Hello,

I am a bit lost in the virtual networking stuff.

I have a linux machine (NixOs) which is a host and runs pfsense within Qemu-kvm.
The machine has 2 network interfaces. The first NIC is isolated, by putting it in passthrough mode, and solely accessible by pfsense and meant to be the WAN port.
The second NIC is meant to serve the home network.

In the end pfsense should be the dhcp server.



I started of by creating a bridge, nm-bridge, with nmtui and bind eth1 to that.
nm-bridge was getting an IP address from the home-router.
Pfsense was able to connect to nm-bridge and I saw a vnet0 appearing when executing brctl show.
Both from the host and pfsense-vm I was able to ping the network.

Here is where I miserably fail in knowledge.
Next step was to enable the dhcp server on pfsense and connect the virtual switch, openvswitch, to pfsense and eth1.

Somehow, due to the fact that vnet0 is a tun/tap device I was not allowed to connect the 2.

How should I approach this ?

best regards

Simon

Is the bridge over eth0&eth1 or eth1? Based on your picture, it is over eth0&eth1.

Apologies for the delayed reply.

The bridge is over eth0/eth1 indeed.

I want packets from the wan port (eth0), via pfsense, virtual bridge towards the lan port (eth1) and vice versa.

I went ahead and tried something with namespaces instead of virtual machines.
See figure.

My host can access the internet perfectly.

My namespace "namespace" can get an ip address via DHCP however can not ping.



routing looks to be OK and as well as iptables.
Both on the root namespace (host) and namespace.
Also ipv4.ip_forward is set to 1.

I tried to find a solution online. However for a novice on virtual networking it is sometimes hard to see the forest through the trees.

Can you ping the gateway?

No, I can not.

However I can ping the virtual switch (vswitch).

I get the idea my virtual switch, created with openvswitch, is not forwarding packets.


I did a :

What I saw was:



I created the switch with no additional options.

Adding eth1:


Since eth1 had no ip beforehand I executed

At this stage I could ping the veth1 port of the vswitch0.

Like you mentioned, two NIC cards for home LAN and Internet WAN are isolated. So the virtual switch can NOT be over eth0/eth1. The virtual switch is on layer 2 and bypass layer 3 functionality. You can try virtual switch over eth1 or home LAN.

Is your vswitch bridged with eth0?

Digging up this old thread again.

I did an experiment in a virtualbox before putting it on real hardware.

1. put the VM network in bridged mode. Which resembles the real world example.
Result, namespace can get an ip addres and generates resolv.conf.
No pinging to the gateway or outside world from within the namespace.

2. put the VM network in NAT mode
Result, namespace gets an ip address and generates resolv.conf and
pinging to the gateway or outside world is possible from within the namespace.

hmmm. What is going on here ???.

In 1) I can only ping the virtual switch.

Another experiment.

Using brctl insted of oopenVswitch.
Similar results.