modify br0-enp4s0f0 ipv4.method disabled ipv6.method ignore
With
$ nmcli connection show
You should see something like:
NAME UUID TYPE DEVICE
Wired connection 1 a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d ethernet enp4s0f0
br0 f0e9d8c7-b6a5-4987-9abc-1234567890a9 bridge br0
You can disable the old connection:
sudo nmcli connection down "Wired connection 1"
And optionally delete it:
sudo nmcli connection delete "Wired connection 1"
After that bring up the bridge:
sudo nmcli connection up br0
Then with
ip a show br0 | grep "inet "
You should see something like:
inet 10.0.0.125/24 brd 10.0.0.255 scope global dynamic noprefixroute br0
And enp4s0f0 should no longer have an IP address.
note:
If you have an IP address reservation in your router using the MAC address from your NIC, you should now replace it with the MAC address from br0. The virtual machines will still appear as different machines and get their IP address with the DHCP.
3. Creating virtual machines
Then with virt-manager when creating virtual machines, skip the network configuration and don't add a virtual network, instead in the virtual machine informations, add new hardware, go to network and select bridged device (here the device name will be br0).
