# [Solved] Can't reach internet from guest or ping host.

## Wizumwalt

I'm running QEMU 4.2.0 and start a vm guest as such ...

```
qemu-system-x86_64 -netdev bridge,id=v0 -device virtio-net-pci,netdev=v0,mac=52:54:00:12:34:61 -smp 4 -kernel ./kernel-${KVERS} -append "root=/dev/vda console=ttyS0 video-nofb resolution=1024x768" -initrd ~/tools/gentoo-x86_64-initramfs.cpio.gz -m 1G -drive format=raw,file=./gentoo-x86_64-guest_2.img,if=virtio,cache=none -serial stdio
```

My problem is that once it boots, I can ping from the host to the guest, but cannot ping from guest to host. I also cannot reach the internet from the guest, but can from the host. My network is configured as follows.

```
$ ifconfig
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fd81:a47b:1113:0:5445:ebbf:fee7:b2f0  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::53e5:aaff:feddd:b7f0  prefixlen 64  scopeid 0x20<link>
        ether 56:e5:ea:87:b7:f0  txqueuelen 1000  (Ethernet)
        RX packets 11071718  bytes 9111983055 (8.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7195008  bytes 2522887087 (2.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:d8:ce:d6:84  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::96ee:80ef:fee4:7ec6  prefixlen 64  scopeid 0x20<link>
        ether 94:de:81:b5:73:c6  txqueuelen 1000  (Ethernet)
        RX packets 11199132  bytes 9319565919 (8.6 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7233316  bytes 2555871135 (2.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf3100000-f3120000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 15221  bytes 10781359 (10.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15221  bytes 10781359 (10.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 56:e5:ea:87:b7:f0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet6 fe80::78a3:eaff:feec:af53  prefixlen 64  scopeid 0x20<link>
        ether 7a:a3:ea:ec:af:53  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 3 overruns 0  carrier 0  collisions 0

tap2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc40:e9ff:fed9:5fde  prefixlen 64  scopeid 0x20<link>
        ether fe:40:e9:d9:5f:de  txqueuelen 1000  (Ethernet)
        RX packets 5151  bytes 1141617 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8422  bytes 760458 (742.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Here's my /etc/conf.d/net

```
# bridge setup
tuntap_tap0="tap"
tuntap_tap1="tap"
config_tap0="null"
config_tap1="null"
tunctl_tap0="-u me"
tunctl_tap1="-u me"

# bridge static config
bridge_br0="eno1 tap0 tap1"
rc_net_br0="net.tap0 net.tap1"
config_br0="192.168.10.10/24"
routes_br0="default via 192.168.10.1"
dns_servers_br0="abc.def.ghi.jkl"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
bridge_stp_state_br0=0
```

Any help much appreciated.

Last edited by Wizumwalt on Sat May 09, 2020 6:08 pm; edited 1 time in total

----------

## Hu

What is the network configuration on the guest?  The output you showed appears to be for the host.  For the guest, please show the output of ip a ; ip r, and an example of a failed command, including its error messages.

----------

## Wizumwalt

Here's the configs for the guest.

```
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:12:34:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.20/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd81:a47a:1f13:0:5054:ff:fe12:3460/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3460/64 scope link
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0

$ ip r
default via 192.168.10.1 dev eth0 metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20
```

And here is a command failing.

```
$ curl https://curl.haxx.se
curl: (6) Couldn't resolve host 'curl.haxx.se'
```

----------

## Logicien

The host has 192.168.10.1 as the default route for br0, is this OK? The guest should have 192.168.10.10 as default route to reach the host br0. The first hop for the guest address 192.168.10.20 is 192.168.10.10. So on the guest,

```
ip r del default
ip r default via 192.168.10.10
```

Have a try with this.

----------

## Wizumwalt

I believe this is correct. 192.168.10.1 is a router which the host is connected to.

I was unable to delete and add using your commands, so figured the following.

I can't seem to add a default route using 10.10 as I get the following.

```
$ sudo ip route add default via 192.168.10.10
Error: Nexthop has invalid gateway.
```

But doing the following results in being able to reach the guest from the host. 

```
$ sudo ip route add 192.168.10.0/24 dev eth0
```

And appears as ...

```
$ ip r
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.10.0/24 dev eth0 scope link
```

----------

## Jaglover

```
Couldn't resolve host 'curl.haxx.se'
```

Does ping by IP address work?

----------

## Wizumwalt

*Jaglover wrote:*

> ```
> Couldn't resolve host 'curl.haxx.se'
> ```
> ...


No, ip addresses don't work.

----------

## Logicien

Sorry for the wrong syntax of the ip command. What I wanted to do originally is

```
ip route del default via 192.168.10.1
ip route add default via 192.168.10.10
```

Check /etc/resolv.conf too, to be sure that the DNS IP addresses are good and functional.

----------

## Wizumwalt

I do have a question about /etc/resolve.conf.

My OpenWRT router runs OpenVPN and so in the resolve.conf I have the DNS addresses of my VPN service. Is this correct since the guest is having to connect through the host machine?

My host machine's /etc/resolve.conf is also the DNS of my VPN service.

Here's my current routing setup.

```
$ ip route
default via 192.168.10.10 dev eth0 metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20
```

and 

```
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.10   0.0.0.0         UG    2      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

```
$ sudo ip route del default via 192.168.10.1
RTNETLINK answers: No such process
```

Here's the /etc/conf.d/net on the guest.

```
config_eth0="192.168.10.20/24"
routes_eth0="default via 192.168.10.10"
dns_servers_eth0="<DNS to VPN provider>"
```

curl to https://curl.haxx.se

```
$ curl 151.101.2.49
curl: (7) Failed to connect to 151.101.2.49 port 80: Connection timed out
```

Last edited by Wizumwalt on Sat May 02, 2020 7:57 pm; edited 2 times in total

----------

## Logicien

Try to have only this line for the moment in all your /etc/resolv.conf

nameserver 8.8.8.8

This is a Google DNS server. You will use this server for domain name resolution. If you get Internet from the host and not with your VPN, you can think that there is a problem with your VPN.

Same thing with the guest. It's important to know if it is the resolver that has a problem and/or your IP configuration.

----------

## Wizumwalt

Yeah, I had been using those DNS's as well, but to no avail. Still doesn't talk.

----------

## ipic

It's a long shot, but can you check the contents of:  /etc/qemu/bridge.conf

This caught me out with a similar problem - but in my case it was ipv6, so as I say, a long shot.

----------

## Wizumwalt

 *ipic wrote:*   

> It's a long shot, but can you check the contents of:  /etc/qemu/bridge.conf
> 
> This caught me out with a similar problem - but in my case it was ipv6, so as I say, a long shot.

 

I checked it over and I have a line that points to another file with the contents

/etc/qemu/bridge.conf

```
include /etc/qemu/myuser.conf
```

myuser.conf

```
allow all
```

----------

## papas

I might be wrong but I think you have to enable ipv4_forwarding.

----------

## alamahant

You also need a kernel compiled with FULL functionality of iptables.

Run

```
grep -i netfilter /usr/src/linux/.config
grep -i netfilter /usr/src/linux/.config | grep -i bridge
```

and check if you have a long list of enabled modules and in addition entries for "bridge".

Also in "/etc/conf.d/net" your br0 should only have your primary physical interface as slave.

You do NOT need all these "tun tap........" entries. 

 :Very Happy: 

----------

## Wizumwalt

AFAIK, I've got what I need in the kernel ...

```
$ grep -i netfilter /usr/src/linux/.config | grep -i bridge
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_FAMILY_BRIDGE=y
```

```
$ grep -i netfilter /usr/src/linux/.config
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_FAMILY_BRIDGE=y
# CONFIG_NETFILTER_NETLINK_ACCT is not set
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NETFILTER_NETLINK_OSF is not set
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
# CONFIG_NETFILTER_XT_CONNMARK is not set
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
# CONFIG_NETFILTER_XT_TARGET_HL is not set
# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
# CONFIG_NETFILTER_XT_TARGET_LED is not set
CONFIG_NETFILTER_XT_TARGET_LOG=m
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
CONFIG_NETFILTER_XT_NAT=y
CONFIG_NETFILTER_XT_TARGET_NETMAP=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ECN is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_POLICY=y
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# IP: Netfilter Configuration
# IPv6: Netfilter Configuration
# iptables trigger is under Netfilter config (LED target)
```

----------

## alamahant

Are you certain that the "not set" ones are not required for networking?

Maybe if you tried with all enabled?

I am not sure it will work but you might as well give it a try:

```
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=m
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
# end of Core Netfilter Configuration
# IP: Netfilter Configuration
# end of IP: Netfilter Configuration
# IPv6: Netfilter Configuration
# end of IPv6: Netfilter Configuration
# iptables trigger is under Netfilter config (LED target)
CONFIG_SECURITY_SMACK_NETFILTER=y
```

It couldn't hurt, could it?

Also I strongly suspect your /etc/conf.d/net is complicated.

Maybe you could have

```
bridge_br0="eno1"

# Bridge static config
config_br0="xxxxxx"
routes_br0="default via xxxxxxxxx"
dns_servers_br0="xxxxxxxxx"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
```

You don't need these tap ifaces.

By just assigning the "br0" to guest it will work just fine.

In my case from vm xml

```
<interface type="bridge">
  <mac address="52:54:00:c7:55:40"/>
  <source bridge="br0"/>
  <model type="virtio"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
```

It works just fine for me for sharing host's network.

 :Smile: 

----------

## Wizumwalt

*papas wrote:*

> I might be wrong but I think you have to enable ipv4_forwarding.

```
$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
```

----------

## Wizumwalt

*alamahant wrote:*

> Are you certain that the "not set" ones are not required for networking?


Guess I'm a bit confused now about not needing the tap interfaces. I've been following the networking section here and basically have the "Network bridge" section using OpenRC setup.

https://wiki.gentoo.org/wiki/QEMU/Options#Networking

Posting my latest /etc/conf.d/net. With this config, I've noticed my interfaces are coming up a lot quicker.

```
tuntap_tap0="tap"
tuntap_tap1="tap"
config_tap0="null"
config_tap1="null"
tunctl_tap0="-t tap0 -u me"
tunctl_tap1="-t tap1 -u me"

config_eno1="null"
config_br0="192.168.10.10/24"
routes_br0="default via 192.168.10.1"
bridge_br0="eno1 tap0 tap1"
dns_servers_br0="209.222.18.222 209.222.18.218"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
bridge_stp_state_br0=0

depend_br0() {
        need net.eno1
        need net.tap0
}
```

As far as what LKM's are required, I've included all listed here on this page. https://wiki.gentoo.org/wiki/QEMU

However, I'll give it a try to simplify things.

----------

## alamahant

So basically tap1 belongs to vm1, tap2 to vm2 etc?

If this is the case you do NOT need to specify them in /etc/conf.d/net.

Just bridge your main ethernet iface to br0.

That is sufficient.

Qemu will do all the work to create the needed ifaces for guests when you assign just "br0" to each guest.

At least this is how I do it in qemu-libvirt-virt-manager.

Also maybe 

```
net-firewall/ebtables
```

is also needed........

Just in case.......

 :Smile: 

----------

## Hu

 *alamahant wrote:*   

> I am not sure it will work but you might as well give it a try:

 Most netfilter symbols are for specific features that OP would need to be trying to use.  If he tried to use one he did not have, he should get an error message.

----------

## riowilliam80

Restart the servers!

----------

## Hu

 *riowilliam80 wrote:*   

> Restart the servers!

 Why do you believe that would be relevant or useful here?

----------

## Wizumwalt

Ugh, finally got this fixed. 

I shut down iptables and was able to reach the internet. This never crossed my mind because of how the bridge is behind NAT which is behind the interface of the host which already gets out. I don't quite understand this part yet, but I'll go figure out what needs to change with the firewall.

I apologize for wasting so much time with this. Thanks for y'all's help.

----------

## Hu

I suggest using tcpdump on the firewall system to monitor what traffic the guest is generating, and compare that to the output of iptables-save to see why your existing rules are not permitting the traffic.

----------
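
Why stopping iptables fixed it, as an added example that is not part of the thread: with `CONFIG_BRIDGE_NETFILTER` enabled and `net.bridge.bridge-nf-call-iptables` set to 1, frames bridged across br0 traverse the host's FORWARD chain, and guest-to-host packets hit INPUT. The two rulesets are constructed (the thread never shows the real ones) to match the reported symptoms, and the function names are hypothetical.

```sh
# Added example: first-pass triage of host iptables rules for a bridged guest.
# Works on text so it runs offline. On a real host the inputs come from
#   iptables-save
#   sysctl -n net.bridge.bridge-nf-call-iptables
# while `tcpdump -ni br0 host 192.168.10.20` shows what the guest really sends.

# Constructed ruleset (the thread never shows the real one).
SAMPLE_BLOCKING='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed: the same ruleset with the bridge admitted.
SAMPLE_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i br0 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
COMMIT'

# chain_policy RULESET CHAIN: print the filter-table policy of CHAIN.
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == (":" chain) { print $2; exit }'
}

# bridge_accept_rules RULESET CHAIN BRIDGE: print ACCEPT rules of CHAIN that
# name BRIDGE as input interface or match bridged frames via physdev.
bridge_accept_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" -v br="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain && / -j ACCEPT/ {
            if (index($0, " -i " br " ") || index($0, "--physdev-is-bridged"))
                print
        }'
}

# guest_verdict RULESET NF_CALL CHAIN BRIDGE: heuristic only; it ignores rule
# order, user-defined chains and DROP rules that precede an ACCEPT.
#   bypass  - FORWARD is skipped for bridged frames (NF_CALL is 0)
#   allowed - chain absent, policy ACCEPT, or an ACCEPT rule for the bridge
#   blocked - restrictive policy and nothing admits the bridge
guest_verdict() {
    if [ "$3" = FORWARD ] && [ "$2" = 0 ]; then echo bypass; return; fi
    gv_policy=$(chain_policy "$1" "$3")
    if [ -z "$gv_policy" ] || [ "$gv_policy" = ACCEPT ] ||
       [ -n "$(bridge_accept_rules "$1" "$3" "$4")" ]; then
        echo allowed
    else
        echo blocked
    fi
}

# INPUT covers guest -> host, FORWARD covers guest -> router/internet.
for chain in INPUT FORWARD; do
    echo "$chain before: $(guest_verdict "$SAMPLE_BLOCKING" 1 "$chain" br0)"
    echo "$chain after:  $(guest_verdict "$SAMPLE_FIXED" 1 "$chain" br0)"
done
```

With the first ruleset, host-to-guest pings still work because the replies match the RELATED,ESTABLISHED rule, while new connections from the guest are dropped in both chains.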

