# KVM on a Gentoo home router host with non-NAT bridged network

## mondjef

ok, I have been all over the net and back again and it is apparent that my networking knowledge needs to be improved.  I have a Gentoo Linux home router that I set up using the following guide, right down to the "T": http://www.gentoo.org/doc/en/home-router-howto.xml.  Now I would like to set up KVM virtualization on this machine (the host).  

Through numerous guides I have managed to configure the kernel as necessary and install the needed packages via emerge.  Now my problem is getting the network set up so that the guest OS can receive an IP address on the local network and is able to communicate with the outside and on the LAN.  For understanding how to go about setting up the network I have looked at the two following links for setting up bridged networking between the host and the guest, with no success: http://en.gentoo-wiki.com/wiki/KVM and http://www.linux-kvm.org/page/KvmOnGentoo.  When I set up the bridge I get no internet access from other clients connected to this Gentoo home router, and these clients can no longer SSH into the Gentoo home router; in other words it seems the clients connected to this router no longer receive IP addresses via DHCP.  Is there something that I am missing that would be unique to my setup...do I need to alter dnsmasq and/or iptables to get this to work?  Any help would be greatly appreciated.

Let me know if any config files are needed for understanding.

----------

## Hu

If I understand correctly, you are already using NAT for your real machines, but you want to bridge the guest.  Is this correct?  If so, why do you want to do this?  Mixing bridging with NAT can be done, but is often more complex than just using NAT consistently.

Please post the output of emerge --info app-emulation/qemu-kvm ; ps -efwwww | grep qemu ; iptables-save -c | cat -n; brctl show; ip addr show; grep -E '^[^#]' /path/to/dnsmasq.conf.

----------

## mondjef

*Hu wrote:*

> If I understand correctly, you are already using NAT for your real machines, but you want to bridge the guest.  Is this correct?  If so, why do you want to do this?  Mixing bridging with NAT can be done, but is often more complex than just using NAT consistently.
> 
> Please post the output of emerge --info app-emulation/qemu-kvm ; ps -efwwww | grep qemu ; iptables-save -c | cat -n; brctl show; ip addr show; grep -E '^[^#]' /path/to/dnsmasq.conf.

Hi Hu, thanks for helping me out, here is the info you requested.  Yes, I am already using NAT for my real machines; it is being provided by a Gentoo machine I set up as a home router.  It is this same machine I want to run some VMs on.  Some of the commands do not show much due to the fact I disabled the bridge because it is not working and I needed my internet back up in the meantime.  I have included my net configuration file so that you can see what I had set up for the bridge part.  I am not that strong when it comes to network topology and iptables, but I guess what I want is some sort of way to get the guest VM to be on the local LAN and be accessible like a regular machine and also be able to reach the internet.  Could I just create interfaces, get the guest OS to use them, and route traffic to them?  I am really confused when it comes to this stuff. 

```
Portage 2.1.10.44 (hardened/linux/amd64, gcc-4.5.3, glibc-2.13-r4, 2.6.37-gentoo-r4 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-2.6.37-gentoo-r4-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5600+-with-gentoo-2.0.3
Timestamp of tree: Sat, 28 Jan 2012 01:30:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.4-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.2
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo sunrise freeswitch xgr x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=k8 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="ftp://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ rsync://mirror.neolabs.kz/gentoo http://mirror.datapipe.net/gentoo ftp://mirror.datapipe.net/gentoo http://gentoo.mirrors.tds.net/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/freeswitch /var/lib/layman/xgr /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="a52 aac acl alsa amd64 berkdb bzip2 cddda cdparanoia cdr cli cracklib crypt cups curl cxx divx dri dvb dvd dvdr encode ffmpeg flac gdbm gif gpm gsm gzip hardened iconv ipv6 jpeg jpeg2k justify mad matroska matrox mmx modules mp3 mp4 mpeg mudflap multilib musepack musicbrainz mysql mysqli nas ncurses nls nptl nptlonly ogg openmp pam pax_kernel pcre perl php png pppd quicktime raw rawpack readline session shorten smp speex sse sse2 ssl sysfs tcpd theora threads tiff udev unicode urandom v4l vorbis wavpack wmf x264 xorg xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18" 
USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
=================================================================
                        Package Settings
=================================================================
app-emulation/qemu-kvm-0.15.1-r1 was built with the following:
USE="aio alsa curl hardened jpeg (multilib) ncurses png ssl threads vhost-net -bluetooth -brltty -debug (-esd) -fdt -nss -pulseaudio -qemu-ifup (-rbd) -sasl -sdl -spice -vde -xattr -xen" QEMU_SOFTMMU_TARGETS="i386 x86_64 (-arm) -cris (-m68k) -microblaze (-mips) -mips64 -mips64el -mipsel (-ppc) (-ppc64) -ppcemb -sh4 -sh4eb (-sparc) -sparc64" QEMU_USER_TARGETS="i386 x86_64 (-alpha) (-arm) -armeb -cris (-m68k) -microblaze (-mips) -mipsel (-ppc) (-ppc64) -ppc64abi32 -sh4 -sh4eb (-sparc) -sparc32plus -sparc64"
```

ps -efwwww | grep qemu

```
root      3411  3383  0 15:58 pts/1    00:00:00 grep --colour=auto qemu
```

iptables-save -c | cat -n

```
     1	# Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
     2	*raw
     3	:PREROUTING ACCEPT [261860734:203507743783]
     4	:OUTPUT ACCEPT [150497817:182355598803]
     5	COMMIT
     6	# Completed on Sat Jan 28 15:59:26 2012
     7	# Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
     8	*nat
     9	:PREROUTING ACCEPT [41768:2743402]
    10	:INPUT ACCEPT [34832:2305212]
    11	:OUTPUT ACCEPT [5495:382034]
    12	:POSTROUTING ACCEPT [99:18397]
    13	[2042246:134709496] -A POSTROUTING -o ppp0 -j MASQUERADE
    14	COMMIT
    15	# Completed on Sat Jan 28 15:59:26 2012
    16	# Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
    17	*mangle
    18	:PREROUTING ACCEPT [1878264:1540759585]
    19	:INPUT ACCEPT [1514621:1262881008]
    20	:FORWARD ACCEPT [363607:277873503]
    21	:OUTPUT ACCEPT [998247:831804787]
    22	:POSTROUTING ACCEPT [1361872:1109689028]
    23	:THESHAPER - [0:0]
    24	[1243665:74435420] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    25	[8172740:608021379] -A POSTROUTING -o ppp0 -j THESHAPER
    26	[7023821:376002484] -A THESHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length 0:64 -j CLASSIFY --set-class 0001:0002
    27	[10075:5456791] -A THESHAPER -p icmp -m length --length 512:65535 -j CLASSIFY --set-class 0001:0004
    28	[71952:15315906] -A THESHAPER -p icmp -m length --length 0:512 -j CLASSIFY --set-class 0001:0002
    29	[0:0] -A THESHAPER -p udp -m udp --sport 22 -j CLASSIFY --set-class 0001:0002
    30	[0:0] -A THESHAPER -p udp -m udp --dport 22 -j CLASSIFY --set-class 0001:0002
    31	[0:0] -A THESHAPER -p tcp -m tcp --sport 22 -j CLASSIFY --set-class 0001:0002
    32	[0:0] -A THESHAPER -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 0001:0002
    33	[0:0] -A THESHAPER -p udp -m udp --sport 23 -j CLASSIFY --set-class 0001:0002
    34	[0:0] -A THESHAPER -p udp -m udp --dport 23 -j CLASSIFY --set-class 0001:0002
    35	[0:0] -A THESHAPER -p tcp -m tcp --sport 23 -j CLASSIFY --set-class 0001:0002
    36	[0:0] -A THESHAPER -p tcp -m tcp --dport 23 -j CLASSIFY --set-class 0001:0002
    37	[0:0] -A THESHAPER -p udp -m udp --sport 53 -j CLASSIFY --set-class 0001:0002
    38	[20524:1361793] -A THESHAPER -p udp -m udp --dport 53 -j CLASSIFY --set-class 0001:0002
    39	[0:0] -A THESHAPER -p tcp -m tcp --sport 53 -j CLASSIFY --set-class 0001:0002
    40	[1:40] -A THESHAPER -p tcp -m tcp --dport 53 -j CLASSIFY --set-class 0001:0002
    41	[1:60] -A THESHAPER -p udp -m udp --sport 3389 -j CLASSIFY --set-class 0001:0002
    42	[0:0] -A THESHAPER -p udp -m udp --dport 3389 -j CLASSIFY --set-class 0001:0002
    43	[82:3280] -A THESHAPER -p tcp -m tcp --sport 3389 -j CLASSIFY --set-class 0001:0002
    44	[2:80] -A THESHAPER -p tcp -m tcp --dport 3389 -j CLASSIFY --set-class 0001:0002
    45	[0:0] -A THESHAPER -p udp -m udp --sport 5900 -j CLASSIFY --set-class 0001:0002
    46	[0:0] -A THESHAPER -p udp -m udp --dport 5900 -j CLASSIFY --set-class 0001:0002
    47	[41:1640] -A THESHAPER -p tcp -m tcp --sport 5900 -j CLASSIFY --set-class 0001:0002
    48	[0:0] -A THESHAPER -p tcp -m tcp --dport 5900 -j CLASSIFY --set-class 0001:0002
    49	[53643:34260376] -A THESHAPER -p udp -m udp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003
    50	[53633:34259746] -A THESHAPER -p udp -m udp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003
    51	[0:0] -A THESHAPER -p tcp -m tcp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003
    52	[0:0] -A THESHAPER -p tcp -m tcp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003
    53	[396629:78895914] -A THESHAPER -p udp -m udp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003
    54	[520345:104003244] -A THESHAPER -p udp -m udp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003
    55	[19995:799800] -A THESHAPER -p tcp -m tcp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003
    56	[1913:108855] -A THESHAPER -p tcp -m tcp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003
    57	[2:123] -A THESHAPER -p udp -m udp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003
    58	[0:0] -A THESHAPER -p udp -m udp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003
    59	[0:0] -A THESHAPER -p tcp -m tcp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003
    60	[3:120] -A THESHAPER -p tcp -m tcp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003
    61	[10:655] -A THESHAPER -p udp -m udp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003
    62	[0:0] -A THESHAPER -p udp -m udp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003
    63	[2:80] -A THESHAPER -p tcp -m tcp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003
    64	[4:160] -A THESHAPER -p tcp -m tcp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003
    65	[0:0] -A THESHAPER -p udp -m udp --sport 5004 -j CLASSIFY --set-class 0001:0003
    66	[0:0] -A THESHAPER -p udp -m udp --dport 5004 -j CLASSIFY --set-class 0001:0003
    67	[0:0] -A THESHAPER -p tcp -m tcp --sport 5004 -j CLASSIFY --set-class 0001:0003
    68	[0:0] -A THESHAPER -p tcp -m tcp --dport 5004 -j CLASSIFY --set-class 0001:0003
    69	[0:0] -A THESHAPER -p udp -m udp --sport 1720 -j CLASSIFY --set-class 0001:0003
    70	[0:0] -A THESHAPER -p udp -m udp --dport 1720 -j CLASSIFY --set-class 0001:0003
    71	[0:0] -A THESHAPER -p tcp -m tcp --sport 1720 -j CLASSIFY --set-class 0001:0003
    72	[0:0] -A THESHAPER -p tcp -m tcp --dport 1720 -j CLASSIFY --set-class 0001:0003
    73	[0:0] -A THESHAPER -p udp -m udp --sport 1731 -j CLASSIFY --set-class 0001:0003
    74	[0:0] -A THESHAPER -p udp -m udp --dport 1731 -j CLASSIFY --set-class 0001:0003
    75	[0:0] -A THESHAPER -p tcp -m tcp --sport 1731 -j CLASSIFY --set-class 0001:0003
    76	[0:0] -A THESHAPER -p tcp -m tcp --dport 1731 -j CLASSIFY --set-class 0001:0003
    77	[0:0] -A THESHAPER -p udp -m udp --sport 80 -j CLASSIFY --set-class 0001:0004
    78	[0:0] -A THESHAPER -p udp -m udp --dport 80 -j CLASSIFY --set-class 0001:0004
    79	[1949:332543] -A THESHAPER -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 0001:0004
    80	[885521:70397908] -A THESHAPER -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 0001:0004
    81	[0:0] -A THESHAPER -p udp -m udp --sport 443 -j CLASSIFY --set-class 0001:0004
    82	[0:0] -A THESHAPER -p udp -m udp --dport 443 -j CLASSIFY --set-class 0001:0004
    83	[0:0] -A THESHAPER -p tcp -m tcp --sport 443 -j CLASSIFY --set-class 0001:0004
    84	[6443382:364768277] -A THESHAPER -p tcp -m tcp --dport 443 -j CLASSIFY --set-class 0001:0004
    85	[1:68] -A THESHAPER -p udp -m udp --sport 8080 -j CLASSIFY --set-class 0001:0004
    86	[0:0] -A THESHAPER -p udp -m udp --dport 8080 -j CLASSIFY --set-class 0001:0004
    87	[55:7004] -A THESHAPER -p tcp -m tcp --sport 8080 -j CLASSIFY --set-class 0001:0004
    88	[0:0] -A THESHAPER -p tcp -m tcp --dport 8080 -j CLASSIFY --set-class 0001:0004
    89	[0:0] -A THESHAPER -p udp -m udp --sport 110 -j CLASSIFY --set-class 0001:0006
    90	[0:0] -A THESHAPER -p udp -m udp --dport 110 -j CLASSIFY --set-class 0001:0006
    91	[0:0] -A THESHAPER -p tcp -m tcp --sport 110 -j CLASSIFY --set-class 0001:0006
    92	[0:0] -A THESHAPER -p tcp -m tcp --dport 110 -j CLASSIFY --set-class 0001:0006
    93	[0:0] -A THESHAPER -p udp -m udp --sport 25 -j CLASSIFY --set-class 0001:0006
    94	[0:0] -A THESHAPER -p udp -m udp --dport 25 -j CLASSIFY --set-class 0001:0006
    95	[0:0] -A THESHAPER -p tcp -m tcp --sport 25 -j CLASSIFY --set-class 0001:0006
    96	[7:448] -A THESHAPER -p tcp -m tcp --dport 25 -j CLASSIFY --set-class 0001:0006
    97	[0:0] -A THESHAPER -p udp -m udp --sport 21 -j CLASSIFY --set-class 0001:0006
    98	[0:0] -A THESHAPER -p udp -m udp --dport 21 -j CLASSIFY --set-class 0001:0006
    99	[0:0] -A THESHAPER -p tcp -m tcp --sport 21 -j CLASSIFY --set-class 0001:0006
   100	[1036:57940] -A THESHAPER -p tcp -m tcp --dport 21 -j CLASSIFY --set-class 0001:0006
   101	[0:0] -A THESHAPER -p udp -m udp --sport 143 -j CLASSIFY --set-class 0001:0006
   102	[0:0] -A THESHAPER -p udp -m udp --dport 143 -j CLASSIFY --set-class 0001:0006
   103	[0:0] -A THESHAPER -p tcp -m tcp --sport 143 -j CLASSIFY --set-class 0001:0006
   104	[0:0] -A THESHAPER -p tcp -m tcp --dport 143 -j CLASSIFY --set-class 0001:0006
   105	[0:0] -A THESHAPER -p udp -m udp --sport 445 -j CLASSIFY --set-class 0001:0006
   106	[0:0] -A THESHAPER -p udp -m udp --dport 445 -j CLASSIFY --set-class 0001:0006
   107	[0:0] -A THESHAPER -p tcp -m tcp --sport 445 -j CLASSIFY --set-class 0001:0006
   108	[0:0] -A THESHAPER -p tcp -m tcp --dport 445 -j CLASSIFY --set-class 0001:0006
   109	[0:0] -A THESHAPER -p udp -m udp --sport 137:139 -j CLASSIFY --set-class 0001:0006
   110	[0:0] -A THESHAPER -p udp -m udp --dport 137:139 -j CLASSIFY --set-class 0001:0006
   111	[0:0] -A THESHAPER -p tcp -m tcp --sport 137:139 -j CLASSIFY --set-class 0001:0006
   112	[0:0] -A THESHAPER -p tcp -m tcp --dport 137:139 -j CLASSIFY --set-class 0001:0006
   113	[0:0] -A THESHAPER -p udp -m udp --sport 4662 -j CLASSIFY --set-class 0001:0006
   114	[0:0] -A THESHAPER -p udp -m udp --dport 4662 -j CLASSIFY --set-class 0001:0006
   115	[0:0] -A THESHAPER -p tcp -m tcp --sport 4662 -j CLASSIFY --set-class 0001:0006
   116	[0:0] -A THESHAPER -p tcp -m tcp --dport 4662 -j CLASSIFY --set-class 0001:0006
   117	[0:0] -A THESHAPER -p udp -m udp --sport 4664 -j CLASSIFY --set-class 0001:0006
   118	[0:0] -A THESHAPER -p udp -m udp --dport 4664 -j CLASSIFY --set-class 0001:0006
   119	[0:0] -A THESHAPER -p tcp -m tcp --sport 4664 -j CLASSIFY --set-class 0001:0006
   120	[0:0] -A THESHAPER -p tcp -m tcp --dport 4664 -j CLASSIFY --set-class 0001:0006
   121	[34:2191] -A THESHAPER -p udp -m udp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006
   122	[0:0] -A THESHAPER -p udp -m udp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006
   123	[3249:129960] -A THESHAPER -p tcp -m tcp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006
   124	[9:360] -A THESHAPER -p tcp -m tcp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006
   125	[22891:2931563] -A THESHAPER -s 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003
   126	[0:0] -A THESHAPER -d 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003
   127	COMMIT
   128	# Completed on Sat Jan 28 15:59:26 2012
   129	# Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
   130	*filter
   131	:INPUT ACCEPT [20526:17914607]
   132	:FORWARD DROP [14:1058]
   133	:OUTPUT ACCEPT [998250:831809631]
   134	[192628762:74859759957] -A INPUT -i eth0 -j ACCEPT
   135	[6192844:3014738098] -A INPUT -s 127.0.0.0/8 -j ACCEPT
   136	[5:1640] -A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
   137	[205:12566] -A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
   138	[17590730:3513609236] -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
   139	[59781:3179663] -A INPUT -p tcp -m tcp --dport 10000:20000 -j ACCEPT
   140	[2797011:1324915361] -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
   141	[2:92] -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
   142	[20143:13025745] -A INPUT -p udp -m udp --dport 5080 -j ACCEPT
   143	[0:0] -A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
   144	[525803:126748358] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
   145	[30093:1576700] -A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
   146	[1201:237338] -A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
   147	[69:4180] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
   148	[22774964:3726364438] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
   149	[28008662:28639477592] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
   150	COMMIT
   151	# Completed on Sat Jan 28 15:59:26 2012
```

brctl show

```
bridge name	bridge id		STP enabled	interfaces
```

ip addr show

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1b:21:3d:eb:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::21b:21ff:fe3d:eb49/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:24:1d:21:37:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::224:1dff:fe21:376e/64 scope link 
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN 
    link/sit 0.0.0.0 brd 0.0.0.0
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 206.248.160.14 peer 206.248.154.122/32 scope global ppp0
```

grep -E '^[^#]' /etc/dnsmasq.conf

```
domain-needed
bogus-priv
interface=eth0
dhcp-range=192.168.0.100,192.168.0.150,255.255.255.0,12h
```

/etc/conf.d/net

```
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d.  To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).

#setup eth1
config_eth1=( "192.168.0.2/24" )

#PPOE connection (WAN)
config_ppp0=( "ppp" )
link_ppp0="eth1"
plugins_ppp0=( "pppoe" )
username_ppp0="username"
password_ppp0="password"
pppd_ppp0=( #   "noauth"
"defaultroute"
"usepeerdns"
# "default-asyncmap"
# "ipcp-accept-remote"
# "ipcp-accept-local"
# "lcp-echo-interval 15"
# "lcp-echo-failure 3"
# "persist"
# "holdoff 5"
# "child-timeout 60"
# "mru 1492"
"mtu 1492"
#lock
 )
##     noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp
#rc_need_ppp0="net.eth1"

#setup lan
config_eth0="192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255"
#rc_need_br0="net.tap0"
#config_eth0="null" # any any other interfaces you want to bridge
#bridge_br0="eth0"
#config_br0="192.168.0.1/24"  # the ip of the original eth0, or dhcp
#brctl_br0=( "setfd 9" "sethello 2" "setmaxage 12" "stp off" )
```

----------

## Hu

Please use code tags to wrap output from commands.  It groups the output nicely and ensures a font that is often more suitable for large data dumps.

If you want other machines on the LAN to have access to the guest, then bridging is best.  You can do tricks with NAT/port forwarding to expose selected guest services to the LAN, but bridging will be cleaner in the long term.

Placing both NICs in a single subnet is rarely wise.  I suspect it only works for you now because of the use of PPP for your upstream.  It would help if you could show the output as it was when the setup was broken.  I have not run dnsmasq on an interface enslaved to a bridge, but I expect that it needs to be reconfigured to listen on br0.  I know that your firewall rules are written in such a way that the LAN clients will fail when you switch to the bridge.  Packets which arrive on an interface enslaved to a bridge use the name of the bridge, not the name of the enslaved interface, when performing matching.  Similarly, packets leaving through an enslaved interface will use the bridge name.  If you need to write a rule which knows which enslaved interface received the packet, you can use the physdev match to inspect that.  Thus, to use the bridge, you need to s/eth0/br0/ all your firewall rules.  Of course, if you change them in place, then they will work only when you use the bridge and will fail if you switch back to an unbridged setup.  Using a bridge with only a single port enslaved is fine, so after the rules are converted, everything should work independent of whether a guest is actually running at the time.
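The interface-naming point in Hu's reply above, as an added checker that is not part of the thread: it scans iptables-save output for `-i`/`-o` matches on the NIC about to be enslaved, rewrites only those tokens to the bridge name (a blanket s/eth0/br0/ would also touch addresses or comments), and flags the combination Hu is warning about, a negated `! -i eth0` rule rejecting DHCP, which stops matching "not the LAN" and starts matching every LAN client once eth0 sits behind br0. The sample rules are a constructed subset of the dump posted earlier in the thread; `physdev_form` is an assumption about how one would keep a per-port distinction using the physdev match Hu mentions.

```python
"""Audit iptables-save rules for -i/-o matches on an interface that is about to be
enslaved to a bridge.  Added example for this thread, not code from the thread."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the filter/nat rules from the router dump in the
# thread (counters dropped).  eth0 is the LAN NIC that will be enslaved to br0.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
COMMIT
"""

# One interface match: optional "! ", then -i/-o (or the long form), then the name.
# The lookbehind keeps it from firing inside tokens such as "icmp-port-unreachable".
IFACE_RE = re.compile(
    r"(?<!\S)(?P<neg>!\s+)?(?P<opt>-i|-o|--in-interface|--out-interface)\s+(?P<name>\S+)")


@dataclass
class Finding:
    table: str
    chain: str
    rule: str        # original rule line
    negated: bool    # True when the match is "! -i eth0" / "! -o eth0"
    rewritten: str   # same rule with the bridge name substituted


def _swap(line: str, enslaved: str, bridge: str) -> str:
    """Replace only -i/-o tokens naming `enslaved` (addresses, comments etc. untouched)."""
    def repl(m):
        if m.group("name") != enslaved:
            return m.group(0)
        return f"{m.group('neg') or ''}{m.group('opt')} {bridge}"
    return IFACE_RE.sub(repl, line)


def audit(dump: str, enslaved: str, bridge: str) -> List[Finding]:
    """One Finding per rule that matches on `enslaved`.

    Once eth0 is a bridge port, netfilter sees its frames as arriving on br0:
    '-i eth0' never matches again and '! -i eth0' matches every LAN packet."""
    findings, table = [], "?"
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        hits = [m for m in IFACE_RE.finditer(line) if m.group("name") == enslaved]
        if hits:
            findings.append(Finding(table, line.split()[1], line,
                                    any(m.group("neg") for m in hits),
                                    _swap(line, enslaved, bridge)))
    return findings


def would_lose_dhcp(findings: List[Finding]) -> bool:
    """The thread's symptom: a negated LAN-interface rule that refuses DHCP (udp/67)
    starts rejecting the LAN clients' own requests after the bridge comes up."""
    return any(f.negated and "--dport 67" in f.rule
               and ("-j REJECT" in f.rule or "-j DROP" in f.rule)
               for f in findings)


def rewrite_dump(dump: str, enslaved: str, bridge: str) -> str:
    """Whole dump with interface matches moved to the bridge, ready for iptables-restore."""
    return "\n".join(_swap(ln, enslaved, bridge) for ln in dump.splitlines()) + "\n"


def physdev_form(finding: Finding, enslaved: str, bridge: str) -> str:
    """Ingress variant that still distinguishes the physical port, using the
    physdev match Hu mentions: '-i br0 -m physdev --physdev-in eth0' (assumed form)."""
    def repl(m):
        if m.group("name") != enslaved or m.group("opt") not in ("-i", "--in-interface"):
            return m.group(0)
        bang = "! " if m.group("neg") else ""
        return f"-i {bridge} -m physdev {bang}--physdev-in {enslaved}"
    return IFACE_RE.sub(repl, finding.rule)


if __name__ == "__main__":
    found = audit(SAMPLE_RULES, "eth0", "br0")
    for f in found:
        print(f"[{f.table}/{f.chain}] {'NEGATED ' if f.negated else ''}{f.rule}")
        print(f"    -> {f.rewritten}")
    if would_lose_dhcp(found):
        print("LAN DHCP would break once eth0 is enslaved; convert the rules first.")
```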

----------

## mondjef

Sorry about the code tags, I should have known as I read enough of the posts but rarely get the chance to post and help someone else out...one day.

Ok, at one point in my configuration I had changed dnsmasq to use the br0 interface instead of eth0.  I had wondered about the iptables rules having something to do with it.  I will reconfigure the bridge, have dnsmasq use br0 instead of eth0, and last but not least change all my iptables rules to use br0 instead of eth0, and report back whether I can have a beer yet or not.  Thanks again for taking the time to troubleshoot this.

----------

## NeddySeagoon

mondjef,

You get to have a beer anyway.

I use Virtual Machine Manager on a remote system for managing my KVMs.

The real hardware has four NICs all bridged to a VM router/firewall done with shorewall.

The NICs are for the Internet, the DMZ, wireless and protected wired. I don't use PPPoE as my VDSL 'modem' does that.

I had to draw out the networking several times, with IP numbers, to get it right as I wanted minimal downtime when I switched from a Smoothwall box.

I also have KVMs on that system for a media server and mail server.

----------

## mondjef

Success!  I can ssh into the box from a client on same LAN and access internet.  I will continue with getting the VM running now.  Thank you very much for your help.

----------

## mondjef

*NeddySeagoon wrote:*

> mondjef,
> 
> You get to have a beer anyway.
> 
> I use Virtual Machine Manager on a remote system for managing my KVMs
> ...

Very interesting NeddySeagoon, I am always interested in new ways of doing things that can improve my set up.  What were the reasons for you setting things up that way, more secure, easier to manage, performance?

----------

## NeddySeagoon

mondjef,

I had been using a 4 way Smoothwall for years for security and the time came when it wasn't fast enough to handle my downlink.

I didn't intend to use bridging - I wanted to use PCI passthrough but the 4 way NIC I bought did not support it.  Ooops.

The bare metal install is a minimal hardened install for supporting KVM, which is what I intended. It has its own Physical Volume in an LVM set.

I had to fall back to bridging when PCI passthrough would not work for me, or buy another 4 way NIC.

The KVMs all share a different Physical Volume and have one or more logical volumes each.

I use the virtio drivers as the performance is better than the emulated hardware plus drivers. Using logical volumes for the KVMs cuts out the overhead of a filesystem in a file too. 

I did start writing it up but it's by no means complete.

----------

## mondjef

ok, finally had time to install a VM but now I am having network problems with clients/guest OS connected to this machine.  It seems no clients (DHCP) or guest OS on the same LAN (receive IP via DHCP also) can communicate with each other.  Anyone have any suggestions on where and how to troubleshoot this?

----------

## jamapii

I guess most problems will result from lack of doing

*Hu wrote:*

> s/eth0/br0/

for everything: netfilter rules, dnsmasq, mail, squid or any other servers that refer to an interface in their config files.

Not that you should change your configuration now that it works, but for anyone reading this...

In the special case of running VMs on the router, I would recommend a separate internal network (this has been referred to as "Host-only networking" in GUI-dependent VM software). LAN machines will see it as it's covered by the default route. However, as I did it, it involved a bridge device anyway; this is where qemu connects its tap devices. Then, firewall rules refer not to "eth0", but to "any internal device".

----------

## jamapii

*mondjef wrote:*

> It seems no clients (DHCP) or Guest OS on the same LAN (receive IP via DHCP also) can communicate with each other.  Anyone have any suggestions on where and how to troubleshoot this?

If the DHCP clients have correct IP addresses but can't communicate with each other, your switch is broken, as (if?) this does not go through the router.

If the clients just can't reach the router, I think then the bridging is broken. I also wouldn't completely rule out the firewall rules.

My favourite tool to watch where traffic does or doesn't go is: iptraf.

My bridging setup in /etc/conf.d/net is

```
tuntap_tap0="tap"
brctl_br0="setfd 0
sethello 0
stp off"
bridge_br0="tap0"
config_br0="10.30.12.1/24"
config_tap0="null"
RC_AFTER_br0="net.tap0"         # _NEED_ is broken
rc_need_br0="net.tap0"      # this is overkill, but one of them does it
```

where tap0 is a dummy device to get br0 started (because I don't add eth0), and br0 bridges all the VMs together. Yours might be

```
brctl_br0="setfd 0
sethello 0
stp off"    # probably leave this out
bridge_br0="eth0"
config_br0="10.1.2.3/24"
rc_need_br0="net.eth0"
```

I think you may want to leave out the brctl_ lines, maybe it's safer that way.

And maybe you need a special (non-default) /etc/qemu/qemu-ifup, I don't know how this is handled usually.

However, this just applies if your test for "it communicates" is ping. If you mean nfs, cifs/samba, or something like that, there may still be an "eth0" in the specific config file, waiting to be replaced with br0.

----------

## Hu

*mondjef wrote:*

> Anyone have any suggestions on where and how to troubleshoot this?

Please elaborate on the nature of the non-communication.  At what layer do they fail to communicate?  Which protocols are affected?

----------

## mondjef

ok, finally had some more time to troubleshoot this as far as I am capable of given my current Linux abilities. 

here is how things look:

Host:

ppp0 (eth1) --> WAN, assigned a public IP address by the ISP via DHCP

br0 (192.168.0.1) --> bridged with eth0; all LAN clients and VMs are connected to this bridge.  Both LAN clients and VMs are assigned IPs via DHCP from the host so everyone is on the same subnet.

```
ifconfig

br0       Link encap:Ethernet  HWaddr 00:1b:21:3d:eb:49  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:fe3d:eb49/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:153956 errors:0 dropped:0 overruns:0 frame:0
          TX packets:208086 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:17153054 (16.3 MiB)  TX bytes:197691857 (188.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:1b:21:3d:eb:49  
          inet6 addr: fe80::21b:21ff:fe3d:eb49/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:123198 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17223138 (16.4 MiB)  TX bytes:111684577 (106.5 MiB)
          Interrupt:17 Memory:fdbc0000-fdbe0000 

eth1      Link encap:Ethernet  HWaddr 00:24:1d:21:37:6e  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::224:1dff:fe21:376e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:155334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116202 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:162469945 (154.9 MiB)  TX bytes:19671558 (18.7 MiB)
          Interrupt:43 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:83492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83492 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:39465340 (37.6 MiB)  TX bytes:39465340 (37.6 MiB)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:154954 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115815 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:159038018 (151.6 MiB)  TX bytes:17111588 (16.3 MiB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:40:b9:07  
          inet6 addr: fe80::fc54:ff:fe40:b907/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 

          RX bytes:2126696 (2.0 MiB)  TX bytes:86541059 (82.5 MiB)

ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

    inet6 ::1/128 scope host 

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

    link/ether 00:1b:21:3d:eb:49 brd ff:ff:ff:ff:ff:ff

    inet6 fe80::21b:21ff:fe3d:eb49/64 scope link 

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

    link/ether 00:24:1d:21:37:6e brd ff:ff:ff:ff:ff:ff

    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1

    inet6 fe80::224:1dff:fe21:376e/64 scope link 

       valid_lft forever preferred_lft forever

4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN 

    link/sit 0.0.0.0 brd 0.0.0.0

5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 

    link/ether 00:1b:21:3d:eb:49 brd ff:ff:ff:ff:ff:ff

    inet 192.168.0.1/24 brd 192.168.0.255 scope global br0

    inet6 fe80::21b:21ff:fe3d:eb49/64 scope link 

       valid_lft forever preferred_lft forever

6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3

    link/ppp 

    inet xxx.xxx.xxx.xxx peer xxx.xxx.xxx.xxx/32 scope global ppp0

10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500

    link/ether fe:54:00:40:b9:07 brd ff:ff:ff:ff:ff:ff

    inet6 fe80::fc54:ff:fe40:b907/64 scope link 

       valid_lft forever preferred_lft forever

route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

xxx.xxx.xxx.xxx *               255.255.255.255 UH    0      0        0 ppp0

192.168.0.0     *               255.255.255.0   U     0      0        0 br0

192.168.0.0     *               255.255.255.0   U     0      0        0 eth1

loopback        rivermistbeast  255.0.0.0       UG    0      0        0 lo

default         xxx.xxx.xxx.xxx 0.0.0.0         UG    4006   0        0 ppp0

```

Kubuntu Desktop computer:  assigned ip 192.168.0.123 via DHCP

```

ifconfig

eth1      Link encap:Ethernet  HWaddr 00:e0:18:db:78:e0  

          inet addr:192.168.0.123  Bcast:192.168.0.255  Mask:255.255.255.0

          inet6 addr: fe80::2e0:18ff:fedb:78e0/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:3840009 errors:0 dropped:0 overruns:0 frame:0

          TX packets:3014765 errors:0 dropped:0 overruns:3 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:4095484213 (4.0 GB)  TX bytes:1794717940 (1.7 GB)

          Interrupt:21 Base address:0xb400 

lo        Link encap:Local Loopback  

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:295 errors:0 dropped:0 overruns:0 frame:0

          TX packets:295 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:29211 (29.2 KB)  TX bytes:29211 (29.2 KB)

virbr0    Link encap:Ethernet  HWaddr 92:31:2f:22:c1:cf  

          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0

          inet6 addr: fe80::9031:2fff:fe22:c1cf/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2145 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:0 (0.0 B)  TX bytes:1090373 (1.0 MB)

route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

192.168.0.0     *               255.255.255.0   U     1      0        0 eth1

192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0

link-local      *               255.255.0.0     U     1000   0        0 eth1

default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

    inet6 ::1/128 scope host 

       valid_lft forever preferred_lft forever

2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000

    link/ether 00:e0:18:db:78:e0 brd ff:ff:ff:ff:ff:ff

    inet 192.168.0.123/24 brd 192.168.0.255 scope global eth1

    inet6 fe80::2e0:18ff:fedb:78e0/64 scope link 

       valid_lft forever preferred_lft forever

3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 

    link/ether 92:31:2f:22:c1:cf brd ff:ff:ff:ff:ff:ff

    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

    inet6 fe80::9031:2fff:fe22:c1cf/64 scope link 

       valid_lft forever preferred_lft forever

4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000

    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff

```

VM:  Ubuntu server:  assigned ip 192.168.0.130 via DHCP

```

ifconfig

eth0      Link encap:Ethernet  HWaddr 52:54:00:40:b9:07  

          inet addr:192.168.0.130  Bcast:192.168.0.255  Mask:255.255.255.0

          inet6 addr: fe80::5054:ff:fe40:b907/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:59344 errors:0 dropped:0 overruns:0 frame:0

          TX packets:30788 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:86553387 (86.5 MB)  TX bytes:2131977 (2.1 MB)

lo        Link encap:Local Loopback  

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:15 errors:0 dropped:0 overruns:0 frame:0

          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:772 (772.0 B)  TX bytes:772 (772.0 B)

route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

localnet        *               255.255.255.0   U     0      0        0 eth0

default         192.168.0.1     0.0.0.0         UG    100    0        0 eth0

ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

    inet6 ::1/128 scope host 

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000

    link/ether 52:54:00:40:b9:07 brd ff:ff:ff:ff:ff:ff

    inet 192.168.0.130/24 brd 192.168.0.255 scope global eth0

    inet6 fe80::5054:ff:fe40:b907/64 scope link 

       valid_lft forever preferred_lft forever

```

I can ssh/ping from the host to both the VM and the Kubuntu Desktop computer, and I can ping the host from both the VM and the Kubuntu Desktop computer.  What I cannot seem to do is ssh/ping the VM from another physical computer on the LAN such as the Kubuntu Desktop computer.  However, I did have success when I temporarily disabled my firewall (iptables) on the host machine, which leads me to believe that there is only an issue with firewall rules, as previously mentioned by jamapii.  Iptables is another thing on my list of things to master, but it's not there yet.  I looked at the rules and there is only one rule that draws my attention, but I'm not sure what doors I might be opening if I just outright remove the rule (rule #147 below).  Is there something else in my iptables rules that I need to change to get this working (besides, I know... "Get a megaphone and a ladder. Get up as high as you can, then begin blasting as much detail as possible to anyone who will listen.")?

```

iptables-save -c | cat -n

     1   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012

     2   *raw

     3   :PREROUTING ACCEPT [13115083:10049563998]

     4   :OUTPUT ACCEPT [5138885:7341377909]

     5   COMMIT

     6   # Completed on Thu Feb  2 21:58:25 2012

     7   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012

     8   *nat

     9   :PREROUTING ACCEPT [57753:3757692]

    10   :INPUT ACCEPT [32044:2163246]

    11   :OUTPUT ACCEPT [20301:1402719]

    12   :POSTROUTING ACCEPT [4941:309163]

    13   [40527:2652644] -A POSTROUTING -o ppp0 -j MASQUERADE

    14   COMMIT

    15   # Completed on Thu Feb  2 21:58:25 2012

    16   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012

    17   *mangle

    18   :PREROUTING ACCEPT [13115076:10049555006]

    19   :INPUT ACCEPT [8269087:5484942719]

    20   :FORWARD ACCEPT [4849056:4564763760]

    21   :OUTPUT ACCEPT [5138879:7341377549]

    22   :POSTROUTING ACCEPT [9987781:11906097529]

    23   :THESHAPER - [0:0]

    24   [44860:2722592] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    25   [3776264:325524432] -A POSTROUTING -o ppp0 -j THESHAPER

    26   [2997321:160590422] -A THESHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length 0:64 -j CLASSIFY --set-class 0001:0002

    27   [442:240053] -A THESHAPER -p icmp -m length --length 512:65535 -j CLASSIFY --set-class 0001:0004

    28   [11262:1984064] -A THESHAPER -p icmp -m length --length 0:512 -j CLASSIFY --set-class 0001:0002

    29   [0:0] -A THESHAPER -p udp -m udp --sport 22 -j CLASSIFY --set-class 0001:0002

    30   [0:0] -A THESHAPER -p udp -m udp --dport 22 -j CLASSIFY --set-class 0001:0002

    31   [0:0] -A THESHAPER -p tcp -m tcp --sport 22 -j CLASSIFY --set-class 0001:0002

    32   [0:0] -A THESHAPER -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 0001:0002

    33   [0:0] -A THESHAPER -p udp -m udp --sport 23 -j CLASSIFY --set-class 0001:0002

    34   [0:0] -A THESHAPER -p udp -m udp --dport 23 -j CLASSIFY --set-class 0001:0002

    35   [0:0] -A THESHAPER -p tcp -m tcp --sport 23 -j CLASSIFY --set-class 0001:0002

    36   [0:0] -A THESHAPER -p tcp -m tcp --dport 23 -j CLASSIFY --set-class 0001:0002

    37   [0:0] -A THESHAPER -p udp -m udp --sport 53 -j CLASSIFY --set-class 0001:0002

    38   [15618:1027629] -A THESHAPER -p udp -m udp --dport 53 -j CLASSIFY --set-class 0001:0002

    39   [0:0] -A THESHAPER -p tcp -m tcp --sport 53 -j CLASSIFY --set-class 0001:0002

    40   [0:0] -A THESHAPER -p tcp -m tcp --dport 53 -j CLASSIFY --set-class 0001:0002

    41   [0:0] -A THESHAPER -p udp -m udp --sport 3389 -j CLASSIFY --set-class 0001:0002

    42   [0:0] -A THESHAPER -p udp -m udp --dport 3389 -j CLASSIFY --set-class 0001:0002

    43   [55:2200] -A THESHAPER -p tcp -m tcp --sport 3389 -j CLASSIFY --set-class 0001:0002

    44   [1:40] -A THESHAPER -p tcp -m tcp --dport 3389 -j CLASSIFY --set-class 0001:0002

    45   [0:0] -A THESHAPER -p udp -m udp --sport 5900 -j CLASSIFY --set-class 0001:0002

    46   [0:0] -A THESHAPER -p udp -m udp --dport 5900 -j CLASSIFY --set-class 0001:0002

    47   [17:680] -A THESHAPER -p tcp -m tcp --sport 5900 -j CLASSIFY --set-class 0001:0002

    48   [0:0] -A THESHAPER -p tcp -m tcp --dport 5900 -j CLASSIFY --set-class 0001:0002

    49   [18869:14448825] -A THESHAPER -p udp -m udp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003

    50   [18857:14448052] -A THESHAPER -p udp -m udp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003

    51   [0:0] -A THESHAPER -p tcp -m tcp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003

    52   [0:0] -A THESHAPER -p tcp -m tcp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003

    53   [489947:97677378] -A THESHAPER -p udp -m udp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003

    54   [488004:97570389] -A THESHAPER -p udp -m udp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003

    55   [5502:220080] -A THESHAPER -p tcp -m tcp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003

    56   [11178:1546928] -A THESHAPER -p tcp -m tcp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003

    57   [13:832] -A THESHAPER -p udp -m udp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003

    58   [1:128] -A THESHAPER -p udp -m udp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003

    59   [1:40] -A THESHAPER -p tcp -m tcp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003

    60   [5:212] -A THESHAPER -p tcp -m tcp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003

    61   [2:134] -A THESHAPER -p udp -m udp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003

    62   [0:0] -A THESHAPER -p udp -m udp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003

    63   [0:0] -A THESHAPER -p tcp -m tcp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003

    64   [0:0] -A THESHAPER -p tcp -m tcp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003

    65   [0:0] -A THESHAPER -p udp -m udp --sport 5004 -j CLASSIFY --set-class 0001:0003

    66   [0:0] -A THESHAPER -p udp -m udp --dport 5004 -j CLASSIFY --set-class 0001:0003

    67   [0:0] -A THESHAPER -p tcp -m tcp --sport 5004 -j CLASSIFY --set-class 0001:0003

    68   [0:0] -A THESHAPER -p tcp -m tcp --dport 5004 -j CLASSIFY --set-class 0001:0003

    69   [1:63] -A THESHAPER -p udp -m udp --sport 1720 -j CLASSIFY --set-class 0001:0003

    70   [0:0] -A THESHAPER -p udp -m udp --dport 1720 -j CLASSIFY --set-class 0001:0003

    71   [0:0] -A THESHAPER -p tcp -m tcp --sport 1720 -j CLASSIFY --set-class 0001:0003

    72   [0:0] -A THESHAPER -p tcp -m tcp --dport 1720 -j CLASSIFY --set-class 0001:0003

    73   [0:0] -A THESHAPER -p udp -m udp --sport 1731 -j CLASSIFY --set-class 0001:0003

    74   [0:0] -A THESHAPER -p udp -m udp --dport 1731 -j CLASSIFY --set-class 0001:0003

    75   [0:0] -A THESHAPER -p tcp -m tcp --sport 1731 -j CLASSIFY --set-class 0001:0003

    76   [0:0] -A THESHAPER -p tcp -m tcp --dport 1731 -j CLASSIFY --set-class 0001:0003

    77   [0:0] -A THESHAPER -p udp -m udp --sport 80 -j CLASSIFY --set-class 0001:0004

    78   [0:0] -A THESHAPER -p udp -m udp --dport 80 -j CLASSIFY --set-class 0001:0004

    79   [473:101960] -A THESHAPER -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 0001:0004

    80   [1540229:104170849] -A THESHAPER -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 0001:0004

    81   [0:0] -A THESHAPER -p udp -m udp --sport 443 -j CLASSIFY --set-class 0001:0004

    82   [0:0] -A THESHAPER -p udp -m udp --dport 443 -j CLASSIFY --set-class 0001:0004

    83   [0:0] -A THESHAPER -p tcp -m tcp --sport 443 -j CLASSIFY --set-class 0001:0004

    84   [1527454:93479594] -A THESHAPER -p tcp -m tcp --dport 443 -j CLASSIFY --set-class 0001:0004

    85   [0:0] -A THESHAPER -p udp -m udp --sport 8080 -j CLASSIFY --set-class 0001:0004

    86   [0:0] -A THESHAPER -p udp -m udp --dport 8080 -j CLASSIFY --set-class 0001:0004

    87   [57:6880] -A THESHAPER -p tcp -m tcp --sport 8080 -j CLASSIFY --set-class 0001:0004

    88   [6:360] -A THESHAPER -p tcp -m tcp --dport 8080 -j CLASSIFY --set-class 0001:0004

    89   [0:0] -A THESHAPER -p udp -m udp --sport 110 -j CLASSIFY --set-class 0001:0006

    90   [0:0] -A THESHAPER -p udp -m udp --dport 110 -j CLASSIFY --set-class 0001:0006

    91   [0:0] -A THESHAPER -p tcp -m tcp --sport 110 -j CLASSIFY --set-class 0001:0006

    92   [0:0] -A THESHAPER -p tcp -m tcp --dport 110 -j CLASSIFY --set-class 0001:0006

    93   [0:0] -A THESHAPER -p udp -m udp --sport 25 -j CLASSIFY --set-class 0001:0006

    94   [0:0] -A THESHAPER -p udp -m udp --dport 25 -j CLASSIFY --set-class 0001:0006

    95   [0:0] -A THESHAPER -p tcp -m tcp --sport 25 -j CLASSIFY --set-class 0001:0006

    96   [0:0] -A THESHAPER -p tcp -m tcp --dport 25 -j CLASSIFY --set-class 0001:0006

    97   [0:0] -A THESHAPER -p udp -m udp --sport 21 -j CLASSIFY --set-class 0001:0006

    98   [0:0] -A THESHAPER -p udp -m udp --dport 21 -j CLASSIFY --set-class 0001:0006

    99   [0:0] -A THESHAPER -p tcp -m tcp --sport 21 -j CLASSIFY --set-class 0001:0006

   100   [22:1420] -A THESHAPER -p tcp -m tcp --dport 21 -j CLASSIFY --set-class 0001:0006

   101   [0:0] -A THESHAPER -p udp -m udp --sport 143 -j CLASSIFY --set-class 0001:0006

   102   [0:0] -A THESHAPER -p udp -m udp --dport 143 -j CLASSIFY --set-class 0001:0006

   103   [0:0] -A THESHAPER -p tcp -m tcp --sport 143 -j CLASSIFY --set-class 0001:0006

   104   [0:0] -A THESHAPER -p tcp -m tcp --dport 143 -j CLASSIFY --set-class 0001:0006

   105   [0:0] -A THESHAPER -p udp -m udp --sport 445 -j CLASSIFY --set-class 0001:0006

   106   [0:0] -A THESHAPER -p udp -m udp --dport 445 -j CLASSIFY --set-class 0001:0006

   107   [0:0] -A THESHAPER -p tcp -m tcp --sport 445 -j CLASSIFY --set-class 0001:0006

   108   [0:0] -A THESHAPER -p tcp -m tcp --dport 445 -j CLASSIFY --set-class 0001:0006

   109   [0:0] -A THESHAPER -p udp -m udp --sport 137:139 -j CLASSIFY --set-class 0001:0006

   110   [0:0] -A THESHAPER -p udp -m udp --dport 137:139 -j CLASSIFY --set-class 0001:0006

   111   [0:0] -A THESHAPER -p tcp -m tcp --sport 137:139 -j CLASSIFY --set-class 0001:0006

   112   [0:0] -A THESHAPER -p tcp -m tcp --dport 137:139 -j CLASSIFY --set-class 0001:0006

   113   [0:0] -A THESHAPER -p udp -m udp --sport 4662 -j CLASSIFY --set-class 0001:0006

   114   [0:0] -A THESHAPER -p udp -m udp --dport 4662 -j CLASSIFY --set-class 0001:0006

   115   [0:0] -A THESHAPER -p tcp -m tcp --sport 4662 -j CLASSIFY --set-class 0001:0006

   116   [0:0] -A THESHAPER -p tcp -m tcp --dport 4662 -j CLASSIFY --set-class 0001:0006

   117   [0:0] -A THESHAPER -p udp -m udp --sport 4664 -j CLASSIFY --set-class 0001:0006

   118   [0:0] -A THESHAPER -p udp -m udp --dport 4664 -j CLASSIFY --set-class 0001:0006

   119   [0:0] -A THESHAPER -p tcp -m tcp --sport 4664 -j CLASSIFY --set-class 0001:0006

   120   [0:0] -A THESHAPER -p tcp -m tcp --dport 4664 -j CLASSIFY --set-class 0001:0006

   121   [2040:248328] -A THESHAPER -p udp -m udp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006

   122   [48:5506] -A THESHAPER -p udp -m udp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006

   123   [0:0] -A THESHAPER -p tcp -m tcp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006

   124   [2876:184626] -A THESHAPER -p tcp -m tcp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006

   125   [7716:1021547] -A THESHAPER -s 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003

   126   [0:0] -A THESHAPER -d 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003

   127   COMMIT

   128   # Completed on Thu Feb  2 21:58:25 2012

   129   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012

   130   *filter

   131   :INPUT ACCEPT [3636:584155]

   132   :FORWARD DROP [14:4592]

   133   :OUTPUT ACCEPT [309876:510067666]

   134   [5068014:1894271762] -A INPUT -i br0 -j ACCEPT

   135   [514690:314770038] -A INPUT -s 127.0.0.0/8 -j ACCEPT

   136   [0:0] -A INPUT ! -i br0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable

   137   [0:0] -A INPUT ! -i br0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable

   138   [494696:99015054] -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

   139   [5531:276461] -A INPUT -p tcp -m tcp --dport 10000:20000 -j ACCEPT

   140   [36:17869] -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

   141   [0:0] -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT

   142   [18696:12118601] -A INPUT -p udp -m udp --dport 5080 -j ACCEPT

   143   [0:0] -A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT

   144   [567:81467] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

   145   [398:21612] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP

   146   [4:302] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP

   147   [50:5452] -A FORWARD -d 192.168.0.0/16 -i br0 -j DROP

   148   [1711827:122814403] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT

   149   [3137027:4441890997] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT

   150   COMMIT

   151   # Completed on Thu Feb  2 21:58:25 2012

iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     all  --  anywhere             anywhere            

ACCEPT     all  --  loopback/8           anywhere            

REJECT     udp  --  anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable

REJECT     udp  --  anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable

ACCEPT     udp  --  anywhere             anywhere             udp dpts:10000:20000

ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:10000:20000

ACCEPT     udp  --  anywhere             anywhere             udp dpt:5060

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5060

ACCEPT     udp  --  anywhere             anywhere             udp dpt:5080

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5080

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

DROP       tcp  --  anywhere             anywhere             tcp dpts:0:1023

DROP       udp  --  anywhere             anywhere             udp dpts:0:1023

Chain FORWARD (policy DROP)

target     prot opt source               destination         

DROP       all  --  anywhere             192.168.0.0/16

ACCEPT     all  --  192.168.0.0/16       anywhere            

ACCEPT     all  --  anywhere             192.168.0.0/16      

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination   

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination         

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination         

MASQUERADE  all  --  anywhere             anywhere 

```

If you need more info please let me know. I thank you for your time and effort.
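An added example (the editor's, not mondjef's and not from the Gentoo router guide) that replays the FORWARD and INPUT chains posted above against a few constructed packets and reports which numbered rule fires. It assumes that, with the bridge netfilter hooks enabled (`net.bridge.bridge-nf-call-iptables=1`, the default in kernels of that era once the bridge module is loaded), a frame bridged from the LAN port to the VM's tap traverses the FORWARD chain with `-i br0 -o br0`, while traffic the host itself sends or receives never enters FORWARD; that is consistent with host<->VM working and Kubuntu->VM failing only while iptables is loaded. The `FORWARD_FIXED` chain, the documentation-range WAN addresses and the sample packets are this example's assumptions.

```python
"""Added example, not from the thread: replay the posted filter chains against
sample packets and report which rule fires. Handles only the matches used in
the posted ruleset (-i, ! -i, -o, -s, -d, -p, --dport with ranges); first
match wins, the chain policy applies otherwise. Assumption: with the bridge
netfilter hooks on (net.bridge.bridge-nf-call-iptables=1) a frame bridged
between two br0 ports (eth0 -> vnet0) traverses FORWARD as -i br0 -o br0."""
import ipaddress
import shlex

# FORWARD chain as posted (rules 147-149), counters dropped.
FORWARD_POSTED = """
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.0.0/16 -i br0 -j DROP
-A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
"""
# Hypothetical fix (this example's, not the thread's): accept frames that only
# cross the bridge before the anti-routing DROP gets to see them.
FORWARD_FIXED = FORWARD_POSTED.replace(
    ":FORWARD DROP [0:0]\n", ":FORWARD DROP [0:0]\n-A FORWARD -i br0 -o br0 -j ACCEPT\n")

# INPUT chain as posted (rules 134-146), counters dropped.
INPUT_POSTED = """
:INPUT ACCEPT [0:0]
-A INPUT -i br0 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT ! -i br0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i br0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
"""

def parse_chain(text):
    """Return (policy, rules); each rule maps option -> (negated, value), '-j' included."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks[0].startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            policy = toks[1]
            continue
        rule, i = {}, 2                      # skip "-A CHAIN"
        while i < len(toks):
            neg = toks[i] == "!"
            if neg:
                i += 1
            opt, val = toks[i], toks[i + 1]
            i += 2
            if opt != "-m":                  # "-m tcp"/"-m udp" only enable --dport here
                rule[opt] = (neg, val)
        rules.append(rule)
    return policy, rules

def _matches(rule, pkt):
    for opt, (neg, val) in rule.items():
        if opt == "-i":
            hit = pkt["in"] == val
        elif opt == "-o":
            hit = pkt["out"] == val
        elif opt in ("-s", "-d"):
            addr = pkt["src" if opt == "-s" else "dst"]
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(val)
        elif opt == "-p":
            hit = pkt["proto"] == val
        elif opt == "--dport":
            lo, _, hi = val.partition(":")
            hit = int(lo) <= pkt["dport"] <= int(hi or lo)
        else:
            continue                         # -j, --reject-with: not matches
        if hit == neg:                       # plain miss, or negated hit
            return False
    return True

def evaluate(chain_text, pkt):
    """Return (verdict, n): n is the 1-based rule that fired, 0 when the policy did."""
    policy, rules = parse_chain(chain_text)
    for n, rule in enumerate(rules, 1):
        if _matches(rule, pkt):
            return rule["-j"][1], n
    return policy, 0

def packet(in_if, src, dst, proto="tcp", dport=22, out_if=None):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst, "proto": proto, "dport": dport}

# Constructed traffic: LAN addresses are those in the post, WAN ones are documentation ranges.
LAN_TO_VM = packet("br0", "192.168.0.123", "192.168.0.130", out_if="br0")      # Kubuntu -> VM, bridged
LAN_TO_NET = packet("br0", "192.168.0.123", "203.0.113.10", out_if="ppp0")     # LAN -> Internet, routed
LAN_TO_RFC1918 = packet("br0", "192.168.0.123", "192.168.5.5", out_if="ppp0")  # what rule 147 exists for
WAN_TO_SSH = packet("ppp0", "198.51.100.7", "192.168.0.1", dport=22)           # unsolicited, low port
WAN_TO_8080 = packet("ppp0", "198.51.100.7", "192.168.0.1", dport=8080)        # unsolicited, high port

if __name__ == "__main__":
    print("LAN->VM, posted chain:", evaluate(FORWARD_POSTED, LAN_TO_VM))   # ('DROP', 1)
    print("LAN->VM, fixed chain: ", evaluate(FORWARD_FIXED, LAN_TO_VM))    # ('ACCEPT', 1)
    print("WAN->tcp/8080, INPUT: ", evaluate(INPUT_POSTED, WAN_TO_8080))  # ('ACCEPT', 0)
```

On the router itself the `FORWARD_FIXED` chain corresponds to `iptables -I FORWARD 1 -i br0 -o br0 -j ACCEPT` (or `-m physdev --physdev-is-bridged -j ACCEPT`) placed ahead of rule 147; the alternative is `sysctl net.bridge.bridge-nf-call-iptables=0`, which keeps bridged frames out of iptables entirely. Either way rule 147 keeps doing what it is there for, dropping LAN traffic the router would otherwise route out ppp0 toward 192.168.0.0/16, as the `LAN_TO_RFC1918` case shows. The INPUT replay also surfaces a caveat in the posted rules: the chain policy is ACCEPT and the `! -i br0` DROP rules stop at port 1023, so any service the host listens on above 1023 is reachable from ppp0 unless something else blocks it.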

----------

## NeddySeagoon

mondjef,

This has to be wrong. You may not have two interfaces in the same subnet.

```
Kernel IP routing table 

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

xxx.xxx.xxx.xxx *               255.255.255.255 UH    0      0        0 ppp0 

192.168.0.0     *               255.255.255.0   U     0      0        0 br0 

192.168.0.0     *               255.255.255.0   U     0      0        0 eth1 

loopback        rivermistbeast  255.0.0.0       UG    0      0        0 lo 

default         xxx.xxx.xxx.xxx 0.0.0.0         UG    4006   0        0 ppp0 
```

```
br0       Link encap:Ethernet  HWaddr 00:1b:21:3d:eb:49  

          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0

 

eth1      Link encap:Ethernet  HWaddr 00:24:1d:21:37:6e  

          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
```

Let's consider what happens to a packet the kernel wants to send to the 192.168.0.0/24 subnet.

It tries the routing rules from the top of your routing table down until it gets a match. So anything sent to 192.168.0.0/24 is sent via br0.

No traffic ever goes out of eth1.
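As an added illustration of the lookup just described (the editor's model, not NeddySeagoon's words or kernel code): a small Linux-style IPv4 route selection run over the host table quoted above. It assumes the kernel's order of preference is longest matching prefix, then lowest metric, then the entry listed first among otherwise equal ones (the two 192.168.0.0/24 routes tie on prefix and metric, so br0 wins and eth1 is never chosen); the masked WAN addresses are replaced with a documentation-range placeholder and the loopback line is left out.

```python
"""Added example, not from the thread: model Linux IPv4 route selection over
the host routing table quoted above. Order of preference assumed here: the
longest matching prefix, then the lowest metric, then the entry listed first
(the two 192.168.0.0/24 routes tie on the first two, so br0 wins)."""
import ipaddress

# Transcribed from the host's `route` output, loopback line omitted; the
# masked WAN addresses are replaced with a documentation-range placeholder.
HOST_ROUTES = [
    # (destination/prefix, gateway or None, metric, interface)
    ("198.51.100.1/32", None, 0, "ppp0"),
    ("192.168.0.0/24", None, 0, "br0"),
    ("192.168.0.0/24", None, 0, "eth1"),
    ("0.0.0.0/0", "198.51.100.1", 4006, "ppp0"),
]

def lookup(routes, dst):
    """Return (interface, gateway) chosen for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for order, (prefix, gw, metric, dev) in enumerate(routes):
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (-net.prefixlen, metric, order)  # smaller key = preferred
        if best is None or key < best[0]:
            best = (key, dev, gw)
    return None if best is None else (best[1], best[2])

def egress_interfaces(routes, destinations):
    """Set of interfaces the given destinations would leave through."""
    return {lookup(routes, d)[0] for d in destinations}

if __name__ == "__main__":
    for dst in ("192.168.0.130", "192.168.0.123", "203.0.113.10"):
        print(dst, "->", lookup(HOST_ROUTES, dst))
```

The model ignores the kernel's local table, so do not feed it the host's own addresses; for every other LAN or Internet destination the result is br0 or ppp0, which is the point being made: the 192.168.0.2 address on eth1 is configured but never used for egress.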

----------

