A bit about my setup: I'm primarily trying to understand all of this using nmcli, since that seems to be where RHEL 8 is heading. I'll try to bold my questions.
My LAN: 192.168.1.0/24, gateway 192.168.1.254 out to internet.
Host machine: CentOS 7, 2 NICs:
lan-eth (enp8s1) - static IP of 192.168.1.2, gateway: 192.168.1.254
Then I set up a bridge so I can put a VM on my main LAN with a 2nd NIC (enp5s0):
Code:
nmcli con add type bridge ifname external-bridge con-name external-bridge
nmcli con add type bridge-slave ifname enp5s0 master external-bridge
I assigned a static IP to the bridge with 192.168.1.3, rebooted.
---
I'm experimenting with various gateway/firewall software like pfsense, ipfire, and decided I wanted to understand it on a low level to approximate a router/gateway just with vanilla CentOS. So the plan is:
* One VM with 2 nics approximating a router, call it (gate):
NIC 1: DHCP, plugged into the external-bridge, as if it's plugged directly into my main LAN. My main router would assign an IP with DHCP, which simulates an IP assigned by an ISP.
NIC 2: NIC plugged into a *2nd* bridge (net2) on the host. This bridge acts as a 2nd subnet (192.168.2.0/24), and the IP of this NIC would be a static 192.168.2.1. It would act as a gateway for this 2nd net, running DHCP on NIC 2 for the 2nd net.
* N VMs that simulate hosts plugged into the net2 bridge. They're pretty simple hosts, one NIC, which get their net2 address from (gate). They can talk to all the other hosts on net2, or (key part that's broken) talk to the internet through gate, which forwards to my main LAN gateway 192.168.1.254, which forwards out to the net.
To accomplish this, I created the net2 bridge:
Code:
nmcli con add type bridge ifname net2 con-name net2
This created a bridge that nmcli seems to think is perpetually in a "connecting" state.
It's entirely valid for this bridge to not have its own IP, correct? I just want it to act as a simple switch between the net2 machines.
At first I thought I would need to manually add TAP devices that are slaves to the respective bridges, and the VMs would use these TAP devices. But it appears that virt-manager actually creates a new TAP device (vnetN) when you select a bridge for a VM's NIC.
Do I need to (is it possible to?) manually create TAP devices attached to bridges ahead of time for VMs?
I created the gate VM with one NIC in the external-bridge, selected when I added the NIC. Added another NIC and selected the net2 bridge, which is noted as empty. When this VM got launched, I see vnet0 assigned to the external bridge, but I do NOT see an expected vnet1 associated with the net2 bridge. Did I need to manually create this for some reason? I assigned a static address of 192.168.2.1 to the 2nd NIC, with a gateway of 192.168.1.254.
Seeing I was missing this tap device, I created another VM attached to the net2 bridge as if it were a host to be routed by the gate. Interestingly, a tap device showed up associated with the net2 bridge. I tried to ping 192.168.2.1 (the gate machine), but it would not ping. I rebooted gate, and interestingly, a vnet device showed up now that's in the net2 bridge.
So now I have my gate device acting as the router between 192.168.1.0/24 and 192.168.2.0/24, and I have a net2 host at 192.168.2.2. I can ping the gate from the net2 host, but I cannot ping any machines on my main LAN, which I would expect to be able to do because the gate would forward packets to the main LAN's gateway.
I enabled ipv4 forwarding on both my bare metal host, and on the gate vm. This is necessary, correct?
Overall, I just can't seem to get network traffic out of the net2 host. I'm not sure what I might have done wrong between the bare metal host, its bridges, and the gate vm. Any tips with this?
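The following is an added example, not code from the post above, that writes out the whole procedure the post describes as one provisioning script: the two bridges on the bare-metal host (nmcli), and the gate VM as a forwarding router with firewalld zones and a dnsmasq DHCP server on the net2 side. Everything beyond the post's own names is an assumption and is labelled as such in the script: inside gate the NICs are called eth0 (external-bridge side, DHCP) and eth1 (net2 side, 192.168.2.1); firewalld is the active firewall on gate; dnsmasq is the DHCP server; and the main LAN router 192.168.1.254 has no route back to 192.168.2.0/24, so gate masquerades net2 traffic behind its own 192.168.1.x address (the alternative is a static route for 192.168.2.0/24 via gate on 192.168.1.254). Two details the script is careful about: the net2-side NIC carries no gateway, so gate has exactly one default route, out eth0; and the net2 bridge on the host gets `ipv4.method disabled` so NetworkManager is not waiting for an address on it. Note also that nmcli has no `con create` verb; connections are created with `con add`.

```shell
#!/bin/sh
# Added example, not code from the original post. Provisions the two host
# bridges and the "gate" router VM described above with nmcli and firewalld
# on CentOS 7. Assumptions (not stated in the post): inside gate the NICs are
# eth0 (external-bridge side, DHCP) and eth1 (net2 side, static); firewalld is
# the active firewall on gate; dnsmasq is the net2 DHCP/DNS server; and the
# main LAN router 192.168.1.254 has no route back to 192.168.2.0/24, so gate
# masquerades (NATs) net2 traffic behind its own 192.168.1.x address.
#
# Usage (as root): DRY_RUN=0 ./net2-lab.sh host    (on the bare-metal host)
#                  DRY_RUN=0 ./net2-lab.sh gate    (inside the gate VM)
#                  ./net2-lab.sh check             (inside gate, read-only)
# With the default DRY_RUN=1 every command is printed instead of executed.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bare-metal host: external-bridge (on the main LAN) and net2 (isolated switch).
host_bridges() {
    # nmcli has no "create" verb; connections are created with "con add".
    run nmcli con add type bridge ifname external-bridge con-name external-bridge
    run nmcli con add type bridge-slave ifname enp5s0 master external-bridge
    run nmcli con mod external-bridge ipv4.method manual \
        ipv4.addresses 192.168.1.3/24 ipv4.gateway 192.168.1.254
    # net2 carries no host-side address at all: with ipv4.method disabled
    # NetworkManager is not waiting for a DHCP lease on the bridge.
    run nmcli con add type bridge ifname net2 con-name net2 \
        ipv4.method disabled ipv6.method ignore
    run nmcli con up external-bridge
    run nmcli con up net2
}

# Gate VM: eth0 gets its address from the main LAN's DHCP, eth1 is 192.168.2.1.
gate_router() {
    run nmcli con add type ethernet ifname eth0 con-name external \
        ipv4.method auto connection.zone external
    # No gateway on the net2 side: the only default route on gate must leave
    # via eth0 towards 192.168.1.254, so eth1 is marked never-default.
    run nmcli con add type ethernet ifname eth1 con-name internal \
        ipv4.method manual ipv4.addresses 192.168.2.1/24 \
        ipv4.never-default yes connection.zone internal
    # IPv4 forwarding, now and across reboots.
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c 'echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-forward.conf'
    # Masquerade on the external zone (the zone's default, set explicitly):
    # replies from the main LAN come back to gate's own 192.168.1.x address.
    run firewall-cmd --permanent --zone=external --add-masquerade
    # Let net2 clients reach the DHCP/DNS services gate runs on eth1.
    run firewall-cmd --permanent --zone=internal --add-service=dhcp
    run firewall-cmd --permanent --zone=internal --add-service=dns
    run firewall-cmd --reload
    run nmcli con up external
    run nmcli con up internal
}

# dnsmasq as the DHCP/DNS server for net2, bound to eth1 only (assumed choice).
gate_dhcp() {
    run sh -c 'printf "interface=eth1\nbind-interfaces\ndhcp-range=192.168.2.100,192.168.2.200,12h\ndhcp-option=option:router,192.168.2.1\n" > /etc/dnsmasq.d/net2.conf'
    run systemctl enable --now dnsmasq
}

# Read-only checks to run on gate when net2 hosts cannot get out.
gate_check() {
    run sysctl -n net.ipv4.ip_forward                    # expect 1
    run ip route show default                            # expect one route, via eth0
    run firewall-cmd --get-active-zones                  # eth0 external, eth1 internal
    run firewall-cmd --zone=external --query-masquerade  # expect yes
}

case "${1:-}" in
    host)  host_bridges ;;
    gate)  gate_router; gate_dhcp ;;
    check) gate_check ;;
    "")    ;;
    *)     echo "usage: $0 host|gate|check" >&2; exit 2 ;;
esac
```

Run it once with the default DRY_RUN=1 to review the exact command list before applying anything, then as root with DRY_RUN=0 on the host and inside gate. The `check` target is the first thing to look at when a net2 host can ping 192.168.2.1 but nothing beyond it: forwarding must read 1, there must be a single default route leaving eth0, and masquerade must be active on the external zone (or, without masquerade, 192.168.1.254 must hold a route for 192.168.2.0/24 pointing at gate's external address).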