Cheat Sheet

Monday, June 5, 2017

OpenNebula: Allowing Private Network accessing outside via host

This one is really a pickle. I spent hours figuring out what went wrong: my private network (interface virbr0 from the libvirt daemon, 192.168.122.0/24) couldn't connect to the outside world.

Actually it was a simple solution (I had the same problem years ago, but I didn't document it well, so I forgot).


Solution:
Use firewalld or iptables to do NAT between virbr0 and the current DMZ/host bridge on the HOST. I hate iptables, hence:


firewall-cmd --zone=external --add-interface=virbr0
firewall-cmd --zone=external --add-interface=virbr0 --permanent


And yes, you don't have to explicitly specify masquerade, because external IS the forwarding zone, duh! (ref manual: https://fedoraproject.org/wiki/Firewalld?rd=FirewallD#external)
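Two things worth verifying after running those commands: that virbr0 really landed in the zone (runtime and permanent config are separate, hence the two commands), and what the zone lets the VMs reach on the host. The external zone ships with masquerade on, but it also allows selected incoming services by default (ssh in the stock Fedora definition), so every guest on virbr0 can now talk to those host services. The check below is an added example, not part of the original post; the `SAMPLE_ZONE_OUTPUT` text is constructed in the shape of `firewall-cmd --zone=external --list-all` so the script runs offline, and the function names `zone_field` and `virbr0_nat_ok` are mine.

```shell
#!/bin/sh
# Constructed sample in the shape of `firewall-cmd --zone=external --list-all`.
# On a real host, pipe the live command output into virbr0_nat_ok instead.
SAMPLE_ZONE_OUTPUT='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field NAME: print the value of the "NAME: value" line read from stdin
# (empty output when the field has no value, e.g. "sources:").
zone_field() {
    sed -n "s/^ *$1: *//p"
}

# virbr0_nat_ok: read zone listing from stdin; return 0 only when virbr0 is
# attached to the zone and masquerade is enabled. Also report which host
# services the zone exposes to the guests, since that is the side effect
# of putting a guest bridge into a zone that accepts incoming services.
# Usage: firewall-cmd --zone=external --list-all | virbr0_nat_ok
virbr0_nat_ok() {
    out=$(cat)
    ifaces=$(printf '%s\n' "$out" | zone_field interfaces)
    masq=$(printf '%s\n' "$out" | zone_field masquerade)
    svcs=$(printf '%s\n' "$out" | zone_field services)

    case " $ifaces " in
        *" virbr0 "*) ;;
        *)
            echo "virbr0 is not in this zone (interfaces: '$ifaces'); did you forget --permanent or a reload?"
            return 1
            ;;
    esac

    if [ "$masq" != "yes" ]; then
        echo "masquerade is off; guest traffic will not be NATed to the outside"
        return 1
    fi

    if [ -n "$svcs" ]; then
        echo "NAT ok. Note: guests on virbr0 can reach these host services: $svcs"
    else
        echo "NAT ok. Zone exposes no host services to the guests."
    fi
    return 0
}

# Stand-alone demo on the constructed sample.
printf '%s' "$SAMPLE_ZONE_OUTPUT" | virbr0_nat_ok
```

If the services line lists more than you intended the guests to see, trim it in that zone (`firewall-cmd --zone=external --remove-service=...`) rather than widening it; the guests only need the NAT, not a door back into the host.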


And voilà, you've got yourself a deal, and an external connection.


PS: Just don't forget to add DNS to your virbr0 settings (using nmtui should do it, via the UI).


Why:
Since libvirt is configured as Host-Only by default, all connections via virbr0 can only see their peers, not the outside of the host. (Here I thought it might have something to do with my network config, libvirt.conf, hence DNS not forwarded and not visible! Dammit.) By attaching virbr0 to the external zone, NAT and forwarding plus post/pre routing are enabled automatically.

Guys, if you don't have any complex rules, just use firewall-cmd. Forget about iptables. It's 2017, dammit, not 1997.
