KVM bridge NIC DHCP Fails no IOMMU

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Post by ixeous » 2015/03/02 07:27:26

This is intended to be more of a knowledge share, as I didn't find the specific solution recommendation via Google. This is a rather simple solution that seems to be working well.

I have a CentOS 6 box as a KVM host. I have as one of my VMs, a system that is my firewall. There are 2 physical NICs on the host that are passed to the VM as a bridge. eth0/br0 is the internal network interface. That NIC is used by all VMs (I don't NAT my VMs). eth1/br1 is the external interface. Only the firewall uses eth1/br1.

Everything worked great while using DSL, but I recently upgraded my internet to cable. The cable modem is a Cisco DCP3216. The firewall which previously used pppoe without issue was unable to get a DHCP address from the cable modem. If I plugged eth1 from the firewall into my wireless router, it would get an IP address so the configuration for the firewall was correct.

The solutions that I found online did not fix the issue or apply to my situation. Some solutions suggested spoofing the MAC on the firewall. The most promising solution was using PCI passthrough, but KVM requires IOMMU for PCI passthrough, and my motherboard does not support IOMMU.

I found some pages that stated that cable modems would only issue an IP address to the first MAC that the cable modem sees. I could use tcpdump to verify that traffic was going out via the physical host and the firewall (VM) using their respective MAC addresses.

The SOLUTION:

I wanted to prevent the cable modem from "seeing" the MAC of the physical NIC via the KVM host system. Since that NIC is dedicated to the firewall, there is no need for the KVM host to use that NIC to communicate. It simply needs to provide the bridge (no IOMMU, so no passthrough). I accomplished that by simply using the iptables OUTPUT chain to filter traffic from the KVM host on those interfaces.

# iptables -A OUTPUT -o eth1 -j DROP
# iptables -A OUTPUT -o br1 -j DROP

Save, of course. Now, the bridge will send traffic from the firewall VM, but not the physical host. So far, everything seems to be working. I'm even posting from this solution.

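The two OUTPUT rules above are easy to lose on a reboot if the save step is skipped, so a small check that the host really is silenced on the external side is worth keeping. The script below is an added example, not code from the original post: it renders the same two DROP rules for a NIC and its bridge, and it verifies from an iptables-save dump (fed on stdin) that an OUTPUT DROP exists for every interface named. The interface names eth1 and br1 are the ones from the post; the function names and the two sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names eth1/br1 come
# from the post; function names and sample dumps are constructed here.

# Print the iptables commands that keep the KVM host itself silent on the
# external NIC and its bridge, so only the firewall VM's MAC reaches the modem.
# Frames bridged from the VM do not traverse the host's OUTPUT chain, so the
# VM is unaffected.
host_silence_rules() {
    nic="$1"; br="$2"
    printf 'iptables -A OUTPUT -o %s -j DROP\n' "$nic"
    printf 'iptables -A OUTPUT -o %s -j DROP\n' "$br"
}

# Read an iptables-save dump from stdin. Return 0 if it contains an
# OUTPUT DROP rule for every interface given as an argument; otherwise
# name the missing interfaces on stderr and return 1.
check_host_silenced() {
    dump=$(cat)
    missing=""
    for ifc in "$@"; do
        if ! printf '%s\n' "$dump" | grep -Eq "^-A OUTPUT -o ${ifc} -j DROP\$"; then
            missing="$missing $ifc"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing OUTPUT DROP for:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample dumps in iptables-save format (not captured from a real host).
# The first has both rules; the second lost the br1 rule.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth1 -j DROP
-A OUTPUT -o br1 -j DROP
COMMIT'

SAMPLE_MISSING='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth1 -j DROP
COMMIT'

# Demo: the complete dump passes, the incomplete one is reported on stderr.
host_silence_rules eth1 br1
printf '%s\n' "$SAMPLE_OK" | check_host_silenced eth1 br1 && echo "host silenced on eth1 and br1"
printf '%s\n' "$SAMPLE_MISSING" | check_host_silenced eth1 br1 || echo "rules incomplete, re-add and save"
```

On the host itself, source the script and run `iptables-save | check_host_silenced eth1 br1` to check the live ruleset rather than the samples. Two caveats to keep in mind: the iptables OUTPUT chain only covers IPv4 the host originates, so ARP (arptables) and IPv6 (ip6tables) are not filtered by these two rules, and leaving br1 without any address on the host is the surest way to keep it from originating ARP or DHCP on the modem segment at all.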