# my kvm guest don't reach the Web

## lalebarde

Hi all,

Thought I read all of this :

1) http://en.gentoo-wiki.com/wiki/KVM

2) https://forums.gentoo.org/viewtopic-t-893308-start-0.html

3) http://shorewall.net/configuration_file_basics.htm

and made numerous trials, I cannot manage to join the network from my xp guest. I have roughly the same configuration than nordic bro in (2), mainly except I use wlan0 with dhcp instead of eth0 with static ip :

```
# uname -a

Linux PCCARO 3.3.8-gentoo #16 SMP PREEMPT Sun Sep 2 13:49:27 CEST 2012 x86_64 Intel(R) Core(TM) i7 CPU 870 @ 2.93GHz GenuineIntel GNU/Linux
```

Versions : net-firewall/shorewall-4.4.23.2,  app-emulation/qemu-kvm-1.1.1-r1

Running : Host (of course), kvm_intel, kvm, tun, guest (windows xp)

Fails : ping guest gateway at 192.168.99.1 or any web server like www.google.fr, http through Internet Explorer. If I stop shorewall, and perform a iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE, repear the guest connection from the windows control panel, nothing is changed.

I launch the guest with : 

```
qemu-kvm -hda /var/virtual/WindowsXP.img -cdrom /dev/cdrom -m 1024 -name xp -net nic,macaddr=00:00:00:00:00:22 -net tap,ifname=qtap0,script=no,downscript=no
```

ifconfig :

```
br0       Link encap:Ethernet  HWaddr 52:54:00:12:34:56  

          inet addr:192.168.99.1  Bcast:192.168.99.255  Mask:255.255.255.0

          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link

          UP BROADCAST MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:0 (0.0 B)  TX bytes:328 (328.0 B)

eth0      Link encap:Ethernet  HWaddr 00:25:64:f3:d0:e6  

          UP BROADCAST MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          Interrupt:17 

lo        Link encap:Local Loopback  

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:467 errors:0 dropped:0 overruns:0 frame:0

          TX packets:467 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:43349 (42.3 KiB)  TX bytes:43349 (42.3 KiB)

qtap0     Link encap:Ethernet  HWaddr 52:54:00:12:34:56  

          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link

          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:5 overruns:0 carrier:0

          collisions:0 txqueuelen:500 

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:e0:4c:82:08:8a  

          inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0

          inet6 addr: fe80::2e0:4cff:fe82:88a/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:4767 errors:0 dropped:0 overruns:0 frame:0

          TX packets:4921 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:4598616 (4.3 MiB)  TX bytes:655624 (640.2 KiB)
```

/etc/resolv.conf :

```
nameserver 212.27.40.241

nameserver 212.27.40.240
```

/etc/conf.d/net : 

```
dns_domain_lo="MAISON"

bridge_br0="qtap0"

brctl_br0="setfd 0" "stp off" 

rc_need_br0="net.qtap0"

config_eth0="192.168.0.99/24"

routes_eth0="default via 192.168.0.1"

dns_servers_eth0="212.27.40.240 212.27.40.241"

config_br0="192.168.99.1/24"

config_qtap0="null"

tuntap_qtap0="tap"

tunctl_qtap0="-u common"

mac_qtap0="52:54:00:12:34:56"

modules="wpa_supplicant"

wpa_supplicant_eth0="-Dwext"

config_wlan0=( "dhcp" ) 
```

