How are you bridging your KVMs onto public IP space

WSS Member

Hi!

The title says it all- there are a few different trains of thought about bridging KVMs onto public IP space. One of the most common I have seen use a local private bridge between the host and KVM client, and then a secondary assigned IP to the KVM itself.

Personally, I'd prefer the IP by itself, but I'm having problems getting it to work- I've aliased the entire /29 onto the br0 interface (with the primary IP for the host itself), and did an installation with the built-in DHCP bridging in QEMU- but can't quite get it to work with only a public IP. I've set it up as the native /29 with both host IP and actual gateway- and I can ping when I go through the gateway, but seem to be blocked on the return path, even with the host set to forward packets for the client.

This is a semi-stock Debian Jessie, with a recent QEMU build from backports. How'd you do yours- and what led you to figuring it out?

Friandise pour Shartsœurs

Comments

  • The answer to that changes depending on the network setup for the physical node the VM's are running on.

    Different providers have different ways of handing over IP blocks.

  • WSS Member

    @dragon2611 said: The answer to that changes depending on the network setup for the physical node the VM's are running on.

    Different providers have different ways of handing over IP blocks.

    This is assuming that the /29 is directly routed to my port, rather than independent /32s. I thought I might be able to address them as /32s or on the /29, but neither seems to actually work.

    Friandise pour Shartsœurs

  • If it's just a /29 on your port then no, you'd add them to the VM as IP/29 with the gateway being the upstream provider's router IP.

    If it's actually routed to your server's primary IP then you can route them how you please.

    Assuming your provider isn't doing any horrible MAC filtering on their side.

  • Depends on the host.

    OVH has a good system in my opinion.

    Let's say I buy a /29 from OVH (8 IPs total). Then OVH would assign me these IPs: 95.50.80.64 - 95.50.80.71

    I could either use a default gateway inside the failover IP range (95.50.80.70), or I could use the .254 of the host machine's IP address as a default gateway outside the failover IP range.

    Since we're limited to 16 additional failover IPs, I prefer to use them all, so I'll just use .254 of the host IP as my default gateway for all failover IPs.

    Basically I generate a MAC address for each IP, then add the info for each corresponding VM, and that's about it.

  • Falzo Member

    @stefeman said: Depends on the host.

    OVH has a good system in my opinion.

    Let's say I buy a /29 from OVH (8 IPs total). Then OVH would assign me these IPs: 95.50.80.64 - 95.50.80.71

    I could either use a default gateway inside the failover IP range (95.50.80.70), or I could use the .254 of the host machine's IP address as a default gateway outside the failover IP range.

    Since we're limited to 16 additional failover IPs, I prefer to use them all, so I'll just use .254 of the host IP as my default gateway for all failover IPs.

    Basically I generate a MAC address for each IP, then add the info for each corresponding VM, and that's about it.

    If you are unable to generate virtual MACs for each IP (depending on the provider), you should almost always be able to add all IPs of the /29 to your bridge as single ones and use a routed setup on your VM to make use of every single IP, like @dragon2611 pointed out.

  • @Falzo said:

    If you are unable to generate virtual MACs for each IP (depending on the provider), you should almost always be able to add all IPs of the /29 to your bridge as single ones and use a routed setup on your VM to make use of every single IP, like @dragon2611 pointed out.

    Only if they are routed to your server. Some providers stick you on a VLAN and assign one of the IPs to their gateway device (either their router or L3 switch), in which case you don't have enough control of the subnet to use all of the IPs and you just have to bridge (or proxy ARP).

    Some will actually route you an IP range properly (as in make you the next hop) at which point you can do what you like with it.

    I actually have one co-lo'd location where I have an RFC 1918 /30 address on the uplink to the provider, since all it's used for is to link my router to theirs so they could add a route for my public IP range (why waste a public IP for that, as long as those two routers can reach each other ;-) ).

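An added example, not from any poster in this thread, putting together stefeman's per-IP virtual MAC scheme and the address accounting behind the routed-versus-bridged choice that Falzo and dragon2611 describe. The sample block and the .254 gateway are constructed from the figures above, and the guest interface name eth0 and tap name tap0 are assumptions.

```python
import hashlib
import ipaddress

# Constructed from the thread's OVH example; the .254 gateway outside the
# block is the convention stefeman describes, not a value from this page.
BLOCK = "95.50.80.64/29"
OUTSIDE_GATEWAY = "95.50.80.254"

def virtual_mac(ip):
    """Stable locally-administered unicast MAC for one failover IP.
    First octet 0x02: local bit set, multicast bit clear, so it can never
    collide with a vendor-assigned OUI or be rejected as a group address."""
    digest = hashlib.sha256(str(ipaddress.ip_address(ip)).encode()).digest()
    return "02:00:" + ":".join(f"{b:02x}" for b in digest[:4])

def vm_addresses(block, mode, inside_gateway=None):
    """Addresses VMs may take from the block under the two setups discussed.
    routed:  gateway sits outside the block, each VM gets a /32, all usable.
    bridged: provider's gateway is inside the /29 and network/broadcast are
             reserved, so a /29 yields at most five VM addresses."""
    net = ipaddress.ip_network(block, strict=True)
    if mode == "routed":
        return [str(a) for a in net]
    if mode == "bridged":
        gw = ipaddress.ip_address(inside_gateway)
        if gw not in net:
            raise ValueError("bridged mode needs a gateway inside the block")
        return [str(a) for a in net.hosts() if a != gw]
    raise ValueError(f"unknown mode {mode!r}")

def guest_commands(ip, block, mode, gateway):
    """iproute2 commands for the guest's NIC (eth0 assumed)."""
    net = ipaddress.ip_network(block, strict=True)
    addr, gw = ipaddress.ip_address(ip), ipaddress.ip_address(gateway)
    if addr not in net:
        raise ValueError(f"{ip} is not in {block}")
    if mode == "routed":
        # With a /32 the gateway is not on any local subnet, so it must be
        # declared on-link first or the kernel rejects the default route.
        return [f"ip addr add {addr}/32 dev eth0",
                f"ip route add {gw}/32 dev eth0",
                f"ip route add default via {gw} dev eth0"]
    return [f"ip addr add {addr}/{net.prefixlen} dev eth0",
            f"ip route add default via {gw} dev eth0"]

def qemu_netdev_args(ip, tap="tap0"):
    """QEMU options attaching the guest NIC with its per-IP MAC (tap assumed)."""
    return (f"-netdev tap,id=net0,ifname={tap},script=no,downscript=no "
            f"-device virtio-net-pci,netdev=net0,mac={virtual_mac(ip)}")
```

The generated MAC is what the provider's failover panel must be told for that IP; the tap still has to be enslaved to the host bridge (br0 in the opening post) for frames to reach the upstream router.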
  • WSS Member

    Long story short, I ended up fixing this by rebuilding a current QEMU. Imagine that.

    Friandise pour Shartsœurs
