Combining masquerading and a network bridge for virtual machines

I have a network configuration puzzle.

I have a remote SUSE (Leap 15.1) machine on a standard private network with a local ethernet adaptor ‘eth0’.

I access that machine using a WireGuard VPN. As I need to access the whole network, I masquerade eth0 and all the routing issues get taken care of with no issues.

Now here is the problem. I want to run virtual machines on that remote server using the KVM hypervisor and have done this with no problems, except I can’t get the networking right, as I want to be able to access not only the physical network but also the virtual machines on the host. I have a bridge device, ‘br0’ (the virtual machines are automatically added as ‘vnet0’ etc.). If I add ‘eth0’ to the bridge, all internet access is fine but I can only access the host. If I masquerade ‘eth0’ or ‘br0’, I am able to access the rest of the network but not the virtual machines attached to the bridge.

It feels like I want to create a virtual ethernet device on the SUSE box which is masqueraded and then add that to the bridge along with the physical ‘eth0’. I guess it wants to look like this:

192.168    | 192.168              |
200.2      | 200.1                                       |
           |                          --------           |
           |                          |      |           |
---- wg0 ---- (masquerading here) ----|  br0 |------------- eth0 and the rest of
           |                          |      |           |
wireguard  |                          |      |--- vnet0  |
vpn con    |                          |      |           |
           |                          |      |--- vnet1  |
           |                          |      |           |
           |                          |      |--- vnet2  |
           |                          --------

or am I just approaching this in the wrong way?

Obvious answer - create an internal-only bridge for virtual machines and use your remote host as a router between the external interface and this bridge.

OK. I get the topology but, sorry if this sounds dumb, how do I build the router part?

Assuming IPv4 only:

sysctl -w net.ipv4.ip_forward=1

Make sure your host IP on internal bridge is set as default gateway in your VM.

I don’t know if I understand fully what you’re trying to do, but I may not need to understand your whole configuration…

I think you are asking: if you have a br0 (which is a bridge device providing bridging mode), then how can you provide access to virtual machines on a different virtual network? Not sure what your vnet devices are; I suspect you really mean individual VM network connections and not each representing a separate virtual network. If my assumption is correct, then it seems to me your solution is simple…

Use your libvirt vm-manager to create a new virtual network, define it as a NAT network, configure it appropriately and simply configure your VMs to use the bridge device that’s created for your new NAT network.

You’d be taking advantage of the fact that a network interface (I think eth0 in this case) can support any number of bridge devices simultaneously, and each bridge device would have its own unique purpose. In your case, the br0 device allows devices that use it to be recognized like any other host on the physical network, and the new NAT device (if this is your first created device, it may be called virbr0) allows any machines that use it to belong to the same virtual network, masqueraded from the physical network.

Generally speaking, any networking questions that involve bridge devices like br0 should be asked and posted to the Virtualization forum since the issues have to do with virtual networks and virtual machines.
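
Putting arvidjaar's "router part" and tsu's libvirt NAT network side by side, as an added example that is not from any poster in this thread: it assumes a VM-only bridge named virbr1 on 192.168.123.0/24 (chosen to stay clear of libvirt's default 192.168.122.0/24 network), eth0 as the uplink and wg0 as the VPN side; the network XML and the nftables commands are mine, not something the thread shows.

```shell
#!/bin/sh
# Added example, not from the thread: the "router part" arvidjaar describes, next to
# the libvirt NAT network tsu suggests. Assumed names: VM-only bridge virbr1 on
# 192.168.123.0/24 (not libvirt's default 192.168.122.0/24), host uplink eth0, VPN on wg0.
VM_BRIDGE="virbr1"
VM_NET="192.168.123.0/24"
GW_IP="192.168.123.1"          # host address on the bridge = default gateway of every VM
WAN_IF="eth0"

# libvirt network definition. forward mode='nat' makes libvirt install the
# masquerade rules itself, so nothing has to be hand-built in iptables/nft.
libvirt_nat_xml() {
  cat <<EOF
<network>
  <name>vmnat</name>
  <forward mode='nat'/>
  <bridge name='$VM_BRIDGE' stp='on' delay='0'/>
  <ip address='$GW_IP' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.123.100' end='192.168.123.200'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Hand-built equivalent (nftables): forwarding on, and masquerade only what leaves
# the VM subnet through eth0. Traffic between wg0 and the bridge is merely routed,
# so VPN clients see the VMs by their real addresses; the WireGuard peer must list
# $VM_NET in its AllowedIPs for that traffic to enter the tunnel at all.
router_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
nft add table ip vmrouter
nft add chain ip vmrouter postrouting '{ type nat hook postrouting priority 100; }'
nft add rule ip vmrouter postrouting ip saddr $VM_NET oifname "$WAN_IF" masquerade
EOF
}

# Dry run prints both pieces; run as root with --apply to define the network and load the rules.
if [ "${1:-}" = "--apply" ]; then
  libvirt_nat_xml > /tmp/vmnat.xml
  virsh net-define /tmp/vmnat.xml && virsh net-autostart vmnat && virsh net-start vmnat
  router_commands | sh -e
else
  libvirt_nat_xml
  router_commands
fi
```

Use one of the two, not both: with the libvirt network defined, libvirt already adds the masquerade rules for virbr1, and the hand-built commands are only needed if the bridge is created outside libvirt.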

Thanks arvidjaar. Much simpler than expected, I thought I would have to be setting loads of things up in iptables!

Thanks for the reply tsu. The vnet interfaces were just those to the bridge from the VMs. I’ll use the right forum next time.