issues with internal VirtualNetwork for a LAN on KVM?

Issues related to configuring your network
opticalc
Posts: 9
Joined: 2017/05/11 17:10:29

issues with internal VirtualNetwork for a LAN on KVM?

Post by opticalc » 2018/06/09 21:05:45

I thought I had it all figured out, but end up with very strange results.

The goal is for a KVM host to have a VM running pfsense firewall that will frontend all network traffic (including traffic to/from the baremetal KVM host, which is to live on the same internal network all the other VMs will be on). For testing purposes currently the firewall VM is permitting all traffic on the WAN and LAN. I'm at the point now where from the KVM host on a bash term I can ping out using DNS even, to anywhere in the world. But that's it; the KVM host cannot use yum to install anything, cannot use firefox to get anywhere, and other VMs also have no connectivity at all.

Now there already was a "default" virtual network (virbr0) in KVM but it has DHCP+NAT enabled, and I need PFsense to handle all that. So "default" is disabled now in preference of a new virtual network "LAN" (virbr1) that is present on my other VMs. So the KVM host sees itself as having a static IP configured on virbr1 so that the KVM will have connectivity via PFsense. The Pfsense VM has a bridge for its WAN (wanbr1) with the PHY interface of the KVM host in that bridge. And PFSense has that new virtual network "LAN" for its LAN interface. And pinging anything/anywhere from a KVM bash works, but nothing else. ??? KVM and PFsense can ping each other directly.

I've also tried it such that instead of using a KVM virtual network for the LAN, I just created a new generic bridge in KVM and have not assigned it any physical system interfaces, and have just used that bridge for my 2 VMs. Same exact results.

Basically the goal is for the PFSense VM to frontend all traffic, and have a virtual network that the other VMs as well as the KVM host itself has connectivity on. Is my design not the correct way to go about achieving this?

opticalc
Posts: 9
Joined: 2017/05/11 17:10:29

Re: issues with internal VirtualNetwork for a LAN on KVM?

Post by opticalc » 2018/06/10 20:28:57

In case anyone else ever has this issue.

I noticed the TCP SYN was making it out of the WAN interface of the pfsense, but nothing ever came back. The problem is that TCP checksum offloading needs to be disabled on the pfsense. Not sure, but I think they also recommend disabling it on all the VMs as well.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: issues with internal VirtualNetwork for a LAN on KVM?

Post by jlehtone » 2018/06/11 07:13:47

That might be, although I don't recall doing so on CentOS guests; they might not even try it on "virtio" devices.

The libvirt "default" virtual network does set

    -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

which is DHCP traffic from the dnsmasq process on the host to VMs.

I would configure two bridges on the host before libvirt exists:
* wanbr, with WAN NIC of the host as member. No IP
* lanbr, with LAN NIC of the host as member. Valid IP. LAN-IP of pfsense as default gateway.

The host can now talk with everyone in the LAN whether the VM is up or not.

Then create VM for pfsense, with interfaces on both bridges.


Option 2 is to not create the wanbr at all, but to assign the WAN NIC of the host directly to the VM in a passthrough mode (there is more than one such mode). Checksums might be affected.
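The two-bridge host layout described in the reply above, as an added example that is not from the thread: a shell function that writes CentOS 7 network-scripts ifcfg files for wanbr (member NIC only, no IP) and lanbr (member NIC, host static IP, pfsense LAN address as default gateway). The NIC names, addresses and the output directory are assumed placeholders; on a real host the files go under /etc/sysconfig/network-scripts and the network service is restarted afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): generate ifcfg files for the two
# host bridges. wanbr carries WAN frames only and gets no address; lanbr
# is where the host lives, routing through the pfsense LAN IP.
# All NIC names and addresses below are assumed placeholders.
set -eu

write_bridges() {
    dir=$1
    wan_nic=${2:-eth0}           # host NIC facing upstream / WAN
    lan_nic=${3:-eth1}           # host NIC facing the LAN switch
    lan_ip=${4:-192.168.10.2}    # host's own LAN address
    pf_ip=${5:-192.168.10.1}     # pfsense LAN interface = gateway
    mkdir -p "$dir"

    # wanbr: no IP, so the host itself is never reachable on the WAN side
    cat > "$dir/ifcfg-wanbr" <<EOF
DEVICE=wanbr
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
STP=off
NM_CONTROLLED=no
EOF
    # lanbr: host IP plus pfsense as default gateway and resolver
    cat > "$dir/ifcfg-lanbr" <<EOF
DEVICE=lanbr
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
IPADDR=$lan_ip
PREFIX=24
GATEWAY=$pf_ip
DNS1=$pf_ip
STP=off
NM_CONTROLLED=no
EOF
    # enslave each physical NIC to its bridge; NICs carry no IP themselves
    for pair in "$wan_nic:wanbr" "$lan_nic:lanbr"; do
        nic=${pair%%:*}; br=${pair##*:}
        cat > "$dir/ifcfg-$nic" <<EOF
DEVICE=$nic
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
BRIDGE=$br
NM_CONTROLLED=no
EOF
    done
}
```

The pfsense VM is then given one virtio interface on each bridge; because the host's address sits on lanbr, it stays reachable from the LAN whether the pfsense VM is running or not.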
