bastl Posted March 27, 2019

Is it possible to create a virtual NIC somehow that is only for internal use and not like the virbr0 in a NAT network behind the actual Unraid network? A VM using the virbr0, even if it's on its own network, can still see devices and shares behind the NAT. That's not what I want. I couldn't find any solutions on the forum for this. All I've found are the suggestions to use the virbr, but that's completely against the idea of a separated, isolated network. VMware, VirtualBox and XCP-NG all have such a feature built in. Did I miss something? The goal is to be able to create VMs for testing without any access to the outside, only talking to each other. Maybe have a pfSense VM also having access to that internal-only network to handle DHCP and to monitor web traffic. I don't want a solution where I have to change some settings inside the VMs to prevent access to the outside. Manually configuring the network to maybe set it to a wrong gateway, for example, isn't a solution. Any suggestions are highly appreciated.

ken-ji Posted March 27, 2019

You just need to create (and persist) a bridge device for your VMs to use. Create an XML file (i.e. /tmp/lab-network.xml):

    <network ipv6='yes'>
      <name>lab-network</name>
      <bridge name="virbr1" stp="on" delay="0"/>
    </network>

Then you enable the network with

    virsh net-define /tmp/lab-network.xml
    virsh net-start lab-network

This will create a bridge virbr1, which you can assign to your VMs. There will be a host interface virbr1-nic (but it will not be assigned an IP or any such automatically). Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

bastl Posted March 28, 2019

@ken-ji Thanks. It looks like it's working. I'm having another virbr up and used by a pfSense VM and a Windows VM. pfSense acts as a Tor proxy for the VM, and Windows has access to the internet but doesn't have any access to the LAN services Unraid provides. The question is, how do I make the virbr persistent, so it survives an Unraid restart? Is there a config file somewhere on the flash device where I have to put the bridge settings in? I can't really find anything where the virbr0 is configured in.

ken-ji Posted March 28, 2019

The net-define command already makes it persistent. Run

    virsh net-autostart lab-network

to make the corresponding bridge auto-start.

bastl Posted March 29, 2019

I completely missed that part in the libvirt documentation. Thanks again @ken-ji. Custom virbr is up and running and survived a server restart.

Dav3 Posted January 29, 2020

> On 3/27/2019 at 4:11 PM, ken-ji said:
> You just need to create (and persist) a bridge device for your VMs to use. Create an XML file (i.e. /tmp/lab-network.xml):
>
>     <network ipv6='yes'>
>       <name>lab-network</name>
>       <bridge name="virbr1" stp="on" delay="0"/>
>     </network>
>
> Then you enable the network with
>
>     virsh net-define /tmp/lab-network.xml
>     virsh net-start lab-network
>
> This will create a bridge virbr1, which you can assign to your VMs. There will be a host interface virbr1-nic (but it will not be assigned an IP or any such automatically). Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

Apologies for resurrecting an old thread, but this seems relevant enough to avoid creating a duplicate: @ken-ji I've been reading the libvirt Network XML spec but can't figure out how to do something similar to this. I want to create a private bridge that filters a VM to a few addresses & ports on the LAN. My XML currently looks like:

    <network>
      <name>private</name>
      <bridge name="private0" stp="on" delay="0"/>
      <forward mode="nat" dev="br1">
        <nat>
          <port start='500' end='1000'/>
        </nat>
      </forward>
      <ip address="192.168.1.202" netmask="255.255.255.0"/>
    </network>

But I get an error that br1 is already taken when I try to virsh net-start the XML file. Can anyone provide clues for how to do this?

ken-ji Posted January 29, 2020

@Dav3 It would help if you outlined your network config and what exactly you want to do here. Looks to me like you want to define a bridge interface in Unraid, "private0", which should be NATed against br1, using outgoing ports 500-1000 and assigning the internal IP of 192.168.1.202/24 to the bridge. I'll definitely say first that I haven't messed with the network config of VMs for quite a while now, as I have no need for complex networking with Unraid VMs. I'm only using bridged VMs on the primary interface br0, as I don't need to make other complicated setups; Docker and a Mikrotik router are currently enough for my needs.

Dav3 Posted January 29, 2020

Great! I'm trying to figure out how to isolate a VM to a few LAN addresses & ports and block everything else to them. Been using the Unraid /boot/config/go file to tweak iptables of br1/eth1 on the 2nd NIC. Instead I want to define it using 'virsh net-define' (better). Would prefer to use a virtual interface, not eth1. To get filtering it needs NAT type (?) Not clear on the XML.

Dav3 Posted February 1, 2020

OK, so I ended up back-burnering setting up a virtual switch and defining it in net-define XML. Using iptables in /boot/config/go is good enough for now. Spent far too much time on it. So thanks anyway, that lab-network.xml snippet was really helpful and led me to the virsh command interface, which is a goldmine.

ken-ji Posted February 1, 2020

AFAIK, you don't / can't impose VM isolation with just a virtual switch - you'll need additional software on the vswitch (which is not part of Unraid). However, creating a vswitch for the VM alone and then using iptables to restrict access to it should work. You should also try to impose guest-level restrictions as well.

JamesAdams Posted June 4, 2020

> On 3/28/2019 at 12:11 AM, ken-ji said:
> You just need to create (and persist) a bridge device for your VMs to use. Create an XML file (i.e. /tmp/lab-network.xml):
>
>     <network ipv6='yes'>
>       <name>lab-network</name>
>       <bridge name="virbr1" stp="on" delay="0"/>
>     </network>
>
> Then you enable the network with
>
>     virsh net-define /tmp/lab-network.xml
>     virsh net-start lab-network
>
> This will create a bridge virbr1, which you can assign to your VMs. There will be a host interface virbr1-nic (but it will not be assigned an IP or any such automatically). Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

Thanks, it works for the VM, but my Docker doesn't see the new interface.

ken-ji Posted June 4, 2020

> 1 hour ago, JamesAdams said:
> Thanks, it works for the VM, but my Docker doesn't see the new interface.

You need to tell Docker about the new bridge by going to the Settings | Docker menu. Stopping the Docker engine will then let you edit the networks and allow you to define the IP and gateways for the internal network.

JamesAdams Posted June 4, 2020

> 2 minutes ago, ken-ji said:
> You need to tell Docker about the new bridge by going to the Settings | Docker menu. Stopping the Docker engine will then let you edit the networks and allow you to define the IP and gateways for the internal network.

In Docker I don't see my virbr0...

ken-ji Posted June 4, 2020

It's been a while, but I think the Docker settings page limits which network interfaces it will display. You need to enable "Preserve user defined networks" in the Docker Settings, then on the command line run something like

    # docker network create \
        -o parent=virbr1 \
        --driver macvlan \
        --subnet 192.168.1.0/24 \
        --ip-range 192.168.1.128/25 \
        --gateway 192.168.1.1 \
        labnet

Adjust the IPs to your needs. Unfortunately, Docker won't let you create a network without a gateway defined and imposes a few other annoying constraints on Docker networks.

JamesAdams Posted June 9, 2020

> On 6/4/2020 at 11:40 PM, ken-ji said:
> It's been a while, but I think the Docker settings page limits which network interfaces it will display. You need to enable "Preserve user defined networks" in the Docker Settings, then on the command line run something like
>
>     # docker network create \
>         -o parent=virbr1 \
>         --driver macvlan \
>         --subnet 192.168.1.0/24 \
>         --ip-range 192.168.1.128/25 \
>         --gateway 192.168.1.1 \
>         labnet
>
> Adjust the IPs to your needs. Unfortunately, Docker won't let you create a network without a gateway defined and imposes a few other annoying constraints on Docker networks.

OK, thanks, I will test. Do you know if, for the virtual network that I have created with your method, we can define an IP, a mask and a gateway by default? Because on this network I create a virtual router which works when I put the IP manually in my W10 VM, but DHCP does not work; my VM takes an IP in 169.254.88.156 by default while my network is in 192.168.0.0. Thanks for your help.

JamesAdams Posted June 11, 2020

I found the solution; I edited my network like this:

    <network ipv6='yes'>
      <name>lab-network</name>
      <uuid>9076910b-63df-470f-862a-606414dd750a</uuid>
      <bridge name='virbr1' stp='on' delay='0'/>
      <mac address='52:54:00:a7:8f:4b'/>
      <ip address='192.168.0.0' netmask='255.255.255.0'>
        <dhcp>
          <range start='192.168.0.11' end='192.168.0.20'/>
        </dhcp>
      </ip>
      <route address='192.168.0.0' prefix='24' gateway='192.168.0.10'/>
    </network>

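As an added example (not from anyone in this thread), a small Python audit of a libvirt network definition: it reports whether the XML describes a host-only network in the shape of ken-ji's lab-network (no <forward> element) or one whose guests can reach the LAN, and it flags the address slips a reviewer would raise on the later posts (a bridge IP set to the network address, a DHCP range outside the declared subnet). The two XML samples are constructed for the example and the function name audit_network is an assumption of mine.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: an isolated definition in the shape of the thread's
# lab-network (no <forward>), and a NAT variant with two deliberate slips.
ISOLATED_XML = """<network ipv6='yes'>
  <name>lab-network</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.0.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.0.11' end='192.168.0.20'/></dhcp>
  </ip>
</network>"""

NAT_XML = """<network>
  <name>virbr1-lab</name>
  <forward mode='nat'/>
  <bridge name='virbr1-lab' stp='on' delay='0'/>
  <ip address='192.168.50.0' netmask='255.255.255.248'>
    <dhcp><range start='192.168.50.2' end='192.168.50.9'/></dhcp>
  </ip>
</network>"""


def audit_network(xml_text):
    """Return (mode, findings) for one libvirt <network> definition.

    mode is 'isolated' only when no <forward> element exists: libvirt then
    brings up a bridge with no path to the host's LAN. Any other mode lets
    guests reach the LAN (nat, route) or puts them on it (bridge), so it is
    reported. Address checks catch a bridge IP equal to the network address
    and DHCP range bounds outside the declared subnet.
    """
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    # libvirt treats <forward/> without a mode attribute as mode='nat'
    mode = "isolated" if fwd is None else (fwd.get("mode") or "nat")
    findings = []
    if mode != "isolated":
        findings.append(f"forward mode '{mode}': guests can reach the LAN")
    for ip in root.findall("ip"):
        length = ip.get("netmask") or ip.get("prefix")
        if ip.get("address") is None or length is None:
            continue
        iface = ipaddress.ip_interface(f"{ip.get('address')}/{length}")
        net = iface.network
        if iface.ip == net.network_address:
            findings.append(f"{iface.ip} is the network address of {net}")
        for rng in ip.findall("dhcp/range"):
            for bound in (rng.get("start"), rng.get("end")):
                if ipaddress.ip_address(bound) not in net:
                    findings.append(f"dhcp bound {bound} is outside {net}")
    return mode, findings
```

Run it against the output of `virsh net-dumpxml <name>` to check a live definition before handing the bridge to a VM.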
JamesAdams Posted July 5, 2020

Hi, I have a virtual NIC in Unraid and I wish to add a VLAN in this virtual network, but I haven't found the solution... My virtual NIC:

    <network ipv6='yes'>
      <name>lab-network</name>
      <uuid>9076910b-63df-470f-862a-606414dd750a</uuid>
      <bridge name='virbr1-lab' stp='on' delay='0'/>
      <mac address='52:54:00:a7:8f:4b'/>
      <ip address='192.168.0.1' netmask='255.255.255.0'>
      </ip>
      <route address='192.168.0.0' prefix='24' gateway='192.168.0.10'/>
    </network>

Anyone have a solution?

sonuyos Posted December 25, 2020

> On 6/11/2020 at 3:29 PM, JamesAdams said:
> I found the solution; I edited my network like this:
>
>     <network ipv6='yes'>
>       <name>lab-network</name>
>       <uuid>9076910b-63df-470f-862a-606414dd750a</uuid>
>       <bridge name='virbr1' stp='on' delay='0'/>
>       <mac address='52:54:00:a7:8f:4b'/>
>       <ip address='192.168.0.0' netmask='255.255.255.0'>
>         <dhcp>
>           <range start='192.168.0.11' end='192.168.0.20'/>
>         </dhcp>
>       </ip>
>       <route address='192.168.0.0' prefix='24' gateway='192.168.0.10'/>
>     </network>

Can you tell me which file you edited?

Kristijan Posted January 24, 2021 (edited)

> On 3/28/2019 at 12:11 AM, ken-ji said:
> You just need to create (and persist) a bridge device for your VMs to use. Create an XML file (i.e. /tmp/lab-network.xml):
>
>     <network ipv6='yes'>
>       <name>lab-network</name>
>       <bridge name="virbr1" stp="on" delay="0"/>
>     </network>
>
> Then you enable the network with
>
>     virsh net-define /tmp/lab-network.xml
>     virsh net-start lab-network
>
> This will create a bridge virbr1, which you can assign to your VMs. There will be a host interface virbr1-nic (but it will not be assigned an IP or any such automatically). Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

Hi, after I apply the XML I can't see the new network in the VM (when creating a new VM). What must I do? Where can I edit this XML again?

Edited January 25, 2021 by Kristijan

JamesAdams Posted April 9, 2021

@ken-ji Hi, I try to create another custom network with a bandwidth limit, but I get this error. Do you have an idea, please?

    root@JamesServer:/tmp# virsh net-start virbr1-lab
    error: Failed to start network virbr1-lab
    error: internal error: Child process (/usr/sbin/tc qdisc add dev virbr1-lab root handle 1: htb default 2) unexpected exit status 2: Error: Specified qdisc not found.

    <network>
      <name>virbr1-lab</name>
      <uuid>03ca9ae6-8dbc-43b7-8e63-366b46926b20</uuid>
      <forward mode='nat'/>
      <bandwidth>
        <inbound average='625' peak='625' burst='625'/>
        <outbound average='625' peak='625' burst='625'/>
      </bandwidth>
      <bridge name='virbr1-lab' stp='on' delay='0'/>
      <mac address='52:54:00:c5:18:43'/>
      <ip address='192.168.50.1' netmask='255.255.255.248'>
        <dhcp>
          <range start='192.168.50.2' end='192.168.50.6'/>
        </dhcp>
      </ip>
    </network>

ken-ji Posted April 9, 2021

The error "Specified qdisc not found" indicates that the qdisc modules are not installed/available. So this would probably be unsupported unless the modules are compiled and loaded in (either by Limetech or some plugin).

JamesAdams Posted April 9, 2021

> 4 minutes ago, ken-ji said:
> The error "Specified qdisc not found" indicates that the qdisc modules are not installed/available. So this would probably be unsupported unless the modules are compiled and loaded in (either by Limetech or some plugin).

Thanks for your fast response 😀 So then there is no other way to limit the internet speed of a VM?

ken-ji Posted April 9, 2021

I think most users here limit VMs and dockers at the router level, which would have better control of the network than Unraid itself. I could do that with my Mikrotik router, but I never needed to.

JamesAdams Posted April 9, 2021

> 2 minutes ago, ken-ji said:
> I think most users here limit VMs and dockers at the router level, which would have better control of the network than Unraid itself. I could do that with my Mikrotik router, but I never needed to.

Ah, then I cannot do that, because I created a virtual network that does not communicate with my LAN.

ken-ji Posted April 9, 2021

You can try making a request to Limetech, but you'll need to know exactly what you need (I'm not sure either).