I'm not sure what you mean. The host and guest can communicate already
with just the tap.
Forwarding (NAT and DNAT) is for facilitating communication between the
guest and remote hosts.
But for sure you can use a bridge to bind tap0 and eth0 together at
link level. It makes a different kind of networking setup.
If you want to go that way you still need the tap, but the IP
assignment steps are different since the bridge would facilitate link
level presence of the guest on the external network. Presumably you'd
then make the guest acquire its IP via DHCP.
Ralph.
On Sun, Aug 20, 2023 at 02:34:15PM +0200, Mario Marietto wrote:
> Your way to configure the network seems to be a little bit limited. I would
> like that the host and guest can communicate. What about using a bridge ? I
> found this tutorial :
>
> https://www.redhat.com/sysadmin/setup-network-bridge-VM
>
> where at the end it says :
>
> You can now ping your KVM host and guests.
>
> So,it seems that I will reach what I want.
>
> On Sun, Aug 20, 2023 at 1:24 PM Ralph Ronnquist <rrq@???> wrote:
>
> > No, the host acts as a NAT router and none of the VM ports are
> > accessible from "outside".
> >
> > Also, seen from the outside, all network traffic appears to be from/to
> > the host.
> >
> > To provide services in that setup, you'll need to set up "DNAT"
> > forwarding incoming packets for the service ports. I.e., let the host
> > forward traffic incoming on the selected ports to the VM, for it to
> > service it. E.g. to forward incoming tcp port 80 to the VM (assuming
> > it's at 10.0.2.2)::
> >
> > # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
> > -j DNAT --to-destination 10.0.2.2
> >
> > By that rule, incoming tcp packets destined for port 80 are forwarded
> > to the VM. The remote computer should thus connect using the host IP
> > (assuming that's reachable from outside) and it will forward the
> > traffic to the VM and its port 80 service. Return packets from the VM
> > will be NAT-ed like before, so the remote computer is unaware of the
> > internal forwarding.
> >
> > If your host can have a second IP, you can also use the DNAT setup for
> > all that traffic, and then the remote computer will "see" the VM as
> > any other host.
> >
> > Ralph.
> >
> > On Sun, Aug 20, 2023 at 12:59:14PM +0200, Mario Marietto wrote:
> > > Ok. It worked. Can I ask you if using this method,freebsd is reachable from
> > > outside its network ? If for example I want to start a web server inside
> > > FreeBSD,can I reach the web page that it hosts if I try to connect to it
> > > from my workstation ? I have some doubts that I can because the IP assigned
> > > to it seems to be private (10.0.2.1) :
> > >
> > > tap0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
> > > inet 10.0.2.1 netmask 255.255.255.0 broadcast 0.0.0.0
> > > ether 2a:00:9d:a5:77:07 txqueuelen 1000 (Ethernet)
> > > RX packets 0 bytes 0 (0.0 B)
> > > RX errors 0 dropped 0 overruns 0 frame 0
> > > TX packets 0 bytes 0 (0.0 B)
> > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > >
> > >
> > > On Sun, Aug 20, 2023 at 12:51 PM Ralph Ronnquist <rrq@???> wrote:
> > >
> > > > Should be "tap0" not "eth0" (of course). Sorry about that.
> > > >
> > > > On Sun, Aug 20, 2023 at 08:47:48PM +1000, Ralph Ronnquist wrote:
> > > > > Ah, I forgot the "bring it up" command; you could verify this with
> > > > >
> > > > > > # ifconfig -a
> > > > > >
> > > > > > That will present all interfaces; those that are down as well as those
> > > > > > that are up.
> > > > >
> > > > > The additional command is:
> > > > >
> > > > > # ip link set dev eth0 up
> > > > >
> > > > > .. usually to be done after adding it and setting its IP address, but
> > > > > can be done after IP configuration as well.
> > > > >
> > > > > Ralph.
> > > > >
> > > > > > You could verify beforehand with
> > > > >
> > > > > On Sun, Aug 20, 2023 at 12:27:30PM +0200, Mario Marietto wrote:
> > > > > > > Finally,after a lot of kernel recompilations,I've been able to issue all
> > > > > > > the commands suggested some time ago by @Ralph Ronnquist without getting
> > > > > > > errors :
> > > > > >
> > > > > > # ip tuntap add tap0 mode tap
> > > > > > ok
> > > > > >
> > > > > > # ip address add 10.0.2.1/24 dev tap0
> > > > > > ok
> > > > > >
> > > > > > # sysctl net.ipv4.ip_forward=1
> > > > > > ok
> > > > > >
> > > > > > # net.ipv4.ip_forward = 1
> > > > > > ok
> > > > > >
> > > > > > # iptables -t nat -A POSTROUTING -o mlan0 -j MASQUERADE
> > > > > > ok
> > > > > >
> > > > > > Now,the problem is that I don't see any tap0 interface :
> > > > > >
> > > > > > # ifconfig
> > > > > >
> > > > > > docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
> > > > > > > inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
> > > > > > ether 02:42:c9:04:eb:64 txqueuelen 0 (Ethernet)
> > > > > > RX packets 0 bytes 0 (0.0 B)
> > > > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > > > TX packets 0 bytes 0 (0.0 B)
> > > > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > > >
> > > > > > lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
> > > > > > inet 127.0.0.1 netmask 255.0.0.0
> > > > > > inet6 ::1 prefixlen 128 scopeid 0x10<host>
> > > > > > loop txqueuelen 1000 (Local Loopback)
> > > > > > RX packets 49 bytes 5414 (5.2 KiB)
> > > > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > > > TX packets 49 bytes 5414 (5.2 KiB)
> > > > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > > >
> > > > > > mlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> > > > > > > inet 192.168.1.6 netmask 255.255.255.0 broadcast 192.168.1.255
> > > > > > > inet6 fe80::a200:9c1a:7783:969f prefixlen 64 scopeid 0x20<link>
> > > > > > ether 60:21:c0:e9:44:63 txqueuelen 1000 (Ethernet)
> > > > > > RX packets 264 bytes 31934 (31.1 KiB)
> > > > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > > > TX packets 237 bytes 33545 (32.7 KiB)
> > > > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > > >
> > > > > > Is this normal ?
> > > > > >
> > > > > > > On Thu, Aug 17, 2023 at 3:15 PM Mario Marietto <marietto2008@???> wrote:
> > > > > >
> > > > > > > Can someone help me,please,to understand how to fix it ?
> > > > > > >
> > > > > > > loziomario <https://www.reddit.com/user/loziomario/> :
> > > > > > >
> > > > > > > root@devuan:~# nft add table nat
> > > > > > >
> > > > > > > > root@devuan:~# nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'
> > > > > > >
> > > > > > > Error: Could not process rule: No such file or directory
> > > > > > >
> > > > > > > deeseearr <https://www.reddit.com/user/deeseearr/> :
> > > > > > >
> > > > > > > Your table has no family.
> > > > > > >
> > > > > > > > You are also trying to add a chain to a table called "postrouting" in the
> > > > > > > > "nat" family, which does not exist.
> > > > > > > >
> > > > > > > > All of your other rules are part of the "ip" family so this one should be
> > > > > > > > too.
> > > > > > > >
> > > > > > > > On Wed, Aug 16, 2023 at 9:33 PM Mario Marietto <marietto2008@???> wrote:
> > > > > > >
> > > > > > >> I've created a post on Reddit :
> > > > > > >>
> > > > > > >>
> > > > > > > >> https://www.reddit.com/r/devuan/comments/15swwij/neither_iptables_nor_nftable_are_working_for_me/
> > > > > > > >>
> > > > > > > >> where I tried to explain what my problem is. Unfortunately no one
> > > > > > > >> replied right now.
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> On Wed, Aug 16, 2023 at 7:13 PM Mario Marietto <marietto2008@???> wrote:
> > > > > > >>
> > > > > > >>> They also suggest to check these kernel parameters :
> > > > > > >>>
> > > > > > > >>> root@devuan:~# grep CONFIG_NF_TABLES_INET= /boot/config-`uname -r`
> > > > > > > >>> CONFIG_NF_TABLES_INET=y
> > > > > > > >>>
> > > > > > > >>> root@devuan:~# grep CONFIG_NFT_COUNTER= /boot/config-`uname -r`
> > > > > > >>> CONFIG_NFT_COUNTER=y
> > > > > > >>>
> > > > > > >>> root@devuan:~# grep CONFIG_NFT_OBJREF= /boot/config-`uname -r`
> > > > > > >>> CONFIG_NFT_OBJREF=y
> > > > > > >>>
> > > > > > >>> but they seem correct,right ?
> > > > > > >>>
> > > > > > >>>
> > > > > > > >>> On Wed, Aug 16, 2023 at 7:04 PM Mario Marietto <marietto2008@???> wrote:
> > > > > > > >>>
> > > > > > > >>>> Reading from here :
> > > > > > > >>>> https://unix.stackexchange.com/questions/537912/nftables-rule-no-such-file-or-directory-error
> > > > > > >>>>
> > > > > > >>>> I tried to do the following :
> > > > > > >>>>
> > > > > > >>>> root@devuan:~# nft add table ip filter
> > > > > > >>>>
> > > > > > > >>>> root@devuan:~# nft add chain ip filter INPUT { type filter hook input priority 0 \; } # create chain
> > > > > > > >>>> root@devuan:~# nft add rule ip nat POSTROUTING oifname "mlan0" counter masquerade
> > > > > > >>>> Error: Could not process rule: No such file or directory
> > > > > > >>>> add rule ip nat POSTROUTING oifname mlan0 counter masquerade
> > > > > > >>>> ^^^
> > > > > > >>>>
> > > > > > >>>> root@devuan:~# nft list ruleset
> > > > > > >>>> table ip filter {
> > > > > > >>>> chain INPUT {
> > > > > > > >>>> type filter hook input priority filter; policy accept;
> > > > > > >>>> }
> > > > > > >>>> }
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > > >>>> On Wed, Aug 16, 2023 at 6:58 PM Mario Marietto <marietto2008@???> wrote:
> > > > > > > >>>>
> > > > > > > >>>>> root@devuan:~# iptables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > > > > > >>>>> nft add rule ip nat POSTROUTING oifname "eth0" counter masquerade
> > > > > > >>>>>
> > > > > > >>>>> root@devuan:~# ifconfig
> > > > > > >>>>>
> > > > > > >>>>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
> > > > > > >>>>> inet 127.0.0.1 netmask 255.0.0.0
> > > > > > >>>>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
> > > > > > >>>>> loop txqueuelen 1000 (Local Loopback)
> > > > > > >>>>> RX packets 28 bytes 3449 (3.3 KiB)
> > > > > > >>>>> RX errors 0 dropped 0 overruns 0 frame 0
> > > > > > >>>>> TX packets 28 bytes 3449 (3.3 KiB)
> > > > > > > >>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > > > > >>>>>
> > > > > > > >>>>> mlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> > > > > > > >>>>> inet 192.168.1.6 netmask 255.255.255.0 broadcast 192.168.1.255
> > > > > > > >>>>> inet6 fe80::47b1:6a1e:c9a8:5e73 prefixlen 64 scopeid 0x20<link>
> > > > > > >>>>> ether 50:22:c1:e9:44:63 txqueuelen 1000 (Ethernet)
> > > > > > >>>>> RX packets 656 bytes 59350 (57.9 KiB)
> > > > > > >>>>> RX errors 0 dropped 0 overruns 0 frame 0
> > > > > > >>>>> TX packets 351 bytes 35970 (35.1 KiB)
> > > > > > > >>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > > > > >>>>>
> > > > > > > >>>>> root@devuan:~# nft add rule ip nat POSTROUTING oifname "mlan0" counter masquerade
> > > > > > >>>>>
> > > > > > >>>>> Error: Could not process rule: No such file or directory
> > > > > > >>>>> add rule ip nat POSTROUTING oifname mlan0 counter masquerade
> > > > > > >>>>> ^^^
> > > > > > >>>>>
> > > > > > >>>>>
> > > > > > >>>>>
> > > > > > > >>>>> On Wed, Aug 16, 2023 at 1:03 PM wirelessduck--- via Dng <dng@???> wrote:
> > > > > > >>>>>
> > > > > > >>>>>>
> > > > > > >>>>>>
> > > > > > > >>>>>> > On 16 Aug 2023, at 20:13, Mario Marietto <marietto2008@???> wrote:
> > > > > > > >>>>>> >
> > > > > > > >>>>>> >
> > > > > > > >>>>>> > It's too much out of my knowledge. I'm not able to understand
> > > > > > > >>>>>> > what's the correct syntax to use.
> > > > > > > >>>>>>
> > > > > > > >>>>>> The manpage for iptables-translate says it takes the same arguments
> > > > > > > >>>>>> as iptables. You can try:
> > > > > > > >>>>>>
> > > > > > > >>>>>> iptables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > > > > > >>>>>>
> > > > > > > >>>>>> and that should output the equivalent nftables command. I don’t have
> > > > > > > >>>>>> a terminal here to try that myself right now.
> > > > > > >>>>>>
> > > > > > >>>>>> Tom
> > > > > > >>>>>> _______________________________________________
> > > > > > >>>>>> Dng mailing list
> > > > > > >>>>>> Dng@???
> > > > > > >>>>>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> > > > > > >>>>>>
> > > > > > >>>>>
> > > > > > >>>>>
> > > > > > >>>>> --
> > > > > > >>>>> Mario.
> > > > > > >>>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>> --
> > > > > > >>>> Mario.
> > > > > > >>>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> --
> > > > > > >>> Mario.
> > > > > > >>>
> > > > > > >>
> > > > > > >>
> > > > > > >> --
> > > > > > >> Mario.
> > > > > > >>
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Mario.
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Mario.
> > > > > _______________________________________________
> > > > > Dng mailing list
> > > > > Dng@???
> > > > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> > > > _______________________________________________
> > > > Dng mailing list
> > > > Dng@???
> > > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> > > >
> > >
> > >
> > > --
> > > Mario.
> > _______________________________________________
> > Dng mailing list
> > Dng@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> >
>
>
> --
> Mario.
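
Added example, not part of the thread: the "No such file or directory" error quoted above comes from adding a rule to `ip nat POSTROUTING` before that table and chain exist, so this script prints one ruleset that declares the table (with its family), the chains, and the masquerade and port-80 DNAT rules together. The table name `vmnat` and the function names are assumptions of this example; the interface names, guest address and port are the ones used in the thread.

```shell
#!/bin/sh
# Added example: print an nftables ruleset for the tap + NAT + DNAT setup.

valid_ifname() {            # letters, digits, '_', '.', '-'; at most 15 chars
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_ipv4() {              # four dot-separated decimal octets, each 0..255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {              # 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset WAN_IF TAP_IF GUEST_IP TCP_PORT  (table name "vmnat" is assumed)
gen_ruleset() {
    wan=$1 tap=$2 guest=$3 port=$4
    valid_ifname "$wan" && valid_ifname "$tap" &&
        valid_ipv4 "$guest" && valid_port "$port" || return 1
    cat <<EOF
table ip vmnat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$wan" tcp dport $port dnat to $guest
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" counter masquerade
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        iifname "$wan" oifname "$tap" ip daddr $guest tcp dport $port accept
        iifname "$wan" oifname "$tap" drop
    }
}
EOF
}

if [ "$#" -eq 4 ]; then gen_ruleset "$@"; fi
```

Run it as `sh vmnat.sh mlan0 tap0 10.0.2.2 80 | nft -c -f -` to have nft check the ruleset without loading it, and drop `-c` to load it. The forward chain is an addition to what the thread sets up: with `net.ipv4.ip_forward=1`, it limits new inbound connections toward the tap to the one forwarded port.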