Software used:
Ubuntu server 11.10 with XFCE desktop
QEMU/KVM
Virtual Machine Manager and libvirt etc.
Hardware: Intel i7, 12 GByte RAM, 4 NICs
Problem:
I want to connect a guest firewall directly to my ISP. I'm using IPCop v2.0.0. It installs without problems as a qemu image, but connecting to the outside world is a huge problem.
First attempt: I tried to make connections with brctl bridges. This is working but contains a huge error. The host server is making contact with all the interfaces, which is not allowed, especially not with my ISP Internet interface. I have to connect to my ISP as a DHCP client with a certain name, and of course I want to put a firewall in between. Only the guest firewall MUST make the contact.
Second attempt: I tried VDE2 v2.3.3, but I cannot combine this with qemu-kvm and the physical NICs.
/etc/interfaces (Host):
auto eth3
iface eth3 inet manual
In the startup script of the virtual switch I put these lines (not complete):
vde_switch -s /tmp/vde -d -g vde2-net -M /tmp/vde/mi -f /etc/vde2/sw.conf
ifdown eth3
ip link set eth3 address <mac hw addr>
ifup eth3
vde_pcapplug -s /tmp/vde -d -g vde2-net --port=<x> eth3
sw.conf contains the setup of the virtual switch:
port/sethub 0 # 1=hub 0=switch
port/setnumports 16 # Total number of ports
#
# Prepare extra Vlan's
#
vlan/create 0001
vlan/create 0002
vlan/create 0003
#
# Create ports
#
port/create 1 # Green
port/create 2 # Green
port/create 3 # Green
port/create 4 # Green
p..............
...........
port/setvlan 7 0000
port/setvlan 8 0000
port/setvlan 9 0000
port/setvlan 10 0001
port/setvlan 11 0001
port/setvlan 12 0002
port/setvlan 13 0002
port/setvlan 14 0003
port/setvlan 15 0003
Result after making contact with vdeterm /tmp/vde/mi:
>vlan/allprint
........
VLAN 0001
-- Port 0012 tagged=0 active=0 status=Learning
........ (all the ports are the same)
>port/allprint
.......
Port 0012 untagged_vlan=001 INACTIVE - NOT Unnamed Allocatable
Current User: NONE Access COntrol: (User: NONE - Group: NONE)
In: pkts 0 bytes 0
OUT: pkts 0 bytes 0
........ (all the ports are the same)
In the end no NICs are connected to the ports. What am I doing wrong?
Second question is how to connect the VDE2 vlan=0000 to qemu-kvm guests and the host itself. It seems to be impossible to use Virtual Machine Manager v0.9.0 and/or libvirt. In VMM I can only see bridges.
vdeq (the vde qemu wrapper) is going to be obsolete, its use is advised against, and it doesn't give any result either.
(It's a pity I can't publish a small drawing...........)
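
The requirement in this post is that the host itself never speaks on the ISP-facing NIC. The following check is an added example, not part of the original post: it parses `ip -o addr show` output and lists every address the host holds on a given interface, including the IPv6 link-local address the kernel assigns by default when an `inet manual` interface is brought up. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# host_addrs_on IFACE
# Reads `ip -o addr show` output on stdin and prints "family address scope"
# for every L3 address the host has bound to IFACE. No output means the host
# has no address on that interface.
host_addrs_on() {
    awk -v ifc="$1" '
        $2 == ifc && ($3 == "inet" || $3 == "inet6") {
            scope = "unknown"
            for (i = 5; i < NF; i++)
                if ($i == "scope") scope = $(i + 1)
            print $3, $4, scope
        }'
}

# iface_is_silent IFACE
# Succeeds (exit 0) only when stdin shows no host address on IFACE.
iface_is_silent() {
    [ -z "$(host_addrs_on "$1")" ]
}

# Constructed sample of `ip -o addr show` output (documentation address
# ranges): eth3 is the ISP-facing NIC configured as "inet manual", br0 is a
# brctl bridge, eth2 has no address and therefore no line at all.
sample_ip_output() {
    cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
5: eth3    inet6 fe80::21b:21ff:fe00:3/64 scope link \       valid_lft forever preferred_lft forever
6: br0    inet 198.51.100.7/24 brd 198.51.100.255 scope global br0\       valid_lft forever preferred_lft forever
6: br0    inet6 fe80::21b:21ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Demo on the constructed sample. On a real host:
#   ip -o addr show | host_addrs_on eth3
sample_ip_output | host_addrs_on eth3
```

In the sample, eth3 carries no IPv4 address but still has a link-local IPv6 address, so the host is not silent on that wire; setting the sysctl net.ipv6.conf.eth3.disable_ipv6 to 1 before the link comes up prevents that address from being assigned.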