public inbox for kvm@vger.kernel.org
From: Brian Jackson <iggy@theiggy.com>
To: "Hugo R Hernández-Mora" <hdezmora@gmail.com>
Cc: kvm@vger.kernel.org
Subject: Re: KVM VM's facing public network
Date: Tue, 29 Jan 2013 15:37:52 -0600
Message-ID: <20130129153752.0eb06687@PeterVenkman>
In-Reply-To: <51080C91.8090204@gmail.com>

On Tue, 29 Jan 2013 12:53:21 -0500
Hugo R Hernández-Mora <hdezmora@gmail.com> wrote:

> Hello there,
> we are experiencing a problem configuring KVM bridged networking
> to share a public network interface between the KVM host and the VMs.
> Currently, our KVM server has three network interfaces set as follows:
> 
> * eth0: 192.168.10.101/23 (main interface for public network - no bridge)
> * eth1 <--> br1: 192.168.10.201/23 (KVM VMs connected to public network)
> * eth3 <--> br3: 10.7.10.201/23 (KVM VMs connected to LAN)
> 
> We have followed instructions as from Red Hat as well as from
> different web sites and we are not able to get the VMs to get access
> into/from the public network. Here is a more detailed configuration
> for the KVM host:
> 
> ifcfg-eth0
> DEVICE=eth0
> ONBOOT=yes
> HWADDR=AC:80:B2:14:C5:EE
> BOOTPROTO=none
> IPADDR=192.168.10.101
> NETMASK=255.255.254.0
> 
> ifcfg-eth1
> DEVICE=eth1
> ONBOOT=yes
> HWADDR=AC:80:B2:4E:D3:28
> BRIDGE=br1
> 
> ifcfg-br1
> DEVICE=br1
> ONBOOT=yes
> TYPE=Bridge
> BOOTPROTO=none
> IPADDR=192.168.10.201
> NETMASK=255.255.254.0
> STP=off
> DELAY=0
> 
> ifcfg-eth3
> DEVICE=eth3
> ONBOOT=yes
> HWADDR=AC:80:B2:4E:D3:2A
> BRIDGE=br3
> 
> ifcfg-br3
> DEVICE=br3
> ONBOOT=yes
> TYPE=Bridge
> BOOTPROTO=static
> IPADDR=10.7.10.201
> NETMASK=255.255.254.0
> STP=off
> DELAY=0
> 
> network
> NETWORKING=yes
> HOSTNAME=kvm1.public-lan.net
> GATEWAY=192.168.10.1
> 
> For iptables/routing, we have followed instructions as explained on 
> http://www.linux-kvm.org/page/Networking#public_bridge
> *nat
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING --out-interface br1 -j MASQUERADE
> COMMIT
> :FORWARD ACCEPT [0:0]
> -A FORWARD --in-interface br1 -j ACCEPT
> 
> Hostside:
> Allow IPv4 forwarding and add route to client (could be put in a script -
> route has to be added after the client has started):
> sysctl -w net.ipv4.ip_forward=1 # allow forwarding of IPv4
> route add -host <ip-of-client> dev <tap-device> # add route to the client
> 
> Clientside:
> Default GW of the client is of course then the host (<ip-of-host> has
> to be in same subnet as <ip-of-client> ...):
> route add default gw <ip-of-host>


What do the client configs look like? What network options are you
passing to qemu/kvm (or just the whole command line)? If your guests
and host are in the same subnet, why are you masquerading/routing? Why
not just use standard bridging?


> 
> But it doesn't seem to work. My assumption is that the problem is related
> to a wrong setting of the firewall on the iptables. Could you
> please advise? Your help will be greatly appreciated!
> 
> We are running Scientific Linux 6.2 on the KVM server as well as on
> the VMs. There is no network issue by accessing the LAN between VMs
> but only to face the public network.
> 
> Thanks in advance,
> -Hugo
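The question in the reply above (guests and host in the same subnet, so why masquerade or route?) can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the input is constructed from the ifcfg values, GATEWAY and *nat rule quoted in the message, and it assumes guests attached to a bridge use addresses in that bridge's subnet.

```python
import ipaddress
import shlex

# Constructed input: settings copied from the ifcfg-* files, the "network"
# file and the *nat rule quoted in the message.
IFCFG = {
    "eth0": "DEVICE=eth0\nBOOTPROTO=none\nIPADDR=192.168.10.101\nNETMASK=255.255.254.0",
    "eth1": "DEVICE=eth1\nBRIDGE=br1",
    "br1": "DEVICE=br1\nTYPE=Bridge\nIPADDR=192.168.10.201\nNETMASK=255.255.254.0",
    "eth3": "DEVICE=eth3\nBRIDGE=br3",
    "br3": "DEVICE=br3\nTYPE=Bridge\nIPADDR=10.7.10.201\nNETMASK=255.255.254.0",
}
GATEWAY = "192.168.10.1"
NAT_RULES = ["-A POSTROUTING --out-interface br1 -j MASQUERADE"]

# All function names below are hypothetical helpers for this example.
def parse_ifcfg(text):
    """Parse the KEY=VALUE lines of an ifcfg file into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip().strip('"') for k, v in pairs}

def bridge_networks(ifcfg):
    """Map each TYPE=Bridge device that has an address to its IPv4 network."""
    nets = {}
    for name, text in ifcfg.items():
        cfg = parse_ifcfg(text)
        if cfg.get("TYPE", "").lower() == "bridge" and "IPADDR" in cfg:
            nets[name] = ipaddress.ip_network(
                f"{cfg['IPADDR']}/{cfg.get('NETMASK', '255.255.255.255')}", strict=False)
    return nets

def masquerade_out_ifaces(rules):
    """Return the outgoing interfaces named by MASQUERADE rules (iptables-save syntax)."""
    found = []
    for rule in rules:
        tok = shlex.split(rule)
        if "MASQUERADE" in tok:
            found += [tok[i + 1] for i, t in enumerate(tok[:-1])
                      if t in ("-o", "--out-interface")]
    return found

def redundant_nat(ifcfg, gateway, rules):
    """Bridges that are masqueraded although the default gateway is on-link there."""
    nets = bridge_networks(ifcfg)
    gw = ipaddress.ip_address(gateway)
    return [i for i in masquerade_out_ifaces(rules) if i in nets and gw in nets[i]]
```

For the quoted configuration `redundant_nat(IFCFG, GATEWAY, NAT_RULES)` returns `['br1']`: the gateway 192.168.10.1 lies inside br1's own 192.168.10.0/23, so a guest bridged onto br1 with an address in that range can reach it directly, which is the standard-bridging case the reply asks about.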

