Using a VM as router

Dear all,

I’m trying to use Xen/Libvirt/virt-manager to virtualise a few applications of mine, however I’d like to have them behind a UTM. For this purpose I am using a UTM guest and giving it my computer’s NIC.

It all works great, it sees the NIC, however I am unable to let it communicate with the other virtual machines… Most certainly because I haven’t configured the virtual networks properly.

What I want to achieve is pretty clear, I want to route and policy my VMs with a Firewall VM and I want the host OS to not have to deal with it (i.e. off the Internet)… However I can’t find enough information about how to do it, and I seem to be getting it wrong all the time.

Could anyone help me figure it out? Maybe tell me what to do and hold my hand through it? I only need help with the network configuration (I have deleted all Virtual networks and interfaces, so I can start fresh) and using virt-manager should be a breeze and just require a few lines for an answer…

Any kind soul?

First thing you need to describe is what you mean by “giving it my computer’s NIC.”
If you did a hardware pass-through, that’s probably unnecessary and maybe even inadvisable (in other words, describe why you might have done this).

In general though,
Setting a VM as a router is no different than setting up a physical machine as a router.

  • Typically the VM has to have 2 virtual NICs, one bound to your external (likely physical) network, and the other a virtual network which may or may not be bound to a physical network interface (advisable not to be the same physical NIC used for the external network).
  • The VM’s external network interface must be fully functional, communicating with the “outside” network.
  • The VM’s internal network interface must be defined with a different networkid (else there would not be any “routing”) and in the case of using libvirt (likely set up using vm manager) should be associated with an “internal virtual network”
  • All machines whether physical or virtual “behind” the routing VM should be configured with the internal virtual network and likely with the Default Gateway set with the router’s IP address. Depending on whether you wish machines in the internal virtual network should be accessible, routing table entries may need to be configured in machines in the external network.

As I said, except for the idea of setting up and configuring virtual networks, a VM as a router is no different than a physical machine set up as a router.



I’m sorry, I should have pointed out that the NIC is passed through.

What I don’t get is what I should create. A virtual network? A virtual interface as well? Creating a virtual (host) isolated network seems to be hit or miss to me, is there any step by step list I should follow?

I just want to separate the guests, some of them run less trusted code. And I’d also like to leave the host as is, without setting up bridges, firewall and other hardening, just deploy a UTM and be done with it.

As I described,
Is there any reason why you did a NIC hardware pass-through?
There are typically many downsides to doing any kind of hardware pass-through and relatively few upsides, so unless there is a specific reason to do so, it’s highly discouraged.

When you create a virtual network in vm manager, you automatically create the Linux Bridge Device that is the defined virtual network, and is typically bound to a physical network adapter for external network functionality. It’s all done for you, you don’t have to know the detailed mechanics but should understand the concepts.

By using a network connection set up this way instead of hardware pass-through,

  • The hardware device is not monopolized by a machine, either virtual or the HostOS. When you do a pass-through, nothing other than that Guest can use that device, even the HostOS.
  • Once a Linux Bridge Device is created, it’s a shareable object. So, the hardware is not monopolized, any number of Guests and even the HostOS can use that hardware device.
  • A Linux Bridge Device is more than just a shareable object, it can contain a number of configurations, and a virtual network is defined by these settings… minimally the IP address range, but can also support various services like DHCP without having to set up a DHCP server. Libvirt’s vm manager is particularly good at making these configurations easy to set, if you tried to do this manually it would be difficult.

As I described in my previous post, setting up a router configuration is no different than setting up a physical router.
You have an external network. If you configure this to use a virtual network, then the virtual network should be set up either as bridged or NAT, not Host-only. This is not different than setting up a physical router.
You have an internal network. This should be a virtual network with a different networkid than the external network. This virtual network can be bound to a physical NIC so that VMs and physical machines are “behind” this router or you can configure as a “Host-only” virtual network, typically only for VMs on the same machine.
Your router has to be functional on both networks.
You connect your “internal” Hosts (machines which can be virtual or real) to the internal network (remember what I stated above about a shareable object?)
If your router VM is also the gateway to the Internet for your internal network, then each of the machines connected to your internal network should configure your router’s internal network address as the Default Gateway.
If you also want to configure access from machines in the external network to access machines in the internal network, then you need to configure routing table entries.

Everything above is not much different than setting up a physical router.
If you take the path of least resistance and don’t specify things up front you don’t want to do or know about or insist on doing things in an abnormal way, this is actually quite easy because the setup will make a lot of sense.
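
The internal network described in the post above, as a libvirt configuration sketch (an added example, not part of the original thread). The network name `internal-lan`, the bridge name `virbr-int` and the file name are assumptions chosen for illustration.

```xml
<!-- internal-lan.xml: isolated libvirt network for the guests behind the router VM.
     No <forward> element: libvirt neither routes nor NATs this network.
     No <ip> element: the host gets no address on the bridge and libvirt runs
     no DHCP or DNS on it, so the host is not reachable from these guests and
     the firewall VM has to hand out addresses and act as the gateway.
     Load it on the host with:
       virsh net-define internal-lan.xml
       virsh net-start internal-lan
       virsh net-autostart internal-lan -->
<network>
  <name>internal-lan</name>
  <bridge name='virbr-int' stp='on' delay='0'/>
</network>

<!-- Router/firewall VM: add inside <devices> as its second (inside) NIC.
     Its outside NIC is whatever already connects it to the external network
     (a bridged or NAT virtual network, or the passed-through device). -->
<interface type='network'>
  <source network='internal-lan'/>
</interface>

<!-- Each guest behind the router: this is its only NIC. Inside the guest, the
     default gateway is the router VM's address on internal-lan, and that
     subnet must differ from the external network's subnet. -->
<interface type='network'>
  <source network='internal-lan'/>
</interface>
```

`virsh net-dumpxml internal-lan` on the host should show no `<forward>` and no `<ip>` element once the network is defined; if either appears, the host is participating in the network.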


I did something similar to this using VirtualBox - I have a software
router running an x86 build of openWRT. The network configuration that I
have is a bridged adapter for the router’s public interface, and a
private network (not host-only, but VirtualBox describes it as an
“internal network”; it differs from host-only in that the host has no
address assigned on it - so the host can only access it through the
router), and then the VMs that are behind that are all on the internal
network only.

My soft router is configured using haproxy and port forwarding (there’s
some load balancing going on, and haproxy handles that), so routing to
the internal network isn’t really needed.



Jim Henderson
openSUSE Forums Administrator