0

I have the following two networks:

<network>
  <name>subsys-network</name>
  <bridge name="virbr1"/>
  <forward mode="nat"/>
  <ip address="192.168.72.1" netmask="255.255.255.128">
    <dhcp>
      <range start='192.168.72.2' end='192.168.72.126'/>
    </dhcp>
  </ip>
</network>
<network>
  <name>gw-frontend-network</name>
  <bridge name="virbr2"/>
  <forward mode="nat"/>
  <ip address="172.22.10.1" netmask="255.255.255.128">
    <dhcp>
      <range start='172.22.10.2' end='172.22.10.126'/>
    </dhcp>
  </ip>
</network>

cat /proc/sys/net/ipv4/ip_forward returns 1

I could find the option of using a routed network but that would not have NAT for external network access.

How can I configure routing such that VMs on two networks can communicate with each other?

Currently, trying to ping 172.22.10.64 from 192.168.72.56 returns the following:

PING 172.22.10.64 (172.22.10.64) 56(84) bytes of data.
From 192.168.72.1 icmp_seq=1 Destination Port Unreachable
From 192.168.72.1 icmp_seq=2 Destination Port Unreachable
From 192.168.72.1 icmp_seq=3 Destination Port Unreachable
From 192.168.72.1 icmp_seq=4 Destination Port Unreachable
    You need to set up NAT rule on the host so that it doesn't do NAT for all addresses, but excludes the address ranges of the private networks. Then you need to make sure there aren't firewall rules that prevent traffic between these two networks. – Tero Kilkanen Sep 04 '22 at 07:47
  • So what's currently happening is that it does NAT for all addresses outside the subnet. Got it. Is there a way to configure it within libvirt API? – Iresh Dissanayaka Sep 04 '22 at 08:15
  • I am not familiar enough with libvirt, I don't know. – Tero Kilkanen Sep 04 '22 at 11:59

1 Answer

0

You can manually add the necessary firewall rules to allow communication between these two networks. You need to make two changes:

  1. Disable masquerading between the two networks, and
  2. Allow forwarding between the two networks

To fix (1), we need to add a pair of rules to the nat POSTROUTING chain (before the call to the LIBVIRT_PRT chain). So perhaps:

iptables -t nat -I POSTROUTING 1 -s 192.168.72.0/25 -d 172.22.10.0/25 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s 172.22.10.0/25 -d 192.168.72.0/25 -j ACCEPT

To fix (2), we need rules in the filter FORWARD chain before calls to the LIBVIRT_FWI or LIBVIRT_FWO chains:

iptables -I FORWARD 1 -s 172.22.10.0/25 -d 192.168.72.0/25 -j ACCEPT
iptables -I FORWARD 1 -s 192.168.72.0/25 -d 172.22.10.0/25 -j ACCEPT

Making those rules persistent is left as an exercise, since exactly how one does that varies by distribution and by firewall management tool.

larsks
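A shell script, added here as an example and not part of larsks's answer, that installs the same two rule pairs idempotently: it probes each rule with `iptables -C` before inserting, so it can be re-run (from a boot script, for instance) without stacking duplicate rules, and it prints both chains so you can confirm the rules sit ahead of libvirt's own chains. The subnets are the ones from the question; the `IPTABLES` variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original answer: install the two rule pairs
# idempotently. Subnets are the ones from the question; IPTABLES can be
# pointed at a wrapper (e.g. "echo") for a dry run.
set -eu

NET_A="${NET_A:-192.168.72.0/25}"   # subsys-network
NET_B="${NET_B:-172.22.10.0/25}"    # gw-frontend-network
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule TABLE CHAIN RULE...: insert RULE at position 1 of CHAIN unless an
# identical rule is already there. `iptables -C` exits non-zero when the rule
# is absent, which is what makes re-running this script safe.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table $chain $*"
    else
        "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
        echo "inserted: -t $table $chain $*"
    fi
}

# Both directions: skip masquerading in nat/POSTROUTING and permit traffic in
# filter/FORWARD. Position 1 keeps them ahead of LIBVIRT_PRT and LIBVIRT_FWI/FWO.
install_rules() {
    for pair in "$NET_A $NET_B" "$NET_B $NET_A"; do
        set -- $pair   # $1 = source subnet, $2 = destination subnet
        ensure_rule nat    POSTROUTING -s "$1" -d "$2" -j ACCEPT
        ensure_rule filter FORWARD     -s "$1" -d "$2" -j ACCEPT
    done
}

# Print both chains so the ordering relative to libvirt's chains can be checked.
show_rules() {
    "$IPTABLES" -t nat    -S POSTROUTING
    "$IPTABLES" -t filter -S FORWARD
}

case "${1:-}" in
    install) install_rules ;;
    show)    show_rules ;;
esac
```

Run it as `sh script.sh install` after the networks are up, then `sh script.sh show` to verify that the four ACCEPT rules appear before the `-j LIBVIRT_*` jumps.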