[SOLVED] How to create a virtual nic for internal/isolated use only?



Is it possible to create a virtual nic somehow that is only for internal use and not like the virbr0 in a NAT network behind the actual Unraid network? Having a VM using the virbr0, even if it's on its own network, can still see devices and shares behind the NAT. That's not what I want. I couldn't find any solutions on the forum for this. All I've found are the suggestions to use the virbr, but that's completely against the idea of a separate, isolated network. Vmware, Virtualbox, XCP-NG all have such a feature built in. Did I miss something?

 

The goal is to be able to create VMs for testing without any access to the outside, only talking to each other. Maybe have a Pfsense VM also having access to that internal-only network to handle DHCP and to monitor web traffic. I don't want a solution where I have to change some settings inside the VMs to prevent access to the outside. Manually configuring the network to, for example, set a wrong gateway isn't a solution.

 

Any suggestions are highly appreciated.


You just need to create (and persist) a bridge device for your VMs to use.

Create an XML file (i.e. /tmp/lab-network.xml):

<network ipv6='yes'>
  <name>lab-network</name>
  <bridge name="virbr1" stp="on" delay="0"/>
</network>

Then you enable the network with

virsh net-define /tmp/lab-network.xml

virsh net-start lab-network

 

This will create a bridge virbr1, which you can assign to your VMs.

There will be a host interface virbr1-nic (but it will not be assigned an IP or anything of the sort automatically).

 

Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

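The definition above is isolated because it carries no `<forward>` element, so libvirt neither NATs nor routes the bridge; guests on virbr1 can only talk to each other (and to the host, should the host ever put an address on that bridge). The following added example, which is not ken-ji's code, builds the same definition programmatically, checks that property before defining it, and runs the virsh steps (`net-define`, `net-start`, plus `net-autostart` so libvirtd brings the network up itself) only when virsh is on PATH; otherwise it just writes the XML and prints the commands. The network and bridge names are the thread's, the target directory is a temporary one.

```python
"""Build, check and (optionally) define an isolated libvirt network.

Added example, not code from the thread. Assumes the thread's names
(lab-network / virbr1); virsh is only invoked if it is installed.
"""
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def isolated_network_xml(name: str, bridge: str, ipv6: bool = True) -> str:
    """Return <network> XML with a bridge and no <forward>: libvirt will not NAT or route it."""
    net = ET.Element("network", {"ipv6": "yes" if ipv6 else "no"})
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "bridge", {"name": bridge, "stp": "on", "delay": "0"})
    return ET.tostring(net, encoding="unicode")


def is_isolated(xml_text: str) -> bool:
    """True when the definition has no <forward> (no NAT/routing) and no <ip> (no host address on the bridge)."""
    root = ET.fromstring(xml_text)
    return root.find("forward") is None and root.find("ip") is None


def virsh_commands(xml_path, name: str) -> list[list[str]]:
    """The virsh steps: define, start, and mark for autostart so it comes up with libvirtd."""
    return [
        ["virsh", "net-define", str(xml_path)],
        ["virsh", "net-start", name],
        ["virsh", "net-autostart", name],
    ]


def define_network(name: str = "lab-network", bridge: str = "virbr1", directory=None) -> list[list[str]]:
    """Write the XML, refuse anything non-isolated, run virsh if present; return the commands used."""
    xml_text = isolated_network_xml(name, bridge)
    if not is_isolated(xml_text):
        raise ValueError("refusing to define a network that is not isolated")
    directory = Path(directory or tempfile.mkdtemp())
    xml_path = directory / f"{name}.xml"
    xml_path.write_text(xml_text + "\n")
    cmds = virsh_commands(xml_path, name)
    if shutil.which("virsh") is None:
        # Dry run on a host without libvirt: show what would be executed.
        print(f"virsh not found; XML written to {xml_path}, would run:")
        for c in cmds:
            print("  " + " ".join(c))
        return cmds
    for c in cmds:
        subprocess.run(c, check=True)
    return cmds


if __name__ == "__main__":
    define_network()
```

`virsh net-autostart` records the network as one libvirtd starts on its own; whether that record survives an Unraid reboot depends on where the host keeps libvirt's configuration, which the thread does not settle, so check `virsh net-list --all` after a restart.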

@ken-ji Thanks. It looks like it's working. I'm having another virbr up and used by a pfsense VM and a Windows VM. Pfsense acts as a torproxy for the VM, and Windows has access to the internet and doesn't have any access to the LAN services Unraid provides. The question is, how do I make the virbr persistent, so it survives an Unraid restart? Is there a config file somewhere on the flash device where I have to put the bridge settings in? I can't really find anything where the virbr0 is configured.

  • bastl changed the title to (SOLVED) How to create a virtual nic for internal/isolated use only?
  • 9 months later...
On 3/27/2019 at 4:11 PM, ken-ji said:

You just need to create (and persist) a bridge device for your VMs to use.

Create an XML file (i.e. /tmp/lab-network.xml):


<network ipv6='yes'>
  <name>lab-network</name>
  <bridge name="virbr1" stp="on" delay="0"/>
</network>

Then you enable the network with

virsh net-define /tmp/lab-network.xml

virsh net-start lab-network

 

This will create a bridge virbr1, which you can assign to your VMs.

There will be a host interface virbr1-nic (but it will not be assigned an IP or anything of the sort automatically).

 

Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

Apologies for resurrecting an old thread, but this seems relevant enough to avoid creating a duplicate:

 

@ken-ji I've been reading the libvirt Network XML spec but can't figure out how to do something similar to this. I want to create a private bridge that filters a VM to a few addresses & ports on the LAN. My XML currently looks like:

<network>
  <name>private</name>
  <bridge name="private0" stp="on" delay="0"/>
  <forward mode="nat" dev="br1">
    <nat>
      <port start='500' end='1000'/>
    </nat>
  </forward>
  <ip address="192.168.1.202" netmask="255.255.255.0"/>
</network>

But I get an error that br1 is already taken when I try to virsh net-start the XML file.  Can anyone provide clues for how to do this?


@Dav3 It would help if you outlined your network config and what exactly you want to do here.
Looks to me like you want to define a bridge interface in Unraid "private0" which should be NATed against br1, using outgoing ports 500-1000 and assigning the internal IP of 192.168.1.202/24 to the bridge.

I'll definitely say first that I haven't messed with the network config of VMs for quite a while now as I have no need for complex networking with Unraid VMs.

I'm only using bridged VMs on the primary interface br0 as I don't need to make other complicated setups; docker and a Mikrotik router are currently enough for my needs.


Great! I'm trying to figure out how to isolate a VM to a few LAN addresses & ports and block everything else.

I've been using the Unraid /boot/config/go file to tweak iptables of br1/eth1 on the 2nd NIC.

Instead I want to define it using 'virsh net-define' (better).

I would prefer to use a virtual interface, not eth1.

To get filtering it needs the NAT type (?)

Not clear on the XML.

 


Ok so I ended up back-burnering setting up a virtual switch and defining it in net-define XML.

Using iptables in /boot/config/go is good enough for now.  Spent far too much time on it.

So thanks anyway, that lab-network.xml snippet was really helpful and led me to the virsh command interface, which is a goldmine. :)

 


AFAIK, you don't / can't impose VM isolation with just a virtual switch; you'll need additional software on the vswitch (which is not part of Unraid).

However, creating a vswitch for the VM alone and then using iptables to restrict access to it should work. You should also try to impose guest-level restrictions as well.

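What Dav3 asked for (a VM on its own bridge that may reach only a few LAN hosts and ports) is exactly the "vswitch plus iptables" combination ken-ji describes. The added example below, which is not code from the thread or from Unraid, generates that rule set: a dedicated chain jumped to from the top of FORWARD so it runs before the ACCEPT rules libvirt installs for its NAT networks, reply traffic allowed via conntrack, an explicit allowlist, then a rate-limited LOG and DROP for everything else. It also refuses a private subnet that overlaps the LAN, the trap in the earlier XML that put 192.168.1.202/24 on the private bridge while NATing to br1. Bridge name, chain name, subnets and allowlist are assumptions; the script only prints iptables-restore text, applying it (for instance from /boot/config/go) needs root.

```python
"""Generate iptables rules that confine a NATed libvirt bridge to an allowlist.

Added example, not code from the thread. Assumed names: bridge private0,
chain LAB_FILTER, private subnet 192.168.200.0/24, LAN 192.168.1.0/24.
"""
import ipaddress

PRIVATE_BRIDGE = "private0"
CHAIN = "LAB_FILTER"


def check_subnets(private: str, lan: str) -> None:
    """A NAT network must have its own subnet; overlapping the LAN makes host routing ambiguous."""
    p, l = ipaddress.ip_network(private), ipaddress.ip_network(lan)
    if p.overlaps(l):
        raise ValueError(f"private subnet {p} overlaps LAN {l}")


def forward_rules(allow: list[tuple[str, str, int]], log_drops: bool = True) -> list[str]:
    """FORWARD-chain rules for traffic entering from the private bridge.

    allow: (destination host or CIDR, protocol, port). Order: jump inserted at
    position 1 (ahead of libvirt's own rules), established/related replies,
    allowlist, optional LOG, default DROP.
    """
    rules = [
        f"-I FORWARD 1 -i {PRIVATE_BRIDGE} -j {CHAIN}",
        f"-A {CHAIN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for dst, proto, port in allow:
        dst_net = ipaddress.ip_network(dst, strict=False)  # single host becomes /32
        rules.append(f"-A {CHAIN} -d {dst_net} -p {proto} --dport {port} -j ACCEPT")
    if log_drops:
        # Rate-limited log line so blocked attempts from the lab VM are visible in syslog.
        rules.append(f'-A {CHAIN} -m limit --limit 5/min -j LOG --log-prefix "{CHAIN} drop: "')
    rules.append(f"-A {CHAIN} -j DROP")
    return rules


def restore_file(rules: list[str]) -> str:
    """Wrap the rules in an iptables-restore *filter block that declares the chain."""
    return "\n".join(["*filter", f":{CHAIN} - [0:0]", *rules, "COMMIT", ""])


if __name__ == "__main__":
    check_subnets("192.168.200.0/24", "192.168.1.0/24")
    # Constructed allowlist: one SMB server and one DNS server on the LAN.
    allowlist = [("192.168.1.10", "tcp", 445), ("192.168.1.53", "udp", 53), ("192.168.1.53", "tcp", 53)]
    print(restore_file(forward_rules(allowlist)))
```

Load the output with `iptables-restore -n` (`--noflush`) so libvirt's existing rules stay in place. DHCP and DNS served by libvirt's dnsmasq on the bridge itself are INPUT traffic on the host, not FORWARD traffic, so they are unaffected by this chain; traffic between two VMs on the same bridge never passes FORWARD either.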
  • 4 months later...
On 3/28/2019 at 12:11 AM, ken-ji said:

You just need to create (and persist) a bridge device for your VMs to use.

Create an XML file (i.e. /tmp/lab-network.xml):


<network ipv6='yes'>
  <name>lab-network</name>
  <bridge name="virbr1" stp="on" delay="0"/>
</network>

Then you enable the network with

virsh net-define /tmp/lab-network.xml

virsh net-start lab-network

 

This will create a bridge virbr1, which you can assign to your VMs.

There will be a host interface virbr1-nic (but it will not be assigned an IP or anything of the sort automatically).

 

Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

Thanks, it works for the VM, but my Docker doesn't see the new interface.

1 hour ago, JamesAdams said:

Thanks, it works for the VM, but my Docker doesn't see the new interface.

You need to tell docker about the new bridge by going to the Settings | Docker Menu. Stopping the docker engine will then let you edit the networks and allow you to define the IP and gateways for the internal network.


It's been a while, but I think the docker settings page limits which network interfaces it will display.

You need to enable "Preserve user defined networks" in the Docker Settings, then in the command line run something like

docker network create \
-o parent=virbr1 \
--driver macvlan \
--subnet 192.168.1.0/24 \
--ip-range 192.168.1.128/25 \
--gateway 192.168.1.1 \
labnet

Adjust the IPs to your needs. Unfortunately, docker won't let you create a network without a gateway defined and imposes a few other annoying constraints on docker networks.

On 6/4/2020 at 11:40 PM, ken-ji said:

It's been a while, but I think the docker settings page limits which network interfaces it will display.

You need to enable "Preserve user defined networks" in the Docker Settings, then in the command line run something like

docker network create \
-o parent=virbr1 \
--driver macvlan \
--subnet 192.168.1.0/24 \
--ip-range 192.168.1.128/25 \
--gateway 192.168.1.1 \
labnet

Adjust the IPs to your needs. Unfortunately, docker won't let you create a network without a gateway defined and imposes a few other annoying constraints on docker networks.

OK thanks, I will test.

 

Do you know if, for the virtual network I created with your method, we can define a default IP, mask and gateway?

Because on this network I created a virtual router, which works when I put the IP manually in my W10 VM, but DHCP does not work: my VM takes the IP 169.254.88.156 by default while my network is in 192.168.0.0.

 


 

Thanks for your help.


I found the solution; I edited my network for that:

 

<network ipv6='yes'>
  <name>lab-network</name>
  <uuid>9076910b-63df-470f-862a-606414dd750a</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:a7:8f:4b'/>
  <ip address='192.168.0.0' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.0.11' end='192.168.0.20'/>
    </dhcp>
  </ip>
  <route address='192.168.0.0' prefix='24' gateway='192.168.0.10'/>
</network>

 

  • JorgeB changed the title to [SOLVED] How to create a virtual nic for internal/isolated use only?
  • 4 weeks later...

Hi, I have a virtual NIC in Unraid and I wish to add a VLAN to this virtual network, but I haven't found the solution...

 

my virtual nic:

 

<network ipv6='yes'>
  <name>lab-network</name>
  <uuid>9076910b-63df-470f-862a-606414dd750a</uuid>
  <bridge name='virbr1-lab' stp='on' delay='0'/>
  <mac address='52:54:00:a7:8f:4b'/>
  <ip address='192.168.0.1' netmask='255.255.255.0'>
  </ip>
  <route address='192.168.0.0' prefix='24' gateway='192.168.0.10'/>
</network>

 

Anyone have a solution?

  • 5 months later...
On 6/11/2020 at 3:29 PM, JamesAdams said:

I found the solution; I edited my network for that:

 


<network ipv6='yes'>
  <name>lab-network</name>
  <uuid>9076910b-63df-470f-862a-606414dd750a</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:a7:8f:4b'/>
  <ip address='192.168.0.0' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.0.11' end='192.168.0.20'/>
    </dhcp>
  </ip>
  <route address='192.168.0.0' prefix='24' gateway='192.168.0.10'/>
</network>

 

Can you tell me which file you edited?

  • 5 weeks later...
On 3/28/2019 at 12:11 AM, ken-ji said:

You just need to create (and persist) a bridge device for your VMs to use.

Create an XML file (i.e. /tmp/lab-network.xml):

<network ipv6='yes'>
  <name>lab-network</name>
  <bridge name="virbr1" stp="on" delay="0"/>
</network>

Then you enable the network with

virsh net-define /tmp/lab-network.xml

virsh net-start lab-network

 

This will create a bridge virbr1, which you can assign to your VMs.

There will be a host interface virbr1-nic (but it will not be assigned an IP or anything of the sort automatically).

 

Refer to https://libvirt.org/formatnetwork.html for more details on the XML file format.

Hi,

After I apply the XML I can't see the new network in the VM (when creating a new VM). What must I do?

 

Where I can edit this xml again?

 

  • 2 months later...

@ken-ji Hi, I'm trying to create another custom network with a bandwidth limit but I get this error. Do you have an idea, please?

 

root@JamesServer:/tmp# virsh net-start virbr1-lab
error: Failed to start network virbr1-lab
error: internal error: Child process (/usr/sbin/tc qdisc add dev virbr1-lab root handle 1: htb default 2) unexpected exit status 2: Error: Specified qdisc not found.

<network>
  <name>virbr1-lab</name>
  <uuid>03ca9ae6-8dbc-43b7-8e63-366b46926b20</uuid>
  <forward mode='nat'/>
  <bandwidth>
    <inbound average='625' peak='625' burst='625'/>
    <outbound average='625' peak='625' burst='625'/>
  </bandwidth>
  <bridge name='virbr1-lab' stp='on' delay='0'/>
  <mac address='52:54:00:c5:18:43'/>
  <ip address='192.168.50.1' netmask='255.255.255.248'>
    <dhcp>
      <range start='192.168.50.2' end='192.168.50.6'/>
    </dhcp>
  </ip>
</network>
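Several of the definitions in this thread would have been caught by a quick check before `virsh net-define`: the earlier one sets the bridge `<ip>` to 192.168.0.0, which is the network address of its /24 rather than a host address, and the one above adds `<bandwidth>`, which libvirt enforces with the HTB qdisc (the `tc qdisc add ... htb` call in the error) and so needs the sch_htb kernel module. The added linter below is not code from the thread; it parses a network definition and reports a `<forward>` on a network meant to stay isolated, an `<ip>` equal to the network or broadcast address, DHCP bounds outside the subnet, and a `<bandwidth>` element whose qdisc the host cannot supply. The HTB probe reads /sys/module and modinfo when present and otherwise reports that it could not check. The two embedded samples are the definitions posted in the thread with their uuid and mac lines dropped.

```python
"""Sanity-check a libvirt <network> definition before `virsh net-define`.

Added example, not code from the thread. Samples are the two definitions
posted in the thread (uuid/mac omitted).
"""
import ipaddress
import os
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Posted earlier in the thread: the <ip> address is the network address of the /24.
THREAD_DHCP_XML = """<network ipv6='yes'>
  <name>lab-network</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.0.0' netmask='255.255.255.0'>
    <dhcp><range start='192.168.0.11' end='192.168.0.20'/></dhcp>
  </ip>
</network>"""

# Posted above; failed with "Specified qdisc not found" because <bandwidth> needs HTB.
THREAD_BANDWIDTH_XML = """<network>
  <name>virbr1-lab</name>
  <forward mode='nat'/>
  <bandwidth>
    <inbound average='625' peak='625' burst='625'/>
    <outbound average='625' peak='625' burst='625'/>
  </bandwidth>
  <bridge name='virbr1-lab' stp='on' delay='0'/>
  <ip address='192.168.50.1' netmask='255.255.255.248'>
    <dhcp><range start='192.168.50.2' end='192.168.50.6'/></dhcp>
  </ip>
</network>"""


def htb_available():
    """True/False when the running host can tell us, None when it cannot (hint only)."""
    if os.path.isdir("/sys/module/sch_htb"):
        return True
    if shutil.which("modinfo"):
        r = subprocess.run(["modinfo", "sch_htb"], capture_output=True, text=True)
        return r.returncode == 0
    return None


def lint_network(xml_text: str, expect_isolated: bool = False) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    findings = []
    if expect_isolated and root.find("forward") is not None:
        findings.append("forward element present: guests can reach beyond the bridge")
    for ip in root.findall("ip"):
        addr, mask = ip.get("address"), ip.get("netmask") or ip.get("prefix")
        if not addr or not mask:
            continue
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"ip {addr} is the network or broadcast address of {net}; "
                            f"use a host address such as {net.network_address + 1}")
        for rng in ip.findall("dhcp/range"):
            start, end = (ipaddress.ip_address(rng.get(a)) for a in ("start", "end"))
            if start > end:
                findings.append(f"dhcp range {start}-{end} is reversed")
            for bound in (start, end):
                if bound not in net:
                    findings.append(f"dhcp bound {bound} is outside {net}")
    if root.find("bandwidth") is not None:
        htb = htb_available()
        if htb is False:
            findings.append("bandwidth element needs the HTB qdisc but sch_htb is not available on this host")
        elif htb is None:
            findings.append("bandwidth element needs the HTB qdisc; could not check sch_htb on this host")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("dhcp", THREAD_DHCP_XML), ("bandwidth", THREAD_BANDWIDTH_XML)):
        print(label, lint_network(xml_text, expect_isolated=True) or ["ok"])
```

Run it with `expect_isolated=True` for a lab network that must not reach the LAN; the `<forward mode='nat'/>` in the bandwidth-limited definition is then reported as well, since it is no longer the isolated network this thread started with.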
4 minutes ago, ken-ji said:

The error: "Specified qdisc not found" indicates that the qdisc modules are not installed/available. So this would probably be unsupported unless the modules are compiled and loaded in (either by Limetech or some plugin)

 

 

Thanks for your fast response 😀

 

Then there is suddenly no other way to limit the internet speed of a VM?

2 minutes ago, ken-ji said:

I think most users here limit VMs and dockers at the router level, which would have better control of the network than Unraid itself.

I could do that with my Mikrotik router, but I never needed to.

 

Ah, then I can't do that, because I created a virtual network that does not communicate with my LAN :(

