On Wed, Jun 12, 2024 at 09:22:10PM -0700, jrmu wrote:
> > TL,DR: add the VLAN interface to the veb device configured in /etc/vm.conf
> >
> > It depends a bit on the role you want your vmm host to play in that
> > network. Everything written below refers to the host, unless otherwise
> > specified.
>
> Thanks. I think I follow the basic idea of the setup.
>
> However, it appears to me that the virtual machine interfaces, which
> vm.conf(5) appears to constrain to be tap(4) interfaces, will not
> automatically have their vnet id set. Instead, each virtual machine will
> need to create its own vlan interface.
>
> Is there any way to avoid forcing the virtual machine to do that? To
> handle this entirely by the host?
>
> --
> jrmu
> IRCNow (https://ircnow.org)

Each switch you define in vm.conf is isolated by itself (and shows up as
a veb device on the host). So if you want to keep your VMs isolated, you
don't need to worry about VLANs at the VM level. If you want them
isolated among themselves, just define a switch for each one in vm.conf,
and then, in each VM, attach an interface to each switch. E.g.:

    switch "vm_A" {
        interface veb0
    }

    switch "vm_B" {
        interface veb1
    }

    vm "vm_A" {
        ...
        interface { switch "vm_A" }
    }

    vm "vm_B" {
        ...
        interface { switch "vm_B" }
    }

So now you have two VMs, each on its own separated network. And on the
host, you can decide what you connect to each of them, on veb0 and veb1,
respectively. No need for VLANs, so far.

Host <-> VM networking:

Want to route packets between your host and each VM? Just create (and
configure) a couple of vport interfaces, and add each of them to each
veb. Assuming you configured vio0 on vm_A to 192.168.10.2/24 and vio0 on
vm_B to 192.168.11.2/24 (or some other addresses other than .1 on those
/24 subnets):

    # ifconfig vport0 create
    # ifconfig vport0 inet 192.168.10.1 netmask 255.255.255.0
    # ifconfig vport0 up
    # ifconfig veb0 add vport0

    # ifconfig vport1 create
    # ifconfig vport1 inet 192.168.11.1 netmask 255.255.255.0
    # ifconfig vport1 up
    # ifconfig veb1 add vport1

As long as each VM doesn't have a route for the _other_ VM's network,
they remain isolated. No need for VLANs so far.

Upstream VLANs:

Now, if you have a VLAN that you want to "attach" each VM to, you need
two things: to make your host "extract" those VLAN's packets from the
wire (by creating a vlan interface with the physical interface as the
parent), and then add that vlan interface to the respective veb. So, if
you want vm_A to be connected to VLAN 800 you'd do something like

    # ifconfig vlan800 create
    # ifconfig vlan800 vnetid 800 parent em0
    # ifconfig vlan800 up
    # ifconfig veb0 add vlan800

As I said earlier, you don't even need to configure an IP address for
the vlan800 interface. As long as the vio0 interface on the VM is
properly configured -- i.e. with an IP address and netmask compatible
with whatever is upstream from the host, on that VLAN -- you will now
have the VM sending/receiving packets on VLAN 800.

--
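
The layout described in the reply above, made persistent: an added example, not part of the thread, that renders hostname.if(5) contents for one veb per VM and refuses plans that would put two VMs on the same switch or the same upstream VLAN. The input format, the "== path" markers, the /24 netmask and the PARENT default of em0 are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): render hostname.if(5) contents for the
# one-veb-per-VM layout. Input format is constructed for this sketch:
#   <n> <vlan-id|-> <host-addr|->   -> veb<n>, optional vlan<id>, optional vport<n>
PARENT=${PARENT:-em0}   # physical parent interface, em0 as in the mail

render_plan() {
    seen_idx=" "; seen_vlan=" "
    while read -r n vlan addr; do
        [ -n "$n" ] || continue
        case "$n" in *[!0-9]*) echo "bad index: $n" >&2; return 1 ;; esac
        # One veb per VM: reusing an index would put two VMs on one switch.
        case "$seen_idx" in *" $n "*) echo "veb$n used twice" >&2; return 1 ;; esac
        seen_idx="$seen_idx$n "
        members=""
        if [ "${addr:--}" != "-" ]; then
            # /24 netmask assumed, matching the addresses in the mail.
            printf '== /etc/hostname.vport%s\ninet %s 255.255.255.0\nup\n' "$n" "$addr"
            members="${members}add vport$n\n"
        fi
        if [ "${vlan:--}" != "-" ]; then
            case "$vlan" in *[!0-9]*) echo "bad vlan: $vlan" >&2; return 1 ;; esac
            # 802.1Q reserves VLAN IDs 0 and 4095.
            if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 4094 ]; then
                echo "vlan out of range: $vlan" >&2; return 1
            fi
            # Bridging one upstream VLAN into two vebs would join those VMs at layer 2.
            case "$seen_vlan" in *" $vlan "*) echo "vlan $vlan used twice" >&2; return 1 ;; esac
            seen_vlan="$seen_vlan$vlan "
            printf '== /etc/hostname.vlan%s\nvnetid %s parent %s\nup\n' "$vlan" "$vlan" "$PARENT"
            members="${members}add vlan$vlan\n"
        fi
        # No address on the veb or vlan interface: the bridge only forwards frames.
        printf '== /etc/hostname.veb%s\n%bup\n' "$n" "$members"
    done
}

# Constructed sample: vm_A on VLAN 800 with host routing, vm_B host-only.
render_plan <<'EOF'
0 800 192.168.10.1
1 - 192.168.11.1
EOF
```

Each "== path" section is the body of one file under /etc; review the output before writing anything there.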