Saturday, January 29, 2011

Bridge virtual machines out WLAN interface

It seems that my wlan card (intel 5100 AGN) firmware doesn't allow "spoofing" MAC addresses. This has the side effect of destroying the capability to bridge out my virtual machines on that interface. Apparently this is a common thing on wlan cards.

I can see the incoming traffic just fine in my virtual machines, but their DHCP queries don't get bridged out of the WLAN card. It works perfectly well when using the wired ethernet port.

Is there a workaround for this? MAC-NAT or something?

I don't want to route my virtual machines out to the Internet because I don't want my host OS to even have an IP address.

I'm using Linux and KVM for virtualization.

  • Unfortunately yes, it's a common restriction on wlan cards, to prevent you from using them as repeaters or something.

    Why don't you want the host to have an IP, and what's wrong with regular NAT on the host?

    Something I've thought of that might work:

    • assign 1 virtual interface (eth0:0 etc) on the host's wlan for each virtual machine
    • assign (from a different private range) IP addresses to the vms
    • use static nat to map each outside address to each inside address.

    Then all the traffic that comes out of the host will be sent with the host's MAC address.

    I think you might have to assign the host's wlan IPs statically, as DHCP will hand out one IP address per mac address.

    Some security systems don't like multiple IPs on one MAC, which there's little you can do about if you don't have control of those systems.

    Thomas : No IP address on the host because of security reasons. Then the host isn't vulnerable to ping of death, NAT inspection (state "related" in iptables for example) bugs, and DHCP client bugs, all of which have happened. (I need DHCP client, not static IP for when the networks use DHCP snooping with ARP inspection). I want no IP processing on the host OS whatsoever.
    pjc50 : I'm not sure that you're immune to those simply by not allocating an IP address ... If there's DHCP snooping with ARP inspection (which is based on MAC), AND the card firmware enforces that only packets with its MAC address may leave, then you can only have one IP address visible to the outside world via that card. I'm not sure why you want to run your VM server through wireless, but is it feasible to connect it by wired network to a wireless bridge device? Or get a card which doesn't have this mac restriction.
    Gleb : Thomas, are you saying everything is buggy but bridge and KVM are magically invulnerable? Take it further, use a USB WLAN adapter directly from inside the VM.
    Thomas : @Gleb: Uh... no. But one blob of code is less than three blobs of code. The less code the host runs the better. And DHCP-client and NAT processing code has historically been much buggier than bridge-code.
    From pjc50
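    The static-NAT scheme sketched in the answer above, written out as an added example (this is not code from the thread or from any of its participants). It assumes a hypothetical layout: the host's wireless card is wlan0, the VM tap devices sit on a host-only bridge br0, the LAN uses 192.168.1.0/24 and the VMs use 10.0.0.0/24, and two VMs are mapped (the MAP variable). The outside addresses are added as secondary addresses on wlan0 (the modern `ip addr add` equivalent of the `eth0:0` aliases mentioned in the answer), so the host answers ARP for them with the card's own MAC, which is exactly what the firmware restriction requires; they are static, because, as the answer notes, DHCP hands out one lease per MAC. The script prints the commands by default and only applies them when APPLY=yes, so it can be reviewed first.

```shell
#!/bin/sh
# Added example: 1:1 (static) NAT so each VM on br0 owns one address on the
# wlan0 LAN while every frame leaving the card carries the card's own MAC.
# All interface names and address ranges below are assumptions for illustration.

WLAN=${WLAN:-wlan0}   # host wireless card (outside)
BR=${BR:-br0}         # host-only bridge the VM tap devices are attached to (inside)
# inside:outside pairs, one per VM (constructed sample mapping)
MAP=${MAP:-"10.0.0.11:192.168.1.201 10.0.0.12:192.168.1.202"}

# Print the commands for one inside/outside pair (nothing is executed here).
nat_rules_for() {
    inside=$1
    outside=$2
    # Secondary address on the wlan card: host replies to ARP for it with wlan0's MAC.
    printf 'ip addr add %s/24 dev %s\n' "$outside" "$WLAN"
    # DNAT: anything arriving for the outside address is rewritten to the VM.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$WLAN" "$outside" "$inside"
    # SNAT: anything the VM sends out leaves with its own outside address,
    # not the host's primary one.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$WLAN" "$inside" "$outside"
    # Forward only the mapped pair in each direction; FORWARD policy is DROP.
    # Replace the inbound rule with '-m conntrack --ctstate ESTABLISHED,RELATED'
    # if the VM should be outbound-only rather than reachable from the LAN.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$BR" "$WLAN" "$inside"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' "$WLAN" "$BR" "$inside"
}

# Emit the complete rule set for every pair in MAP.
generate_nat_script() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -P FORWARD DROP'
    for pair in $MAP; do
        nat_rules_for "${pair%%:*}" "${pair##*:}"
    done
}

# Number of NAT-table rules generated (two per mapped VM).
count_nat_rules() {
    generate_nat_script | grep -c '^iptables -t nat'
}

# Print by default; apply (needs root) only when explicitly asked.
if [ "${APPLY:-no}" = "yes" ]; then
    generate_nat_script | sh -e
else
    generate_nat_script
fi
```

    Two caveats the thread itself raises still apply: every outside address shares one MAC, so a switch doing DHCP snooping with ARP inspection may refuse the extra addresses, and the host now has IP addresses and runs NAT/conntrack code, which is the trade-off the asker was trying to avoid.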
  • Bridging over an 802.11 network is not as straightforward as bridging over Ethernet, and it's not something a normal WiFi driver/adapter on a host would do.

    For most virtualization products, it's useful to be able to remotely manage them, so I don't think you're going to get away with not having the host have an IP address.

    If you don't configure a gateway, then the VM and your guests (if you're using NAT) won't be able to communicate with anything outside your LAN.

    Thomas : It's not straightforward because the firmware is actively blocking it. And I do get away with not having an IP on the host when I use my wired network. Bridging the guests works perfectly without NAT or the host OS having an IP address.
    : The firmware probably isn't actively blocking it. It probably lacks the functionality required to support it. Bridging over 802.11 requires using a 4-address frame (transmitter, receiver, source, destination) and requires cooperation by the AP. I should not have said "get away with". I should have said "there are benefits of being able to do remote management of the VM host."
    From
