I want to run a qemu-kvm guest with Debian 9 as its OS on a Debian 10 host. The host is connected to the local network, and I would like the guest to be "visible" to the local network as if it were a regular device connected directly to the network. To this end, I configured a bridge named br0 on the host by editing /etc/network/interfaces as follows:
auto lo iface lo inet loopback allow-hotplug eth0 auto eth0 iface eth0 inet manual up ifconfig eth0 promisc up down ifconfig eth0 promisc down auto br0 iface br0 inet static hwaddress ether 08:60:6e:69:4a:b5 address 192.168.1.11 netmask 255.255.255.0 gateway 192.168.1.1 bridge_ports eth0 bridge_stp on bridge_fd 0 The MAC address configured for the bridge is the same as that of my eth0 interface.
My host's networking seems to work fine after this change.
Using sudo virsh edit debian9 (where debian9 is the name of the guest), I edited the default network interface as follows:
<interface type='bridge'> <mac address='52:54:00:bc:8c:97'/> <source bridge='br0'/> <model type='virtio'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> Inside the guest, I assigned a static IP address by editing /etc/network/interfaces as follows, as it did not seem to receive an IP address using DHCP:
source /etc/network/interfaces.d/* auto lo iface lo inet loopback allow-hotplug enp1s0 auto enp1s0 iface enp1s0 inet static address 192.168.1.13 netmask 255.255.255.0 gateway 192.168.1.1 The guest seems to show up correctly in the br0 bridge on the host when I do sudo brctl show:
bridge name bridge id STP enabled interfaces br0 8000.08606e694ab5 yes eth0 vnet0 docker0 8000.024202321e8f no veth7291e29 virbr0 8000.5254005aa541 yes virbr0-nic The host can now correctly connect to the guest (e.g., using ping or ssh), and the guest can correctly connect to the host, but other devices on the same local network cannot access the guest, or the other way around.
I suspect this must be due to some firewall/routing issue on the host, but am not sure how to diagnose this further. The following is the output of iptables -S on the host. I did not configure any iptables rules myself: most of them are related to libvirt's default NAT network, or a docker installation on the host:
-P INPUT ACCEPT -P FORWARD DROP -P OUTPUT ACCEPT -N DOCKER -N DOCKER-ISOLATION-STAGE-1 -N DOCKER-ISOLATION-STAGE-2 -N DOCKER-USER -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT -A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8050 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN Does anyone have any suggestions as to how I might get the guest to become "visible" on the local network?