/etc/init.d/kvm - from (1) - just changed br0 IP address and the tap interface name, qtap0 :

```
#!/sbin/runscript

# Copyright 1999-2012 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: $

NUM_OF_DEVICES=1

USERID="common"

depend() {

        need net

}

start() {

        ebegin "Loading the kvm module"

        /sbin/modprobe kvm

        eend $? "Failed to load the kvm module"

        ebegin "Loading the kvm_intel module"

        /sbin/modprobe kvm_intel

        eend $? "Failed to load the kvm_intel module"

        ebegin "Loading the tun module"

        /sbin/modprobe tun

        eend $? "Failed to load the tun module"

        ebegin "Setting up the bridge device (br0)"

        /sbin/brctl addbr br0

        /sbin/ifconfig br0 192.168.99.1 netmask 255.255.255.0 up

        eend $? "Failed to create the bridge interface"

        for ((i=0; i < NUM_OF_DEVICES; i++)); do

                ebegin "Setting up the tap interface: qtap$i"

                /usr/bin/tunctl -b -u $USERID -t qtap$i >/dev/null

                eend $? "Failed to create the tap interface: qtap$i"

                ebegin "Linking the bridge interface with qtap$i"

                /sbin/brctl addif br0 qtap$i

                eend $? "Failed to link the bridge interface to qtap$i"

                ebegin "Bring qtap$i interface up"

                /sbin/ifconfig qtap$i up 0.0.0.0 promisc

                eend $? "Failed to bring qtap$i up"

        done

        ebegin "Allowing Internet access"

        echo "1" > /proc/sys/net/ipv4/ip_forward 

        eend $? "Failed to allow forwarding"

        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

        eend $? "Failed to allow masquerade (eth0)"

        eend 0

}

stop() {

        for ((i=0; i < NUM_OF_DEVICES; i++)); do

                ebegin "Bring qtap$i interface down"

                /sbin/ifconfig qtap$i down

                eend $? "Failed to bring qtap$i down"

                ebegin "Unlinking the bridge interface with qtap$i"

                /sbin/brctl delif br0 qtap$i

                eend $? "Failed to unlink the bridge interface to qtap$i"

                ebegin "Removing the tap interface: qtap$i"

                /usr/bin/tunctl -d qtap$i >/dev/null

                eend $? "Failed to remove the tap interface: qtap$i"

        done

        ebegin "Stopping the bridge device (br0)"

        /sbin/ifconfig br0 down

        /sbin/brctl delbr br0

        eend $? "Failed to stop the bridge interface"

        ebegin "Unloading the tun module"

        /sbin/modprobe -r tun

        eend $? "Failed to unload the tun module"

        ebegin "Unloading the kvm_intel module"

        /sbin/modprobe -r kvm_intel

        eend $? "Failed to unload the kvm_intel module"

        ebegin "Unloading the kvm module"

        /sbin/modprobe -r kvm

        eend $? "Failed to unload the kvm module"

        ebegin "Stopping Internet access"

        echo "0" > /proc/sys/net/ipv4/ip_forward

        eend $? "Failed to cancel forwarding"

        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

        eend $? "Failed to remove masquerade (eth0)"

        eend 0

}

restart() {

        stop

        start

}
```

/etc/init.d/bridge_forward - from (1) : 

```
#!/sbin/runscript

# Copyright 1999-2012 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: $

depend() {

        need net.br0

}

start() {

        ebegin "Turning on forwarding for bridge interface"

        /sbin/sysctl net.ipv4.conf.br0.forwarding=1 >/dev/null 2>&1

        eend $?

}

stop() {

        ebegin "Turning off forwarding for bridge interface"

        /sbin/sysctl net.ipv4.conf.br0.forwarding=0 >/dev/null 2>&1

        eend $?

}

restart() {

        stop

        start

}
```

/etc/sysctl.conf - from (1)  :

```
net.ipv4.ip_forward = 0

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.rp_filter = 1

net.bridge.bridge-nf-call-arptables=0

net.bridge.bridge-nf-call-iptables=0

net.bridge.bridge-nf-call-ip6tables=0
```

rc-update show : 

```
                acpid |      default                 

            alsasound | boot                         

             bootmisc | boot                         

       bridge_forward |      default                 

          consolefont | boot                         

                cupsd |      default                 

                 dbus |      default                 

                devfs |                       sysinit

                dmesg |                       sysinit

                 fsck | boot                         

                  gpm |      default                 

              hddtemp |      default                 

             hostname | boot                         

              hwclock | boot                         

              keymaps | boot                         

            killprocs |              shutdown        

                  kvm |      default                 

                local |      default                 

           localmount | boot                         

              modules | boot                         

             mount-ro |              shutdown        

                 mtab | boot                         

             net.eth0 |      default                 

               net.lo | boot                         

            net.wlan0 |      default                 

             netmount |      default                 

                 ntpd |      default                 

               procfs | boot                         

                 root | boot                         

            savecache |              shutdown        

            shorewall |      default                 

                 swap | boot                         

               sysctl | boot                         

            syslog-ng |      default                 

         termencoding | boot                         

                 udev |                       sysinit

       udev-postmount |      default                 

              urandom | boot                         

           vixie-cron |      default                 

                 wicd |      default                 

                  xdm |      default        
```

I also tried after having suppressed eth0 and wlan0 since they are re-created thanks to dependencies, but it changes nothing, thought it may be more clean.      

