5

I'm trying to get a guest virtual machine connected to my network using bridging. I've come across a couple of resources online, but they seem to be out of date, deal with Xen or Ubuntu, or don't seem to be complete. The host is running CentOS 5.5 and I'm using libvirt to manage the VMs, so I use it to create the VMs and start and stop them. I have the bridge created (br0) and have attached eth0 to it. The VM doesn't seem to get an IP address. I want to use DHCP for addresses; I'll set up a static lease for the VM.

ifconfig from the host:

br0   Link encap:Ethernet  HWaddr 00:1A:4D:53:C3:A6  
      inet addr:192.168.1.121  Bcast:192.168.1.255  Mask:255.255.255.0
      inet6 addr: fe80::21a:4dff:fe53:c3a6/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:5222 errors:0 dropped:0 overruns:0 frame:0
      TX packets:470 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:753743 (736.0 KiB)  TX bytes:47868 (46.7 KiB)

eth0  Link encap:Ethernet  HWaddr 00:1A:4D:53:C3:A6  
      inet6 addr: fe80::21a:4dff:fe53:c3a6/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:103200 errors:0 dropped:0 overruns:0 frame:0
      TX packets:116575 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:13605883 (12.9 MiB)  TX bytes:63269448 (60.3 MiB)
      Interrupt:217 Base address:0xc000 

eth1  Link encap:Ethernet  HWaddr 00:1B:21:0A:25:AA  
      inet addr:192.168.1.91  Bcast:192.168.1.255  Mask:255.255.255.0
      inet6 addr: fe80::21b:21ff:fe0a:25aa/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:3124648 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1693433 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100 
      RX bytes:4531121842 (4.2 GiB)  TX bytes:119907573 (114.3 MiB)

lo    Link encap:Local Loopback  
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:27294 errors:0 dropped:0 overruns:0 frame:0
      TX packets:27294 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:34266420 (32.6 MiB)  TX bytes:34266420 (32.6 MiB)

virbr0 Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
       inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
       inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       RX packets:51332 errors:0 dropped:0 overruns:0 frame:0
       TX packets:89020 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:0 
       RX bytes:2916963 (2.7 MiB)  TX bytes:132997389 (126.8 MiB)

vnet0  Link encap:Ethernet  HWaddr FE:52:00:1A:C8:4F  
       inet6 addr: fe80::fc52:ff:fe1a:c84f/64 Scope:Link
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       RX packets:25 errors:0 dropped:0 overruns:0 frame:0
       TX packets:518 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:500 
       RX bytes:4226 (4.1 KiB)  TX bytes:51190 (49.9 KiB)

The output of brctl show:

bridge name bridge id       STP enabled interfaces
br0         8000.001a4d53c3a6       no              vnet0
                                                    eth0
virbr0      8000.000000000000       yes

Output from route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
default         DD-WRT          0.0.0.0         UG    0      0        0 br0

Finally, here's the networking section of the VM I'm trying to configure:

<interface type='bridge'>
  <mac address='54:52:00:1a:c8:4f'/>
  <source bridge='br0'/>
</interface>

2 Answers

2

As you already figured out, you have everything right... It's a firewall problem. You can get around that by adding a rule to allow the traffic (as you did), turning off the firewall completely, or, as they do in newer versions of Fedora and RHEL, adding the following to /etc/sysctl.conf:

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Then run sysctl -p to apply those changes.
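
With the three keys above set to 0, bridged frames are no longer passed to the host's iptables, ip6tables and arptables rules, so the host firewall stops applying to guest traffic crossing br0. As an added example (not part of the original answer; the function names and the sample file are constructed), this script reports what a sysctl.conf-style file actually sets for those keys:

```shell
#!/bin/sh
# Added example: audit the bridge-netfilter keys in a sysctl.conf-style file.
# Function names and the sample file below are constructed for illustration.

# bridge_nf_value FILE KEY -> prints the last value assigned to KEY, or "unset"
bridge_nf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v              # a later assignment overrides
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# bridge_nf_audit FILE -> one line per key; returns 0 only if all three are 0
bridge_nf_audit() {
    rc=0
    for t in iptables ip6tables arptables; do
        key="net.bridge.bridge-nf-call-$t"
        val=$(bridge_nf_value "$1" "$key")
        case "$val" in
            0)     echo "$key=0: bridged frames bypass host $t rules" ;;
            unset) echo "$key unset: kernel default applies"; rc=1 ;;
            *)     echo "$key=$val: bridged frames are passed to host $t rules"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input: the fragment quoted in the answer above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
bridge_nf_audit "$sample"
rm -f "$sample"
```

Run `bridge_nf_audit /etc/sysctl.conf` on the host to see which of the three settings the file will apply at the next `sysctl -p`.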

1

KVM sets up its own bridge. This is the bridge virbr0. You should be able to configure how this is networked.

On the VM the interface should show up as eth0, not a bridge. This will be the other side of the vnet0 device.

I work on Ubuntu, where KVM will start up a DNSMasq server for the bridged network to hand out DHCP addresses. KVM will also play with iptables to configure access to the network for your VM.

Try removing the bridge you created and restarting the VM. I would expect it to get an address in the 192.168.122.0 range from what I see of your configuration.

I didn't like how KVM was interacting with my firewall, so did my own manual networking for KVM. My configuration uses a virtual bridge which isn't connected to an Ethernet interface. The KVM Networking page from the Ubuntu community may help you understand how KVM is doing networking now.

EDIT: I took a second look at the bridged networking. I am not sure why you have a 192.168.1.x address on eth1. Your configuration looks pretty much as I would expect. Try setting a static address on the VM to see if it can communicate.

To test to see what is happening with DHCP, I would try running tcpdump on br0 or eth0, watching for DHCP traffic or any traffic from MAC address 54:52:00:1a:c8:4f. Then try to get a DHCP address. You may need to enable STP on the bridge.

The reason I did my own networking was to enable access to my VMs from the outside. I run two bridges, one of which hosts my DMZ.

2
  • I was under the impression that the bridge that KVM creates is configured for NAT, not for bridging. If it's NAT, then I cannot access the VM from other hosts on the network. Commented Mar 6, 2011 at 2:40
  • I left br0 configured and was able to give the VM a static IP. I added the following iptables -I RH-Firewall-1-INPUT -i br0 -j ACCEPT to my host firewall rules and was able to get DHCP working. Commented Mar 8, 2011 at 1:45
