Re: NATed or Private Network Setups

2014-10-27 Thread Pete Wright


On 10/27/14 09:21, John Baldwin wrote:
> On Friday, October 24, 2014 04:08:27 PM Pete Wright wrote:
>> Hi All,
>> Has anyone deployed bhyve using NAT'd or private network setups?  I've
>> been able to deploy bridged interfaces, but I was wondering if anyone
>> has done other network topologies.  Is there anything preventing this
>> from happening code wise?  I reckon it could be achieved by creating a
>> pseudo interface?
> 
> I set up a bridge on my laptop and add all the tap interfaces for VMs as
> members to the bridge.  I use a /24 for the internal "LAN" for these
> interfaces and assign the .1 to the bridge0 interface itself.  I then run
> dnsmasq to provide DHCP/DNS to the VMs and use natd (ipfw_nat would also work)
> to allow the VMs NAT access to the outside world.  There are more details in
> an article in the most recent issue of the FreeBSD Journal, but I'll push that
> into the regular FreeBSD docs at some point as well.
> 
> With the dnsmasq setup, I put the vmname as the hostname so that it is sent in
> the dhclient request.  dnsmasq then adds local overrides for VMs while they
> are active.  (So you can 'ssh vm0' on the host, or from another vm.)  The
> 'host' entry in /etc/hosts is also snarfed up by dnsmasq so that within a vm I
> can use 'host' as a hostname (e.g. for NFS mounting something off of my
> laptop).
> 
> Some config file snippets:
> 
> /etc/sysctl.conf:
> 
> net.link.tap.up_on_open=1
> 
> /etc/rc.conf:
> 
> # bhyve setup
> autobridge_interfaces="bridge0"
> autobridge_bridge0="tap*"
> cloned_interfaces="bridge0 tap0 tap1 tap2"
> ifconfig_bridge0="inet 192.168.16.1/24"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="wlan0"
> dnsmasq_enable="YES"
> firewall_enable="YES"
> firewall_type="/etc/rc.firewall.pippin"
> 
> /etc/hosts:
> 
> 192.168.16.1    host
> 
> /etc/resolvconf.conf:
>  
> name_servers=127.0.0.1
> dnsmasq_conf=/etc/dnsmasq-conf.conf
> dnsmasq_resolv=/etc/dnsmasq-resolv.conf
> 
> /usr/local/etc/dnsmasq.conf:
> 
> domain-needed
> bogus-priv
> resolv-file=/etc/dnsmasq-resolv.conf
> interface=bridge0
> dhcp-range=192.168.16.10,192.168.16.200,12h
> conf-file=/etc/dnsmasq-conf.conf
> 
> /etc/rc.firewall.pippin:
> 
> # prevent inbound traffic for our guest /24
> add deny    all from any to 192.168.16.0/24 via em0
> add deny    all from any to 192.168.16.0/24 via wlan0
> 
> # divert packets between guest and outside world to natd
> add divert  natd all from any to any via wlan0
> 
> # prevent outbound traffic for our guest /24
> add deny    all from 192.168.16.0/24 to any via em0
> add deny    all from 192.168.16.0/24 to any via wlan0
> 
> # pass everything else
> add allow   all from any to any
> 
> (I have not figured out a way to have the NAT prefer em0 if present and fail 
> over to wlan0 if not, etc.)
> 



Thanks for this detailed explanation John!  Using dnsmasq sounds great,
especially for my environment since we already leverage it for openstack
on our linux systems extensively.

Cheers,
-pete

-- 
Pete Wright
p...@nomadlogic.org
twitter => @nomadlogicLA

___
freebsd-virtualization@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-virtualization
To unsubscribe, send any mail to 
"freebsd-virtualization-unsubscr...@freebsd.org"


Re: NATed or Private Network Setups

2014-10-27 Thread John Baldwin
On Friday, October 24, 2014 04:08:27 PM Pete Wright wrote:
> Hi All,
> Has anyone deployed bhyve using NAT'd or private network setups?  I've
> been able to deploy bridged interfaces, but I was wondering if anyone
> has done other network topologies.  Is there anything preventing this
> from happening code wise?  I reckon it could be achieved by creating a
> pseudo interface?

I set up a bridge on my laptop and add all the tap interfaces for VMs as 
members to the bridge.  I use a /24 for the internal "LAN" for these 
interfaces and assign the .1 to the bridge0 interface itself.  I then run 
dnsmasq to provide DHCP/DNS to the VMs and use natd (ipfw_nat would also work) 
to allow the VMs NAT access to the outside world.  There are more details in 
an article in the most recent issue of the FreeBSD Journal, but I'll push that 
into the regular FreeBSD docs at some point as well.

With the dnsmasq setup, I put the vmname as the hostname so that it is sent in 
the dhclient request.  dnsmasq then adds local overrides for VMs while they 
are active.  (So you can 'ssh vm0' on the host, or from another vm.)  The 
'host' entry in /etc/hosts is also snarfed up by dnsmasq so that within a vm I 
can use 'host' as a hostname (e.g. for NFS mounting something off of my 
laptop).

Some config file snippets:

/etc/sysctl.conf:

net.link.tap.up_on_open=1

/etc/rc.conf:

# bhyve setup
autobridge_interfaces="bridge0"
autobridge_bridge0="tap*"
cloned_interfaces="bridge0 tap0 tap1 tap2"
ifconfig_bridge0="inet 192.168.16.1/24"
gateway_enable="YES"
natd_enable="YES"
natd_interface="wlan0"
dnsmasq_enable="YES"
firewall_enable="YES"
firewall_type="/etc/rc.firewall.pippin"

/etc/hosts:

192.168.16.1    host

/etc/resolvconf.conf:
 
name_servers=127.0.0.1
dnsmasq_conf=/etc/dnsmasq-conf.conf
dnsmasq_resolv=/etc/dnsmasq-resolv.conf

/usr/local/etc/dnsmasq.conf:

domain-needed
bogus-priv
resolv-file=/etc/dnsmasq-resolv.conf
interface=bridge0
dhcp-range=192.168.16.10,192.168.16.200,12h
conf-file=/etc/dnsmasq-conf.conf

/etc/rc.firewall.pippin:

# prevent inbound traffic for our guest /24
add deny    all from any to 192.168.16.0/24 via em0
add deny    all from any to 192.168.16.0/24 via wlan0

# divert packets between guest and outside world to natd
add divert  natd all from any to any via wlan0

# prevent outbound traffic for our guest /24
add deny    all from 192.168.16.0/24 to any via em0
add deny    all from 192.168.16.0/24 to any via wlan0

# pass everything else
add allow   all from any to any

(I have not figured out a way to have the NAT prefer em0 if present and fail 
over to wlan0 if not, etc.)

-- 
John Baldwin


Re: NATed or Private Network Setups

2014-10-24 Thread Julian Elischer

On 10/25/14, 8:01 AM, John Nielsen wrote:

> On Oct 24, 2014, at 5:08 PM, Pete Wright  wrote:
> 
>> Hi All,
>> Has anyone deployed bhyve using NAT'd or private network setups?  I've
>> been able to deploy bridged interfaces, but I was wondering if anyone
>> has done other network topologies.  Is there anything preventing this
>> from happening code wise?  I reckon it could be achieved by creating a
>> pseudo interface?
> 
> Rather than supporting something like epair(4) directly, I believe the plan is 
> to allow connecting a bhyve VM to a user-space virtual switch on the host. 
> Neither is currently available to my knowledge.
> 
> For a NAT setup today you should be able to add your VM's tap(4) interface as 
> the only member of a bridge on the host and assign an IP address to the bridge 
> interface. Services like DHCP for this virtual subnet would need to also be 
> configured on the host in addition to whatever NAT you want to use.
> 
> For an internal-only network between two or more VMs on the host you could also 
> just use a bridge containing only the VM tap adapters. If you don't want the 
> host to participate in the network then don't put an IP on the bridge.

I discovered you can also use netgraph to hook to the tap interfaces,
which means that you can use the whole netgraph library of functions.
I did find out that it occasionally loses packets or something, so I
need to investigate more, but it did work.







Re: NATed or Private Network Setups

2014-10-24 Thread Allan Jude
On 2014-10-24 20:01, John Nielsen wrote:
> On Oct 24, 2014, at 5:08 PM, Pete Wright  wrote:
>>
>> Hi All,
>> Has anyone deployed bhyve using NAT'd or private network setups?  I've
>> been able to deploy bridged interfaces, but I was wondering if anyone
>> has done other network topologies.  Is there anything preventing this
>> from happening code wise?  I reckon it could be achieved by creating a
>> pseudo interface?
> 
> Rather than supporting something like epair(4) directly, I believe the plan 
> is to allow connecting a bhyve VM to a user-space virtual switch on the host. 
> Neither is currently available to my knowledge.
> 
> For a NAT setup today you should be able to add your VM's tap(4) interface as 
> the only member of a bridge on the host and assign an IP address to the 
> bridge interface. Services like DHCP for this virtual subnet would need to 
> also be configured on the host in addition to whatever NAT you want to use.
> 
> For an internal-only network between two or more VMs on the host you could 
> also just use a bridge containing only the VM tap adapters. If you don't want 
> the host to participate in the network then don't put an IP on the bridge.

This sets up stupid-simple NAT to allow a bhyve instance to talk to the
internet.  This is especially useful when your connection is wireless, so
you can't just bridge it.  Assumes IPFW is already loaded; note that it
loads with a default deny-all.

in /etc/rc.conf:

firewall_enable="YES"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging="YES"
gateway_enable="YES"


Run:

# this needs to be the same tap the bhyve uses, 1 per bhyve
# (a /30 leaves exactly one guest address, 10.0.9.2)
ifconfig tap0 create
ifconfig tap0 10.0.9.1/30

# Load the IPFW nat module if it isn't already
kldload ipfw_nat

# create an IPFW NAT instance on your internet interface
# (the instance number, 1 here, is arbitrary but must match the nat rules below)
ipfw nat 1 config if wlan0

# pass outbound traffic from the internal network through NAT
ipfw add 9001 nat 1 ip from 10.0.9.0/24 to any out via wlan0
ipfw add 9002 nat 1 ip from any to any in via wlan0


Then just configure the bhyve to have an IP in the 10.0.9.0/24 network


-- 
Allan Jude



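As an added example (not code from Allan's or John Baldwin's posts), the script below combines the two approaches in this thread: Allan's in-kernel "ipfw nat" instance and John's deny rules that keep the private guest subnet from ever appearing untranslated on the uplink. Before emitting any rules it checks that the host-side interface address, the NAT'd subnet and the nat "unreg_only" option agree with each other; the tap0 10.0.9.1/30 versus 10.0.9.0/24 mismatch above is the kind of thing it reports. All function and variable names (check_plan, gen_rules, DRY_RUN, and so on) are the example's own, and the ipfw rule numbers and nat instance id are assumptions, not values from the list.

```shell
#!/bin/sh
# Added example, not from the mailing-list posts.  Builds an ipfw(8) ruleset
# for a bhyve guest network behind an uplink, in the style of the thread:
# an in-kernel "nat" instance (Allan Jude) plus guest-isolation deny rules
# (John Baldwin).  Runs on any POSIX sh; only apply_plan without DRY_RUN
# touches the system, and that part needs root on FreeBSD.
set -u

# ip4_to_int 192.168.16.1 -> 3232239617
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 3232239616 -> 192.168.16.0
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_int 24 -> 4294967040 (0xffffff00)
mask_int() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# network_of 10.0.9.1/30 -> 10.0.9.0/30  (the subnet an interface address is in)
network_of() {
    addr=${1%/*}; plen=${1#*/}
    echo "$(int_to_ip4 $(( $(ip4_to_int "$addr") & $(mask_int "$plen") )))/$plen"
}

# in_subnet ADDR NET/PLEN -> 0 if ADDR falls inside NET/PLEN
in_subnet() {
    m=$(mask_int "${2#*/}")
    [ $(( $(ip4_to_int "$1") & m )) -eq $(( $(ip4_to_int "${2%/*}") & m )) ]
}

# is_rfc1918 NET/PLEN -> 0 if the whole block is private space.  "nat ...
# unreg_only" only translates private sources, so anything else would pass
# the nat rule untranslated.
is_rfc1918() {
    n=${1%/*}; p=${1#*/}
    { in_subnet "$n" 10.0.0.0/8     && [ "$p" -ge 8 ];  } ||
    { in_subnet "$n" 172.16.0.0/12  && [ "$p" -ge 12 ]; } ||
    { in_subnet "$n" 192.168.0.0/16 && [ "$p" -ge 16 ]; }
}

# check_plan HOST_ADDR/PLEN GUEST_NET/PLEN
#   0: consistent   1: host address is not inside the NAT'd subnet
#   2: NAT'd subnet is not RFC1918 (unreg_only would translate nothing)
#   3: NAT'd subnet is wider than the interface's own subnet (works, over-broad)
check_plan() {
    host=$1 guest=$2
    in_subnet "${host%/*}" "$guest" || return 1
    is_rfc1918 "$guest"             || return 2
    [ "$(network_of "$host")" = "$(network_of "$guest")" ] || return 3
    return 0
}

# gen_rules UPLINK GUEST_NET NAT_ID BASE -> ipfw commands, one per line.
# Order matters: the inbound deny sits before nat so nothing on the uplink
# can be addressed straight at guest space; the outbound deny sits after nat
# so a guest source that somehow reaches it untranslated is dropped, not
# leaked.  With net.inet.ip.fw.one_pass=1 (the default) a translated packet
# is accepted by the nat rule itself; with one_pass=0 it continues at BASE+3.
gen_rules() {
    uplink=$1 guest=$2 id=$3 base=$4
    printf 'nat %s config if %s unreg_only\n' "$id" "$uplink"
    printf 'add %s deny ip from any to %s in via %s\n' "$base" "$guest" "$uplink"
    printf 'add %s nat %s ip from %s to any out via %s\n' $((base + 1)) "$id" "$guest" "$uplink"
    printf 'add %s nat %s ip from any to any in via %s\n' $((base + 2)) "$id" "$uplink"
    printf 'add %s deny ip from %s to any out via %s\n' $((base + 3)) "$guest" "$uplink"
}

# apply_plan UPLINK HOST_ADDR/PLEN GUEST_NET/PLEN NAT_ID BASE
# Refuses inconsistent input; prints the rules when DRY_RUN is set, otherwise
# loads ipfw_nat and feeds each line to ipfw (word-splitting is intended).
apply_plan() {
    rc=0; check_plan "$2" "$3" || rc=$?
    case $rc in
        1) echo "host address $2 is outside the NAT'd subnet $3" >&2; return 1 ;;
        2) echo "$3 is not RFC1918: nat unreg_only would translate nothing" >&2; return 1 ;;
        3) echo "note: NAT'd subnet $3 is wider than the interface subnet $(network_of "$2")" >&2 ;;
    esac
    if [ -n "${DRY_RUN:-}" ]; then
        gen_rules "$1" "$3" "$4" "$5"
    else
        kldload -n ipfw_nat
        gen_rules "$1" "$3" "$4" "$5" | while read -r line; do ipfw -q $line; done
    fi
}

# Usage: DRY_RUN=1 sh natplan.sh wlan0 192.168.16.1/24 192.168.16.0/24 [NAT_ID] [BASE]
if [ $# -ge 3 ]; then
    apply_plan "$1" "$2" "$3" "${4:-1}" "${5:-9000}"
fi
```

Running it with DRY_RUN=1 against Allan's values (wlan0 10.0.9.1/30 10.0.9.0/24) prints the "wider than the interface subnet" note and the five commands; against John's values (wlan0 192.168.16.1/24 192.168.16.0/24) it is silent apart from the rules. Dropping DRY_RUN applies them, which is the only step that requires FreeBSD and root.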


Re: NATed or Private Network Setups

2014-10-24 Thread John Nielsen
> On Oct 24, 2014, at 5:08 PM, Pete Wright  wrote:
> 
> Hi All,
> Has anyone deployed bhyve using NAT'd or private network setups?  I've
> been able to deploy bridged interfaces, but I was wondering if anyone
> has done other network topologies.  Is there anything preventing this
> from happening code wise?  I reckon it could be achieved by creating a
> pseudo interface?

Rather than supporting something like epair(4) directly, I believe the plan is 
to allow connecting a bhyve VM to a user-space virtual switch on the host. 
Neither is currently available to my knowledge.

For a NAT setup today you should be able to add your VM's tap(4) interface as 
the only member of a bridge on the host and assign an IP address to the bridge 
interface. Services like DHCP for this virtual subnet would need to also be 
configured on the host in addition to whatever NAT you want to use.

For an internal-only network between two or more VMs on the host you could also 
just use a bridge containing only the VM tap adapters. If you don't want the 
host to participate in the network then don't put an IP on the bridge.


NATed or Private Network Setups

2014-10-24 Thread Pete Wright
Hi All,
Has anyone deployed bhyve using NAT'd or private network setups?  I've
been able to deploy bridged interfaces, but I was wondering if anyone
has done other network topologies.  Is there anything preventing this
from happening code wise?  I reckon it could be achieved by creating a
pseudo interface?

Thanks in advance!
-pete
-- 
Pete Wright
p...@nomadlogic.org
twitter => @nomadlogicLA