/etc/conf.d/modules :

```
modules="tg3"

modules="usblp"

modules="coretemp"
```

On the guest :

IP          : 192.168.99.20

Mask      : 255.255.255.0

Gateway : 192.168.99.1

----------

## _______0

undo ALL crap u did, networking, etc. And with a clean, normal and proper net config on the host start ur vm like dis:

qemu-kvm -hda /var/virtual/WindowsXP.img -m 1G

bingo! intrawebz automagically working!

----------

## Mad Merlin

You say you're using wlan0 for your network connection, but your iptables rule is natting out to eth0 (and I see 0 bytes in and out on eth0, so I can only assume it's not plugged in).

In your /etc/init.d/kvm script try changing this to wlan0 instead of eth0:

```

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 

eend $? "Failed to allow masquerade (eth0)"

```

----------

## lalebarde

Thanks Mad Merlin, and sorry to answer so late.

 :Embarassed:   YES, I have replaced now eth0 by wlan0 - what have happenned is that I moved my box and my eth0 is not available anymore - I had to buy a wifi interface - and of course, I forgot to adapt my script.

Still it does not work.

Studying details, I read from the tunctl man pages that :  *Quote:*   

> -p 
> 
> Create a TAP type interface with Ethernet header. Automatically selected if the desired interface starts with "tap" or if no interface name is given.

  I assume this has importance since the last tuto I got information from use tap0 and not qtap0 (from other tuto).

Still it does not work.

Additional information : 

```
iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination         

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination         

eth0_masq  all  --  anywhere             anywhere            

wlan0_masq  all  --  anywhere             anywhere            

MASQUERADE  all  --  anywhere             anywhere            

Chain eth0_masq (1 references)

target     prot opt source               destination         

MASQUERADE  all  --  192.168.99.0/24      anywhere            

Chain wlan0_masq (1 references)

target     prot opt source               destination         

MASQUERADE  all  --  192.168.99.0/24      anywhere       
```

----------

## cach0rr0

in your host's /etc/conf.d/net, you only have qtap0 added to the bridge

which is not correct

the bridge should have both qtap0 *and* your actual NIC (eth0, wlan0, whichever)

that assumes your wireless NIC supports bridging - some do not.

have a look at my config here to see a working example

----------

## lalebarde

Thanks a lot for your answer cach0rr0,

 *cach0rr0 wrote:*   

> in your host's /etc/conf.d/net, you only have qtap0 added to the bridge which is not correct the bridge should have both qtap0 *and* your actual NIC (eth0, wlan0, whichever)

 

This is because I want to use MASQUERADE, as explained [url="http://en.gentoo-wiki.com/wiki/KVM#Enabling_the_access_to_Internet"]here[/url]. When I compare direct linking with masquerading, the first use bridge_br0="eth0 tap0" and the second bridge_br0="tap0". My understanding is that masquerading stealves tap0 with some netfilter magic so the link between eth0/wlan0 and tap0 does not appear in the net configuration. BTW, if you can post me a link that explains the internals of MASQUARADE, I am interested. I am very puzzled with how it works.

I made two things and now my VM can access the web :

1) change brctl_br0="setfd 0" "stp off" to brctl_br0="setfd 0 sethello 0 stp off"

2) remove shorewall, set all policies to ACCEPT in netfilter

I am not sure which one made it work..... I will come back and EDIT.

