Old 09-13-2012, 08:32 PM
lee
 
Default networking with virtual machine

Hi,

since I'm not making any progress: I want to set up a VM (running
testing) that can be reachable from the outside over the network. I've
done that 2 years or so ago and I forgot how to do the networking setup,
and network configuration has changed in the meantime.

I need to somehow set up a bridge interface so the guest can tap into
it. I don't understand the docs I found about that. Looking at [1], I
can see that my physical network adaptor won't have an IP address
anymore and that there is only a bridge interface instead. This is
probably not what I want, and I remember I did it differently before,
after lots of experimenting.

So what I'm looking for is a good documentation that explains me how to
set up the network stuff. I've found contradictory ones ...


[1]: http://www.howtoforge.com/virtualization-with-kvm-on-a-debian-squeeze-server


--
Debian testing amd64


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87392lr7dj.fsf@yun.yagibdah.de
 
Old 09-13-2012, 11:10 PM
Rob Owens
 
Default networking with virtual machine

On Thu, Sep 13, 2012 at 10:32:40PM +0200, lee wrote:
> Hi,
>
> since I'm not making any progress: I want to set up a VM (running
> testing) that can be reachable from the outside over the network. I've
> done that 2 years or so ago and I forgot how to do the networking setup,
> and network configuration has changed in the meantime.
>
> I need to somehow set up a bridge interface so the guest can tap into
> it. I don't understand the docs I found about that. Looking at [1], I
> can see that my physical network adaptor won't have an IP address
> anymore and that there is only a bridge interface instead. This is
> probably not what I want, and I remember I did it differently before,
> after lots of experimenting.
>
If you're using Virtualbox, you don't need to set up a bridged interface
with regular Linux tools. You can just select "Bridged networking" for
your virtual machine and Virtualbox handles it.

In older versions of Virtualbox, it was necessary to set up a bridged
interface using Linux tools. Their documentation covered it fairly well
as I recall. I think that was in the version 1.x days. Maybe you can
find some of their old documentation.

-Rob


Archive: http://lists.debian.org/20120913231008.GC14050@aurora.owens.net
 
Old 09-14-2012, 12:48 AM
lee
 
Default networking with virtual machine

Rob Owens <rowens@ptd.net> writes:

> On Thu, Sep 13, 2012 at 10:32:40PM +0200, lee wrote:
>> Hi,
>>
>> since I'm not making any progress: I want to set up a VM (running
>> testing) that can be reachable from the outside over the network. I've
>> done that 2 years or so ago and I forgot how to do the networking setup,
>> and network configuration has changed in the meantime.
>>
>> I need to somehow set up a bridge interface so the guest can tap into
>> it. I don't understand the docs I found about that. Looking at [1], I
>> can see that my physical network adaptor won't have an IP address
>> anymore and that there is only a bridge interface instead. This is
>> probably not what I want, and I remember I did it differently before,
>> after lots of experimenting.
>>
> If you're using Virtualbox, you don't need to set up a bridged interface
> with regular Linux tools. You can just select "Bridged networking" for
> your virtual machine and Virtualbox handles it.
>
> In older versions of Virtualbox, it was necessary to set up a bridged
> interface using Linux tools. Their documentation covered it fairly well
> as I recall. I think that was in the version 1.x days. Maybe you can
> find some of their old documentation.

Oh I should have mentioned that I'm not using Virtualbox but qemu/kvm or
how it's called. That seems to suggest using a bridge[1], and I find
that very confusing. I understand that apparently I am supposed to
replace my currently used eth1 by a bridge device which uses eth1 and to
which I could add other physical devices like eth0. I don't understand
what the purpose of adding more physical devices would be and what I
actually get when I have such a bridge device and what all that has to
do with a guest.

It seems to me that having the bridge device in theory would somehow
magically enable me to give the guest an IP address in the same network
as the host is. That isn't what I want because I want the guest behind
the firewall which is on the host (using shorewall). Of course, I also
don't want to compromise eth1 in any way and don't want to have my
firewall somehow penetrated, which I have no idea about whether it could
happen or not with introducing a bridge device.

I don't get it, it doesn't make any sense to me. At this point, I don't
even know what questions I need to ask.


[1]: ... or allowing the guest access to a physical network card, about
which I don't know whether my hardware would support it or not ---
and I'd have to buy a network cable and plug that into the router
in which case the guest still won't be behind the firewall of the
host


--
Debian testing amd64


Archive: http://lists.debian.org/871ui51lax.fsf@yun.yagibdah.de
 
Old 09-14-2012, 09:29 AM
Chris Davies
 
Default networking with virtual machine

lee <lee@yun.yagibdah.de> wrote:
> That seems to suggest using a bridge[1], and I find that very
> confusing. I understand that apparently I am supposed to replace my
> currently used eth1 by a bridge device which uses eth1 and to which I
> could add other physical devices like eth0. I don't understand what the
> purpose of adding more physical devices would be and what I actually
> get when I have such a bridge device and what all that has to do with
> a guest.

Ah. Consider a bridge to be a software implementation of a network switch.

Currently your networking subsystem refers to eth1, which represents the
NIC itself. With a bridge, your networking subsystem would refer to a
bridge called br1 (say), and the bridge would connect to your eth1. (The
bridge name is completely arbitrary; you could call it eth3 if you really
wanted to.)

The reason you would use a bridge is because then each of your VMs could
also connect to the bridge and therefore to eth1, and your host system
and each of the VMs would have separate IP addresses, etc.


> It seems to me that having the bridge device in theory would somehow
> magically enable me to give the guest an IP address in the same network
> as the host is.

The guest would become visible to your network as a distinct entity
to the host, and could get an address using DHCP (if your network uses
this), etc.


> That isn't what I want because I want the guest behind the firewall
> which is on the host (using shorewall).

This is actually two unrelated things that you've squashed together. It
is completely possible for the host's firewall to restrict access to
a guest, regardless of whether the guest is hidden by the host or it
appears as an independent system on your network.

If you are going to use bridging, though, you do need to tell shorewall
about it. See http://www.shorewall.net/SimpleBridge.html

Your VM networking choices are these:

1. Bridge - allows the guest to appear on your network as a separate
entity to the host
2. NAT - hides the guest behind your host IP address; you'll need to
provide some form of proxying (port forwarding) on your host to
allow inbound connections to your guest
3. Internal networking - the guest can communicate only with the host
4. No networking - like it says

Chris


Archive: http://lists.debian.org/60abi9x6q4.ln2@news.roaima.co.uk
 
Old 09-14-2012, 06:03 PM
lee
 
Default networking with virtual machine

Chris Davies <chris-usenet@roaima.co.uk> writes:

> lee <lee@yun.yagibdah.de> wrote:
>> That seems to suggest using a bridge[1], and I find that very
>> confusing. I understand that apparently I am supposed to replace my
>> currently used eth1 by a bridge device which uses eth1 and to which I
>> could add other physical devices like eth0. I don't understand what the
>> purpose of adding more physical devices would be and what I actually
>> get when I have such a bridge device and what all that has to do with
>> a guest.
>
> Ah. Consider a bridge to be a software implementation of a network switch.
>
> Currently your networking subsystem refers to eth1, which represents the
> NIC itself. With a bridge, your networking subsystem would refer to a
> bridge called br1 (say), and the bridge would connect to your eth1. (The
> bridge name is completely arbitrary; you could call it eth3 if you really
> wanted to.)
>
> The reason you would use a bridge is because then each of your VMs could
> also connect to the bridge and therefore to eth1, and your host system
> and each of the VMs would have separate IP addresses, etc.

Still I can't imagine this. When I look at the drawing on [1], I see
that it doesn't apply because I do not have a configuration like that.
I have only eth1 connected to the internet (the router actually, but
that doesn't make a difference for this).

I do not want to bridge the internet transparently with the local
network, which seems to be what a bridge would do. It would be like
replacing this:


                                   |--- host A
Internet --- eth0 firewall eth1 ---|--- host B
                                   |--- host N


with this:


                            |--- con1 --- host A
Internet --- con0 switch ---|--- con2 --- host B
                            |--- conN --- host N


"con*" stands for the connector on the switch where I plug in the
network cable.

The difference to a switch would be that the switch doesn't show up
because it works transparently.

What I actually have is that:


Internet A                  (not in use)

Internet B --- router w/ FW |--- eth1 host A w/ shorewall
                            |--- ethX or wireless host B
                            |--- ethX or wireless host N

What I want is this:


Internet B --- router w/ FW --- eth1 host w/ shorewall xxx --- guest


"xxx" is a placeholder for some way to connect the guest which runs on
the host.

Ideally, I would bundle "Internet A" and "Internet B" to increase the
available bandwidth. It seemed to be so complicated that it didn't
appear worthwhile, given that "Internet A" is very slow. It is possible
to plug "Internet B" into eth0 (and run pppd on the host) while it's not
possible to plug "Internet A" into the host (because it's ADSL coming
over an ISDN phone line, so it has to come over the router). I have an
Intel e100 card laying around with two ports, so physical network
interfaces can be plenty. The router can get internet either through
the phone line or through an ethernet port. It only really needs that
when wireless is in use, which it usually isn't.

So I could have something like that:


Inet A --- router ---|
                     | --- eth0 & eth1 host A w/ shorewall eth2
Inet B --------------|                                       |
                                                             |
                                                             |
                       |-----------------|-----------|-------|
                       |                 |           |
                     host B            host C   guest on A


... if that isn't too complicated


[1]: http://www.shorewall.net/SimpleBridge.html


>> It seems to me that having the bridge device in theory would somehow
>> magically enable me to give the guest an IP address in the same network
>> as the host is.
>
> The guest would become visible to your network as a distinct entity
> to the host, and could get an address using DHCP (if your network uses
> this), etc.

Then how do I get it behind the firewall? It doesn't have a network
interface and even the host won't have one anymore.

I suspect what gives me trouble might be that I would take away a
network interface and replace it with some sort of unknown mess (the
bridge, which is some sort of melting pot) that somehow can have any IP
address it wants. That totally removes the order of things and leaves
me without a handle (a network interface).

>> That isn't what I want because I want the guest behind the firewall
>> which is on the host (using shorewall).
>
> This is actually two unrelated things that you've squashed together. It
> is completely possible for the host's firewall to restrict access to
> a guest, regardless of whether the guest is hidden by the host or it
> appears as an independent system on your network.

How can that be when they are like plugged into a switch, side by side?
The switch they are plugged in is directly connected to the internet
(the router) since the network cable is plugged into it as well.

> If you are going to use bridging, though, you do need to tell shorewall
> about it. See http://www.shorewall.net/SimpleBridge.html

This example seems to be something very different. It bridges eth1 and
eth2 transparently and uses eth0 to connect them to the internet through
a firewall. In my case, there is only one physical interface involved
which would be replaced by the bridge itself, which itself is connected
to the internet without anything in between. That seems to make it
impossible to separate hosts from the internet and from each other
because the bridge transparently melts everything together into one
network.

What am I missing?

Wouldn't it be much easier if I replaced eth0 with a bridge device so
that shorewall has two interfaces to work with? I would keep eth1 as is
now and simply add rules for the bridge device which uses eth0? And
since both eth0 and eth1 are physically installed on the same host, I
don't need to plug a network cable into eth0? IIRC, I did something
like that last time, but I also had some sort of tapping or tunnel thing
and I don't remember what that was for ...


--
Debian testing amd64


Archive: http://lists.debian.org/878vccwkgf.fsf@yun.yagibdah.de
 
Old 09-16-2012, 12:27 PM
James Allsopp
 
Default networking with virtual machine

Hi,
I think I had a similar problem. To solve the problem first you need to
set up a bridge, there's instructions in lots of places on how to do this,

auto br0
iface br0 inet static
    address 192.168.1.2
    network 192.168.1.0
    netmask 255.255.255.0
    # broadcast 192.168.0.255
    gateway 192.168.1.1
    bridge_ports eth0
    bridge_fd 0
    # bridge_hello 2
    # bridge_maxage 12
    bridge_stp off

Then you need to alter the VM's xml file,

<!-- attach the guest's NIC to the host bridge br0 defined above -->
<interface type='bridge'>
  <mac address='52:54:00:87:97:a6'/>
  <source bridge='br0'/>
</interface>

Hope this helps, and if you need any more information, just ask
James

Archive: http://lists.debian.org/5055C5B4.2020206@googlemail.com
 
Old 09-17-2012, 10:22 AM
Chris Davies
 
Default networking with virtual machine

lee <lee@yun.yagibdah.de> wrote:
> I do not want to bridge the internet transparently with the local
> network, which seems to be what a bridge would do. It would be like
> replacing this:
>                                    |--- host A
> Internet --- eth0 firewall eth1 ---|--- host B
>                                    |--- host N
> with this:
>                             |--- con1 --- host A
> Internet --- con0 switch ---|--- con2 --- host B
>                             |--- conN --- host N

No, not really. A bridge on your host is more like this:

                                            |--- con1+shorewall --- host
Internet --- eth1+shorewall --- [switch] ---|--- con2+shorewall --- guest A
                                            |--- con3+shorewall --- guest B
                                            |--- conN+shorewall --- guest N-1

Notice that shorewall applies to the interfaces, rather than only to
the host itself.


> What I want is this:
> Internet B --- router w/ FW --- eth1 host w/ shorewall xxx --- guest

You can do that either with bridging (see above), or routing like this:

                                                  |--- con1 --- guest A
Internet --- eth1+shorewall --- host --- [NAT] ---|--- con2 --- guest B
                                                  |--- conN --- guest N


> Ideally, I would bundle "Internet A" and "Internet B" to increase the
> available bandwidth.

That's a different issue. But there's no reason in principle why you
couldn't, for example, have the host using eth0 and the guests aggregated
via eth1. You can connect the NICs corresponding to eth0 and eth1
wherever you like.

Chris


Archive: http://lists.debian.org/97aji9xg7u.ln2@news.roaima.co.uk
 
Old 09-17-2012, 07:32 PM
lee
 
Default networking with virtual machine

Chris Davies <chris-usenet@roaima.co.uk> writes:

> lee <lee@yun.yagibdah.de> wrote:
>
> No, not really. A bridge on your host is more like this:
>
>                                             |--- con1+shorewall --- host
> Internet --- eth1+shorewall --- [switch] ---|--- con2+shorewall --- guest A
>                                             |--- con3+shorewall --- guest B
>                                             |--- conN+shorewall --- guest N-1
>
> Notice that shorewall applies to the interfaces, rather than only to
> the host itself.

Yes and when I replace the interface I have now (eth1) with a bridge
device (br1), then how do I tell shorewall that the guest is in the dmz
(for example)? Now I have in shorewall's rules file:


,----
| #ZONE INTERFACE BROADCAST OPTIONS
| net eth1 detect tcpflags,logmartians=1,nosmurfs
`----


The replacement would be something like:


,----
| #ZONE INTERFACE BROADCAST OPTIONS
| net br1 detect tcpflags,logmartians=1,nosmurfs
| dmz br1 detect tcpflags,logmartians=1,nosmurfs
`----


... which doesn't make sense. You cannot put a firewall/router between
computers that are all plugged into the same switch because they are
connected to each other by the switch (unless you separate the
connectors the switch has from each other and the firewall/router is in
the switch itself). With a bridge device, the computers are even
connected transparently as if there was no switch.

You say shorewall applies to interfaces and not to hosts and you say I
should have only one interface for several hosts. I could conclude that
shorewall doesn't apply to any of the hosts then because it applies to
interfaces. Therefore, I cannot have a firewall between the hosts
because they do not have distinct interfaces shorewall would apply to,
can I?

And I must be missing something unless you really need a physical
interface for each guest (or at least for every zone) to turn into a
bridge device and one interface for the host itself so that shorewall
can apply to all of them through their interfaces. Or is it what you're
saying, that I do need physical interfaces for what I'm trying to do?


>> Ideally, I would bundle "Internet A" and "Internet B" to increase the
>> available bandwidth.
>
> That's a different issue. But there's no reason in principle why you
> couldn't, for example, have the host using eth0 and the guests aggregated
> via eth1. You can connect the NICs corresponding to eth0 and eth1
> wherever you like.

In my case, I would really want to bundle the two lines to one line that
has more bandwidth. It's a different issue I looked into a while ago
and didn't exactly find worthwhile after getting an idea about how
complicated that would be.


--
Debian testing amd64


Archive: http://lists.debian.org/87pq5kzbr0.fsf@yun.yagibdah.de
 
Old 09-17-2012, 07:39 PM
lee
 
Default networking with virtual machine

James Allsopp <jamesaallsopp@googlemail.com> writes:

> Hi,
> I think I had a similar problem. To solve the problem first you need
> to set up a bridge, there's instructions in lots of places on how to

Yes, and how do I get shorewall to work with that?

> Then you need to alter the VM's xml file,

Oh I don't have one yet. It seems I need the bridge interface before
creating the VM, and I can't set that up before understanding this
bridge thing and how to get it to work with shorewall (unless I just use
the currently unused eth0 to make the bridge interface. I'm trying to
actually understand and figure it out, though. Perhaps I don't need to
kinda waste a physical interface, and perhaps it won't work.)


--
Debian testing amd64


Archive: http://lists.debian.org/87lig8zbfn.fsf@yun.yagibdah.de
 
Old 09-18-2012, 10:29 AM
Chris Davies
 
Default networking with virtual machine

lee <lee@yun.yagibdah.de> wrote:
> Yes and when I replace the interface I have now (eth1) with a bridge
> device (br1), then how do I tell shorewall that the guest is in the dmz
> (for example)?

You need "bridge" and "routeback" set in your shorewall interfaces file.

Take a look at http://www.shorewall.net/SimpleBridge.html and
http://www.shorewall.net/KVM.html. I think that the second reference
will be particularly useful for you - ignore the references to wlan0,
and replace "eth0" and "br0" with "eth1" and "br1" respectively.

Chris


Archive: http://lists.debian.org/62vli9xvgg.ln2@news.roaima.co.uk
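Added example, not code from this thread, from Shorewall or from Debian: a small Python audit that checks the host's ifupdown bridge stanza against the Shorewall interfaces file for the points the thread arrives at. James's stanza and lee's Shorewall excerpt are the models; the bridge carrying the guests must itself be declared to Shorewall with the "bridge" and "routeback" options Chris names, the rules should reference the bridge (br1) rather than the NIC enslaved to it (eth1), and the enslaved NIC must no longer carry its own address stanza. Both input files are constructed inline with the br1/eth1 names Chris suggested, and the parser understands only the four-column ZONE INTERFACE BROADCAST OPTIONS layout shown in lee's excerpt.

```python
"""Audit an ifupdown bridge stanza against a Shorewall interfaces file.

Added example, not code from the thread or from Shorewall. The two inputs
at the bottom are constructed; br1/eth1 are the names suggested in the
thread, not values from a real host.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Iface:
    """One 'iface' stanza from /etc/network/interfaces."""
    name: str
    method: str = ""                       # static, dhcp, manual, ...
    options: dict[str, str] = field(default_factory=dict)


def parse_ifupdown(text: str) -> dict[str, Iface]:
    """Collect the option lines following each 'iface NAME FAMILY METHOD'."""
    ifaces: dict[str, Iface] = {}
    current: Iface | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = ifaces.setdefault(words[1], Iface(words[1]))
            current.method = words[3]
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None                           # ends the stanza
        elif current is not None:
            current.options[words[0]] = " ".join(words[1:])
    return ifaces


def parse_shorewall(text: str) -> dict[str, set[str]]:
    """Map INTERFACE -> set of OPTIONS from a four-column interfaces file."""
    result: dict[str, set[str]] = {}
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if len(cols) < 2:
            continue
        opts = set(cols[3].split(",")) if len(cols) >= 4 and cols[3] != "-" else set()
        result.setdefault(cols[1], set()).update(opts)
    return result


def audit(ifupdown_text: str, shorewall_text: str) -> list[str]:
    """Return one finding per misconfiguration; an empty list means clean."""
    ifaces, sw = parse_ifupdown(ifupdown_text), parse_shorewall(shorewall_text)
    findings: list[str] = []
    for name, iface in ifaces.items():
        ports = [p for p in iface.options.get("bridge_ports", "").split() if p != "none"]
        if not ports:
            continue                                 # not a bridge
        if name not in sw:
            findings.append(f"{name}: bridge over {ports} is not declared to Shorewall; "
                            "guest traffic is switched past the host's rules")
        elif missing := {"bridge", "routeback"} - sw[name]:
            findings.append(f"{name}: Shorewall entry lacks option(s) {sorted(missing)}")
        for port in ports:
            if port in sw:
                findings.append(f"{port}: enslaved to {name} but still listed in Shorewall; "
                                f"rules should reference {name}")
            p = ifaces.get(port)
            if p and (p.method == "dhcp" or "address" in p.options):
                findings.append(f"{port}: bridge port of {name} still has its own address")
    return findings


# Constructed inputs (not from a real host). BEFORE keeps eth1's old stanza
# and Shorewall entry; AFTER moves both onto br1 with the two options set.
BEFORE_IFUPDOWN = """\
auto eth1
iface eth1 inet static
    address 192.168.1.2
    netmask 255.255.255.0
auto br1
iface br1 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    bridge_ports eth1
    bridge_stp off
"""
BEFORE_SHOREWALL = """\
#ZONE INTERFACE BROADCAST OPTIONS
net  eth1  detect  tcpflags,logmartians=1,nosmurfs
"""
AFTER_IFUPDOWN = """\
auto br1
iface br1 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    bridge_ports eth1
    bridge_fd 0
    bridge_stp off
"""
AFTER_SHOREWALL = """\
#ZONE INTERFACE BROADCAST OPTIONS
net  br1  detect  bridge,routeback,tcpflags,logmartians=1,nosmurfs
"""

if __name__ == "__main__":
    for label, a, b in (("before", BEFORE_IFUPDOWN, BEFORE_SHOREWALL),
                        ("after", AFTER_IFUPDOWN, AFTER_SHOREWALL)):
        print(f"[{label}]", *(audit(a, b) or ["no findings"]), sep="\n  ")
```

Run against the "before" pair it reports three findings (br1 unknown to Shorewall, eth1 still referenced there, eth1 still addressed); against the "after" pair it reports none. Assigning the guest's bridge port to a zone such as dmz is a separate step the thread points to in the Shorewall KVM page and is not checked here.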
 
