NATed or Private Network Setups

Pete Wright pete at nomadlogic.org
Mon Oct 27 17:36:15 UTC 2014 


On 10/27/14 09:21, John Baldwin wrote:
> On Friday, October 24, 2014 04:08:27 PM Pete Wright wrote:
>> Hi All,
>> Has anyone deployed bhyve using NAT'd or private network setups?  I've
>> been able to deploy bridged interfaces, but I was wondering if anyone
>> has done other network topologies.  Is there anything preventing this
>> from happening code wise?  I reckon it could be achieved by creating a
>> pseudo interface?
> 
> I setup a bridge on my laptop and add all the tap interfaces for VMs as 
> members to the bridge.  I use a /24 for the internal "LAN" for these 
> interfaces and assign the .1 to the bridge0 interface itself.  I then run 
> dnsmasq to provide DHCP/DNS to the VMs and use natd (ipfw_nat would also work) 
> to allow the VMs NAT access to the outside world.  There are more details in 
> an article in the most recent issue of the FreeBSD Journal, but I'll push that 
> into the regular FreeBSD docs at some point as well.
> 
> With the dnsmasq setup, I put the vmname as the hostname so that it is sent in 
> the dhclient request.  dnsmasq then adds local overrides for VMs while they 
> are active.  (So you can 'ssh vm0' on the host, or from another vm.)  The 
> 'host' entry in /etc/hosts is also snarfed up by dnsmasq so that within a vm I 
> can use 'host' as a hostname (e.g. for NFS mounting something off of my 
> laptop).
> 
> Some config file snippets:
> 
> /etc/sysctl.conf:
> 
> net.link.tap.up_on_open=1
> 
> /etc/rc.conf:
> 
> # bhyve setup
> autobridge_interfaces="bridge0"
> autobridge_bridge0="tap*"
> cloned_interfaces="bridge0 tap0 tap1 tap2"
> ifconfig_bridge0="inet 192.168.16.1/24"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="wlan0"
> dnsmasq_enable="YES"
> firewall_enable="YES"
> firewall_type="/etc/rc.firewall.pippin"
> 
> /etc/hosts:
> 
> 192.168.16.1            host
> 
> /etc/resolvconf.conf:
>  
> name_servers=127.0.0.1
> dnsmasq_conf=/etc/dnsmasq-conf.conf
> dnsmasq_resolv=/etc/dnsmasq-resolv.conf
> 
> /usr/local/etc/dnsmasq.conf:
> 
> domain-needed
> bogus-priv
> resolv-file=/etc/dnsmasq-resolv.conf
> interface=bridge0
> dhcp-range=192.168.16.10,192.168.16.200,12h
> conf-file=/etc/dnsmasq-conf.conf
> 
> /etc/rc.firewall.pippin:
> 
> # prevent inbound traffic for our guest /24
> add     deny    all from any to 192.168.16.0/24 via em0
> add     deny    all from any to 192.168.16.0/24 via wlan0
> 
> # divert packets between guest and outside world to natd
> add     divert  natd all from any to any via wlan0
> 
> # prevent outbound traffic for our guest /24
> add     deny    all from 192.168.16.0/24 to any via em0
> add     deny    all from 192.168.16.0/24 to any via wlan0
> 
> # pass everything else
> add     allow   all from any to any
> 
> (I have not figured out a way to have the NAT prefer em0 if present and fail 
> over to wlan0 if not, etc.)
> 



Thanks for this detailed explanation John!  Using dnsmasq sounds great,
especially for my environment since we already leverage it for openstack
on our linux systems extensively.

Cheers,
-pete

-- 
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

More information about the freebsd-virtualization mailing list