Libvirt Networking to Separate VM LAN

Issues related to configuring your network
smacz
Posts: 6
Joined: 2015/06/30 01:16:24

Libvirt Networking to Separate VM LAN

Post by smacz » 2015/06/30 05:10:18

I am attempting to create a LAN with a separate subnet for the VMs that I'm creating on my KVM host (using eth0 for access to host and eth1 for VM access). One of the VMs will be offering DHCP and DNS services to the rest of the VMs. Another is going to be a Spacewalk server so that I can do automated deployments inside of that LAN. My concern is how to get internet from my ISP router to the one that I'm creating for the VMs.

At first I was thinking of bridging and simply hooking up every VM to a bridge on the host's eth1. But then I figured out that assigns IP addresses in the same subnet as all my other devices (192.168.1.X) when I want them in their own subnet (10.0.0.X). That would also put the DHCP VM server inside the same LAN as my router which provides IP addresses in that LAN.

So I figured I need some kind of gateway. I'm trying that at the moment but not having much luck getting the gateway VM to access either my regular router or the other VM I have set up right now.

I looked into using VLANs, but that seemed more for large-scale deployments, and I don't know how it would work with a Cobbler/Spacewalk/DHCP deployment (but if needed I can cross that bridge when I come to it).

So I've looked at:
  • using a VM as a router and/or gateway (and just NAT that particular VM?)
  • using VLAN (not preferable if possible)
  • what a bridge is able to accomplish (on its own or with a VM router/gateway)
  • what a TUN/TAP network is (but documentation is slim pickins)
...but still feel like I'm running blind here.

So what might just be my best option for taking eth1 on the host, and giving this "VM (Separate) LAN Party" access to the internet through that?

Thanks for the consideration,

-Andrew

smacz
Posts: 6
Joined: 2015/06/30 01:16:24

Re: Libvirt Networking to Separate VM LAN

Post by smacz » 2015/07/11 20:52:03

Well, none of the above worked, but I did want to post a follow-up just in case anyone else stumbled across this.

I ended up resorting to putting two NICs on each VM. One being NAT'd to the default network and one belonging to an isolated virtual network 'virtnet' that I made.

The biggest problem that I ran into with making a router out of a VM was that it acted more like a gateway than anything else. I got to the point where I could ping inside of the virtnet and ping the ISP's router. When I pinged outside of my LAN (say 8.8.8.8) I could traceroute to my ISP's router, but nothing further from there. It was almost like the packets were getting lost in translation.

So now my VMs can access the internet via the first NIC (say eth0) and access the internal virtnet via the second (say eth1). Without being able to diagnose the router/gateway issue, that is the best config that I can come up with.

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: Libvirt Networking to Separate VM LAN

Post by aks » 2015/07/13 17:58:53

> I am attempting to create a LAN with a separate subnet for the VMs that I'm creating on my KVM host (using eth0 for access to host and eth1 for VM access).

So separate IP addresses for each interface would seem the easiest option. You'll need a router somewhere along the network path to "join" them together.

> One of the VMs will be offering DHCP and DNS services to the rest of the VMs.

DHCP will require forwarding to cross the subnet(s) - DNS is routable.

> My concern is how to get internet from my ISP router to the one that I'm creating for the VMs.

So long as the router "knows" - i.e.: has a route to the target, it'll work.

> At first I was thinking of bridging and simply hooking up every VM to a bridge on the host's eth1.

Bridging is not routing.

> So I figured I need some kind of gateway.

Yes you do.

> I'm trying that at the moment but not having much luck getting the gateway VM to access either my regular router or the other VM I have set up right now.

Does the router have an interface on each network and does it have the required routes?

> I looked into using VLANs, but that seemed more for large-scale deployments, and I don't know how it would work with a Cobbler/Spacewalk/DHCP deployment (but if needed I can cross that bridge when I come to it)

Generally, VLANs are the responsibility of the network - i.e.: it should be transparent to the hosts. You can make each host "VLAN aware" but this is much, much harder.

> using a VM as a router and/or gateway (and just NAT that particular VM?)

A router is not necessarily a NAT device.

> When I pinged outside of my LAN (say 8.8.8.8) I could traceroute to my ISP's router, but nothing further from there.

This does not necessarily mean all is lost. For example, ICMP ping/traceroute or TCP "ping"/"traceroute" could simply be blocked by the network you have no (or limited) control over.

> So now my VMs can access the internet via the first NIC (say eth0) and access the internal virtnet via the second (say eth1). Without being able to diagnose the router/gateway issue, that is the best config that I can come up with.

So I'll make something up (lack of data).

Say I have a VM called VM1, with:
eth0: 192.168.2.1/24
eth1: 172.168.1.1/16
routes:
192.168.2.0/24 via 192.168.2.1/24
172.168.1.0/16 via 172.168.1.1/16
default (0.0.0.0) via 192.168.2.254 # anything you don't know about, send here!

I also have a router:
eth0: 192.168.2.254/24
routes:
192.168.2.0/24 via 192.168.2.254/24
default via <my_isp_ip_address> # anything you don't know about, send here!

Additionally I need some NAT as I'm using private class C addresses for Internet access.
That means eth1 is internal only (can't get to the internet) and eth0 can get to the internet.

Hopefully that's given you something to think about.
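
The routing tables from the post above can be walked through in code to see where replies go. This is an added example, not part of the original thread: it assumes VM1 has IP forwarding enabled, and the host 172.168.5.5 and the extra static route are constructed for illustration.

```python
import ipaddress

# Routing tables from the example in the post above, addresses as posted.
# strict=False lets "172.168.1.0/16" parse as the network 172.168.0.0/16.
# A next hop of None means directly connected; "ISP" stands in for
# <my_isp_ip_address>.
def table(*routes):
    return [(ipaddress.ip_network(net, strict=False), hop) for net, hop in routes]

VM1 = table(("192.168.2.0/24", None), ("172.168.1.0/16", None),
            ("0.0.0.0/0", "192.168.2.254"))
ROUTER = table(("192.168.2.0/24", None), ("0.0.0.0/0", "ISP"))
# Assumption (not in the post): the same router with a static route added
# that points the internal network back at VM1's eth0 address.
ROUTER_WITH_RETURN = ROUTER + table(("172.168.1.0/16", "192.168.2.1"))

def next_hop(routes, dst):
    """Longest-prefix match. Returns 'connected', a next hop, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    hop = max(matches, key=lambda m: m[0])[1]
    return "connected" if hop is None else hop

def reply_returns(router_routes, src):
    """True if the router sends a reply for src toward the LAN, not upstream."""
    return next_hop(router_routes, src) not in (None, "ISP")

def report():
    inner = "172.168.5.5"  # constructed host on VM1's eth1 side
    return {
        "vm1_forwards_via": next_hop(VM1, "8.8.8.8"),
        "plain_routing_reply": reply_returns(ROUTER, inner),
        "masqueraded_reply": reply_returns(ROUTER, "192.168.2.1"),
        "static_route_reply": reply_returns(ROUTER_WITH_RETURN, inner),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

With plain forwarding the router's only match for the internal source is its default route, so the reply heads upstream; masquerading on VM1's eth0 or a return route on the router both bring it back.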
