Guest can reach outside network, but cannot reach host when using Macvtap interface

Http://wiki.libvirt.org/page/Guest_can_reach_outside_network,_but_can%27t_reach_host_%28macvtap%29

MACVTAP interfaces (type= ' direct '-the Libvirt documentation on the topic) can is useful even when not connecting to A Vepa or vnlink capable switch-setting the mode of such a interface to ' bridge ' would allow the guest to be directly co Nnected to the physical network in a very simple manner without the setup hassles (or NetworkManager incompatibility) Accompany use of the a traditional host bridge device.

However, once a guest has been configured to use a "type= ' direct '" Network interface (a.k.a. Macvtap), users would commonly Being surprised that the guest are able to communicate with other guests, and also with other external hosts on the network, The but cannot communicate with the Virt host is which the guest in question.

This isn't a bug, it is the defined behavior of macvtap-due to the way that the host ' s physical Ethernet are at Tached to the "Macvtap Bridge", traffic into "bridge" from "guests", "forwarded to" physical interface cannot Be bounced the "host" IP stack (and also, traffic from the host's IP stack that's sent to the physical Interfa Ce cannot be bounced the Macvtap bridge for forwarding to the guests. [Edit] Solution

One possible method of eliminating this problem would is to create a separate MACVTAP the for host use, and interface it The IP configuration previously on the physical Ethernet ("This page is example to" manually an int Erface on the "physical" to "use Macvtap", and this page is script)-In this way, the host would is an equal peer Ached to the Macvlap bridge, and thus guest and host could communicate directly.

However, this solution has two problems-1) it reintroduces just as more complexity to the configuration as would ing up a traditional Linux host bridge and 2) Just as NetworkManager currently doesn "t understand bridge devices, it also Doesn ' t understand macvtap devices, so NetworkManager would is unable to monitor the online state of the Macvtap interface , and would give erroneous reports about the online status of the host. In other words, it's really no better than just using a traditional host bridge (with the added problem the even Itional Methods of network configuration (e.g. initscripts on Fedora and RHEL) don ' t support configuration of a macvtap de Vice). [Edit] less painful Solution

There is a alternate solution which preserves networkmanager compatibility while allowing guest and host to directly comm Unicate. In short, the solution are use Libvirt to create a isolated network, and give each guest a second interface this is Connec Ted to this network; Host<-->guest communication would then take place over the isolated network.

1) Save The following XML to/tmp/isolated.xml:

   <network>
     <name>isolated</name>
       <ip address= ' 192.168.254.1 ' netmask= ' 255.255.255.0 ' >
       <dhcp>
         <range start= ' 192.168.254.2 ' end= ' 192.168.254.254 '/>
       </dhcp>
     </ Ip>
   </network>

(If the 192.168.254.0/24 network is already in-use elsewhere on your network, can choose a different).

2 Create The network, set it to Autostart, and start it:

   Virsh net-define/tmp/isolated.xml
   virsh net-autostart isolated virsh net-start isolated
   

3 edit (using "Virsh Edit $guestname") the configuration of each guest, uses direct (MACVTAP) for its network Connect Ion and add a new <interface> in the <devices> section similar to the following:

   <interface type= ' network ' >
     <source network= ' isolated '/> <model ' type= ' virtio '/> <--
     This is optional.
   </interface>

4) shutdown, then restart each of these guests.

The guests'll now is able to reach the host in the address 192.168.254.1, and the host would be able to reach the guests At whatever IP address they acquired to DHCP (alternately you can manually configure). Since This new network are isolated to only the host and guests, all other communication from the guests would use the MACVT AP interface.