On 04/18/2014 01:58 AM, Lucio Crusca wrote:
> Hello all,
>
> I need to set up a virtual subnet to create a test AD domain (server +
> clients): guests need to talk to each other, they need to reach the internet
> through a virtual router with nat (virbr0?), broadcasts must not reach the
> host nor the physical network (because of conflicts with the existing real AD
> domain) and libvirt must NOT offer a dhcp service inside the virtual subnet.
>
> What kind of networking model should I look at?

The only part about this that seems odd is the requirement that the *host*
not receive broadcast packets from the guests. Without this, the guests would
not be able to reach the host (because ARP wouldn't work, and the host would
necessarily be the next-hop for IP routing), and therefore wouldn't be able to
reach anything outside the virtual subnet.

Aside from this restriction, you are exactly describing libvirt's "default"
network (with the <dhcp> section removed).

If there is just one kind of broadcast traffic that shouldn't reach the host
from the guests, then you could create a network hook script to add an
iptables rule that does the requested blocking when the network is started
(and removes it when the network is stopped) - see
http://libvirt.org/hooks.html (note that network hook scripts are only
available since libvirt 1.2.2, which is very new, so you may instead need to
just add it somewhere in the host's own config).

Alternatively, if you want a guest network that isn't directly connected to
the host, you could handle it in the following manner:

1) create a *completely empty* libvirt network - no IP address and no
   <forward>:

     <network>
       <name>pure-virtual</name>
     </network>

   (define this network, set it to autostart, and start it using virsh).

2) Create a virtual guest that has two network interfaces - a "public"
   interface that connects to libvirt's default network, and a "private"
   interface that connects to the new network named "pure-virtual".
   This guest will act as a router between the pure-virtual network and the
   host (and the rest of the internet).

3) set up whatever services (dhcp, dns, etc.) you like on the guest you
   created in (2)

4) when you create your test guests, connect their network interfaces to
   the "pure-virtual" network, *not* the default network.

The router guest that you created in (2) will not need to perform NAT, as
that is already being done by the host as the traffic egresses from the
public side of the router guest (although it will probably still work for
most things even if you do have double-NAT. And I guess if you want to
guarantee that the host cannot initiate contact with any of the test guests,
you actually may want to have NAT on the router guest as well).

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
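The network hook approach described in the reply above, written out as an added example (not code from the thread or from libvirt): a hook script that inserts one iptables rule when the libvirt network comes up and deletes it when the network stops. The install path, the network name "default", the bridge "virbr0", and the choice of UDP ports 137-138 (NetBIOS name/datagram service) as the one kind of guest broadcast to keep off the host are all assumptions for this example.

```shell
#!/bin/sh
# Assumed install path: /etc/libvirt/hooks/network (libvirt >= 1.2.2).
# libvirtd invokes it as:  network <network-name> <operation> <sub-operation> -
# and feeds the network XML on stdin (not needed here).
#
# Policy (all values are assumptions for this example): while the libvirt
# network NET_NAME is up, drop guest UDP broadcasts to ports 137-138 arriving
# on its bridge, and nothing else. Unicast guest->host traffic and ARP are
# untouched, so the host can still act as the guests' next hop.
NET_NAME="default"
BRIDGE="virbr0"
PORTS="137:138"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# The rule body, shared by the add (-I) and delete (-D) commands.
# addrtype BROADCAST matches both 255.255.255.255 and the bridge's
# subnet-directed broadcast, which is where guest broadcasts land.
rule_args() {
    echo "INPUT -i $BRIDGE -m addrtype --dst-type BROADCAST -p udp --dport $PORTS -j DROP"
}

# Map the hook arguments to an iptables action: -I once our network is up,
# -D once it has been torn down, nothing for any other network or event
# (start, port-created, updated, ...).
hook_action() {
    net="$1"; op="$2"
    [ "$net" = "$NET_NAME" ] || return 0
    case "$op" in
        started) echo "-I" ;;
        stopped) echo "-D" ;;
    esac
}

main() {
    action="$(hook_action "$@")"
    [ -n "$action" ] || exit 0
    # rule_args is deliberately unquoted so it expands into separate arguments.
    $IPTABLES "$action" $(rule_args)
}

# Only dispatch when libvirtd actually passed hook arguments.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Running it by hand as `IPTABLES=echo sh network default started begin -` prints the exact iptables command the hook would execute without touching the firewall.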