So, here is my full working configuration and call command :

```
# cat /etc/conf.d/net | nocomment

dns_domain_lo="MAISON"

bridge_br0="tap0"

brctl_br0="setfd 0 sethello 0 stp off" 

rc_need_br0="net.tap0"

config_eth0="192.168.0.99/24"

routes_eth0="default via 192.168.0.1"

dns_servers_eth0="212.27.40.240 212.27.40.241"

config_br0="192.168.99.1/24"

config_tap0="null"

tuntap_tap0="tap"

tunctl_tap0="-u common"

mac_tap0="52:54:00:12:34:56"

modules="wpa_supplicant"

wpa_supplicant_eth0="-Dwext"

config_wlan0=( "dhcp" ) 
```

```
# cat /etc/init.d/kvm | nocomment | grep -v ebegin | grep -v eend

NUM_OF_DEVICES=1

USERID="common"

DEV="wlan0"

depend() {

        need net

}

start() {

        /sbin/modprobe kvm

        /sbin/modprobe kvm_intel

        /sbin/modprobe tun

        /sbin/brctl addbr br0

        /sbin/ifconfig br0 192.168.99.1 netmask 255.255.255.0 up

        for ((i=0; i < NUM_OF_DEVICES; i++)); do

                /usr/bin/tunctl -b -u $USERID -t tap$i >/dev/null

                /sbin/brctl addif br0 tap$i

                /sbin/ifconfig tap$i up 0.0.0.0 promisc

        done

        echo "1" > /proc/sys/net/ipv4/ip_forward 

        iptables -t nat -A POSTROUTING -o $DEV -j MASQUERADE

}

stop() {

        for ((i=0; i < NUM_OF_DEVICES; i++)); do

                /sbin/ifconfig tap$i down

                /sbin/brctl delif br0 tap$i

                /usr/bin/tunctl -d tap$i >/dev/null

        done

        /sbin/ifconfig br0 down

        /sbin/brctl delbr br0

        /sbin/modprobe -r tun

        /sbin/modprobe -r kvm_intel

        /sbin/modprobe -r kvm

        echo "0" > /proc/sys/net/ipv4/ip_forward

        iptables -t nat -D POSTROUTING -o $DEV -j MASQUERADE

}

restart() {

        stop

        start

}
```

```
# ifconfig 

br0       Link encap:Ethernet  HWaddr 0e:b0:98:70:ad:2f  

          inet addr:192.168.99.1  Bcast:192.168.99.255  Mask:255.255.255.0

          inet6 addr: fe80::6495:9aff:fe42:e6c6/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:7413 errors:0 dropped:0 overruns:0 frame:0

          TX packets:10056 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:457416 (446.6 KiB)  TX bytes:14418532 (13.7 MiB)

eth0      Link encap:Ethernet  HWaddr 00:25:64:f3:d0:e6  

          UP BROADCAST MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          Interrupt:17 

lo        Link encap:Local Loopback  

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:5580 errors:0 dropped:0 overruns:0 frame:0

          TX packets:5580 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:452919 (442.3 KiB)  TX bytes:452919 (442.3 KiB)

tap0      Link encap:Ethernet  HWaddr 0e:b0:98:70:ad:2f  

          inet6 addr: fe80::cb0:98ff:fe70:ad2f/64 Scope:Link

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:7413 errors:0 dropped:0 overruns:0 frame:0

          TX packets:10071 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:500 

          RX bytes:561198 (548.0 KiB)  TX bytes:14419418 (13.7 MiB)

wlan0     Link encap:Ethernet  HWaddr 00:e0:4c:82:08:8a  

          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0

          inet6 addr: fe80::2e0:4cff:fe82:88a/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:20184 errors:0 dropped:0 overruns:0 frame:0

          TX packets:18426 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:23615078 (22.5 MiB)  TX bytes:2833311 (2.7 MiB)
```

In a user common shell :

```
$ qemu-kvm -hda /var/virtual/WindowsXP.img -cdrom /dev/cdrom -m 1024 -name xp -net nic,macaddr=00:00:00:00:00:22 -net tap,ifname=tap0,script=no,downscript=no
```

After a xhost + in my own shell to accept X requests from the user common.

I have now and again to study netfilter to have a working configuration.

----------

