KVM: All network traffic to one guest (firewall)

6,404

Solution 1

Simple. Let's assume:

WAN -> eth0

LAN -> eth1

What you will want to do is create a bridge (let's name it br_wan) with device eth0 and leave it with no IP configured at the host (the host will have no IP set for br_wan).

Now create another bridge (let's call it br_lan) with device eth1 and let the host take its IP from this bridge via DHCP (assuming PFSense is the dhcp server here).

To the PFSense VM you will give both br_wan and br_lan as ethernet devices (use virtio for better perf). PFSense will see them as eth0 and eth1 most likely.

Some config basics. I have not tested it, but all you will need to do is set up the right configuration inside /etc/network/interfaces. The lines below are from my memory, not tested, but should be almost right:

====== /etc/network/interfaces at the HOST ======

# WAN bridge: eth0 enslaved, the host keeps no address on it
auto br_wan
iface br_wan inet static
    address 0.0.0.0
    bridge_ports eth0

# LAN bridge: eth1 enslaved, the host takes its address from PFSense via DHCP
auto br_lan
iface br_lan inet dhcp
    bridge_ports eth1

Solution 2

As far as I understand you want almost the same setup as I have, so I will try and describe it:

My KVM server with 2 NICs runs Ubuntu 13.10 Server with KVM+Libvirt. One NIC serves as bridge on the LAN and the other is passed directly from ISP to the virtual firewall (running Vyatta).

My ISP assigns IPs with DHCP bound to the MAC address. The virtual firewall handles the DHCP client calls to the ISP, so the IP is assigned directly to it. On the KVM server/host I had to set a static local address on the ISP-facing NIC to stop it from doing DHCP client calls (since my ISP will only lease one IP).

This is the /etc/network/interfaces on the host (eth0 connected to LAN switch, eth1 directly to/from ISP):

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address 10.0.0.2
        netmask 255.255.255.0
        gateway 10.0.0.1
        network 10.0.0.0
        broadcast 10.0.0.255
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0
        dns-nameservers 10.0.0.4
        dns-search lan

auto eth1
iface eth1 inet static
        address 10.0.99.1
        netmask 255.255.255.252

This is the interface configuration for the virtual machine:

<interface type='direct'>
  <mac address='52:54:00:b6:58:85'/>
  <source dev='eth1' mode='vepa'/>
  <target dev='macvtap0'/>
  <model type='virtio'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='bridge'>
  <mac address='52:54:00:88:94:6e'/>
  <source bridge='br0'/>
  <target dev='vnet1'/>
  <model type='virtio'/>
  <alias name='net1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>

The Vyatta interfaces configuration looks like this (eth1 goes to LAN/bridge and eth0 is the ISP facing connection from eth1 on the host):

interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        firewall {
            in {
                name wan2lan
            }
            local {
                name wan2gw
            }
        }
        hw-id 52:54:00:b6:58:85
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.0.0.1/24
        duplex auto
        hw-id 52:54:00:88:94:6e
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}

This way I get the DHCP address from my ISP directly to the virtual firewall, and the routing on the host goes through the virtual firewall as I want.

Hope this helps :-)
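A way to check that a host configuration really keeps the host itself off the WAN, serving both the bridge layout of Solution 1 and the macvtap layout of Solution 2. This is an added example, not code from either answer: it parses an ifupdown /etc/network/interfaces text and a libvirt <devices> fragment and reports (a) any stanza where the host would hold an address, run a DHCP client or carry the default route on the WAN side, and (b) which guest NICs reach the WAN NIC, so that only the firewall's MAC does. The sample inputs are constructed cut-downs of the files shown in the two answers; the WAN NIC name is passed in as a parameter, and the severity labels and function names are this example's own choices.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed samples, cut down from the two answers above (not their files verbatim).
IFACES_SOL1 = """\
auto br_wan
iface br_wan inet static
    address 0.0.0.0
    bridge_ports eth0
auto br_lan
iface br_lan inet dhcp
    bridge_ports eth1
"""
IFACES_SOL2 = """\
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
    address 10.0.0.2
    netmask 255.255.255.0
    gateway 10.0.0.1
    bridge_ports eth0
auto eth1
iface eth1 inet static
    address 10.0.99.1
"""
DEVICES_SOL2 = """\
<devices>
  <interface type='direct'>
    <mac address='52:54:00:b6:58:85'/>
    <source dev='eth1' mode='vepa'/>
  </interface>
  <interface type='bridge'>
    <mac address='52:54:00:88:94:6e'/>
    <source bridge='br0'/>
  </interface>
</devices>
"""

def parse_interfaces(text):
    """Parse ifupdown text into {iface: {'method': str, 'options': {key: value}}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split('#', 1)[0].split()
        if not parts:
            continue
        if parts[0] == 'iface' and len(parts) >= 4:
            current = parts[1]
            stanzas[current] = {'method': parts[3], 'options': {}}
        elif parts[0] in ('auto', 'allow-hotplug', 'source', 'source-directory', 'mapping'):
            current = None  # top-level keyword, not an option of the previous stanza
        elif current is not None:
            stanzas[current]['options'][parts[0]] = ' '.join(parts[1:])
    return stanzas

def wan_findings(stanzas, wan_nic):
    """(severity, message) pairs for every stanza that touches the WAN NIC."""
    findings = []
    for name, st in stanzas.items():
        method, opts = st['method'], st['options']
        if name != wan_nic and wan_nic not in opts.get('bridge_ports', '').split():
            continue
        addr = opts.get('address', '0.0.0.0').split('/')[0] if method == 'static' else None
        if method == 'dhcp':
            findings.append(('warn', f'{name}: host runs a DHCP client on the WAN side'))
        elif addr and addr != '0.0.0.0':  # 'manual' and 0.0.0.0 give the host no WAN address
            sev = 'info' if ipaddress.ip_address(addr).is_private else 'warn'
            findings.append((sev, f'{name}: host holds {addr} on the WAN side'))
        if 'gateway' in opts:
            findings.append(('warn', f'{name}: host default route bypasses the firewall VM'))
    return findings

def wan_attachments(devices_xml, stanzas, wan_nic):
    """Lower-cased MACs of guest NICs reaching the WAN NIC via macvtap or a bridge on it."""
    bridges_on_wan = {n for n, st in stanzas.items()
                      if wan_nic in st['options'].get('bridge_ports', '').split()}
    macs = []
    for iface in ET.fromstring(devices_xml).iter('interface'):
        src, mac = iface.find('source'), iface.find('mac')
        if src is None or mac is None:
            continue
        direct = iface.get('type') == 'direct' and src.get('dev') == wan_nic
        bridged = iface.get('type') == 'bridge' and src.get('bridge') in bridges_on_wan
        if direct or bridged:
            macs.append(mac.get('address').lower())
    return macs

def wan_attachment_findings(macs, firewall_mac):
    """Exactly one guest NIC, the firewall's, should sit on the WAN."""
    fw = firewall_mac.lower()
    findings = [] if fw in macs else [('warn', f'firewall MAC {fw} is not attached to the WAN')]
    findings += [('warn', f'guest NIC {m} is also attached to the WAN') for m in macs if m != fw]
    return findings

if __name__ == '__main__':
    stanzas = parse_interfaces(IFACES_SOL2)
    macs = wan_attachments(DEVICES_SOL2, stanzas, 'eth1')
    fw_mac = '52:54:00:b6:58:85'  # hw-id of Vyatta's eth0 in solution 2
    for sev, msg in wan_findings(stanzas, 'eth1') + wan_attachment_findings(macs, fw_mac):
        print(f'[{sev}] {msg}')
```

Run against Solution 2's files it reports only an info finding for the private 10.0.99.1 placeholder on eth1, which that answer set deliberately to stop the host from doing DHCP; a DHCP method or a public address on the WAN side, a default route out of it, or a second guest attached to the WAN NIC each come back as a warning. Solution 1's layout produces no findings, since the host holds nothing on br_wan.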


Author: ViiJay

Updated on September 18, 2022

Comments

  • ViiJay
    ViiJay almost 2 years

    I am currently using a VMWare ESXi 5.5 server for my virtualisation. The network setup is like this:

    PFSense firewall is the center of it all and connected to: LAN network (physical NIC 1 assigned by VMWare), DMZ network (no physical NIC assigned by VMWare), WAN (physical NIC 2 assigned only to the firewall by VMWare).

    The host is a member of the LAN network. There are a couple of servers in the DMZ and LAN network which are all Linux-based, so all in all nothing too fancy.

    In my scenario the firewall takes care of all traffic and the physical NIC 2 is exclusively available to the firewall (not the host). This way the firewall is able to get the public IP address which is assigned by my internet provider via DHCP (cable provider).

    Finally, I am now able, from my client (which is of course a member of the LAN network), to access all servers I want and need to, which I managed by specific firewall rules on the PFSense. Everything is peachy so far.

    So my question now is how do I implement this scenario within KVM and make the KVM host (which will probably be an Ubuntu server 13.10 or 14.04 or Debian-based one) a network-related "dumb" host and let the firewall be the pit for all network traffic.

    I have experimented a little on my laptop with KVM and installing a guest (Ubuntu server 13.10 based) but it had only one physical NIC and I didn't want to pull the internet cable for this test. :)

    So all help, suggestions and ideas on how to get this setup accomplished are greatly appreciated. If there is a lack of information please let me know and I will try to update this post accordingly, but I hope the general idea of what I want to do has become clear during this post.

    VJ

    P.S.: For better understanding here is a picture of my current VMWare network setup.

    • ViiJay
      ViiJay over 10 years
      Hey c4f4t0r, thanks for the info but what about using services on one of the guests? Will the external IP be on the guest (firewall) or do I have to port forward from the host to the firewall first and then add the specific rules on the firewall?
    • c4f4t0r
      c4f4t0r over 10 years
      Use iptables on the host for NATing and SNATing the public IP to the guest firewall.
  • Michal Sokolowski
    Michal Sokolowski about 9 years
    I am using VLANs instead of physical interfaces. Setup: CentOS & KVM & PFSense.
  • mbello
    mbello about 9 years
    Michal, what is your point/question?
  • Michal Sokolowski
    Michal Sokolowski about 9 years
    Just confirmation: such setup works for me too.