Host network conflicting with guests network

Hi all!

I have a question about networking and haven't been able to find it online. I need to replicate a server installation in a host to be able to test a procedure but the host is on the same network as the servers so I am not able to create an isolated network on the host because there is an interface in the same range of IP addresses. Is there any way to create this isolated virtual network without it conflicting with the host's network?

Thanks in advance! Best regards, Dave.

Sent with Proton Mail secure email.

On 2024-09-17 08:05, bd730c5053df9efb via Users wrote:
> Hi all!
> I have a question about networking and haven't been able to find it online. I need to replicate a server installation in a host to be able to test a procedure but the host is on the same network as the servers so I am not able to create an isolated network on the host because there is an interface in the same range of IP addresses. Is there any way to create this isolated virtual network without it conflicting with the host's network?

My quick guess is that you have created a copy of the VM with identical MAC addresses for the NIC. Each NIC on your network needs to have a unique MAC address.

There are a few tools to generate random MAC addresses. Grab one of these and then just change the MAC address in the clone VM.

--
Alvin Starr || land: (647)478-6285
Netvel Inc. || home: (905)513-7688
alvin@netvel.net ||

On 9/17/24 10:07 AM, Alvin Starr via Users wrote:
> On 2024-09-17 08:05, bd730c5053df9efb via Users wrote:
>> Hi all!
>> I have a question about networking and haven't been able to find it online. I need to replicate a server installation in a host to be able to test a procedure but the host is on the same network as the servers so I am not able to create an isolated network on the host because there is an interface in the same range of IP addresses. Is there any way to create this isolated virtual network without it conflicting with the host's network?
> My quick guess is that you have created a copy of the VM with identical MAC addresses for the NIC. Each NIC on your network needs to have a unique MAC address.
> There are a few tools to generate random MAC addresses. Grab one of these and then just change the MAC address in the clone VM.

If that is the problem (it wasn't clear from the original message exactly what the problem was), then it can be solved by simply editing the config of the guest (with "virsh edit $guestname") and removing the <mac address='blah'/> element from the <interface>. As soon as you save that config, libvirt will see that there is no MAC address, and automatically generate a random address within 52:54:00:*.

Hi! Thanks for the reply and I'm sorry if my question wasn't clear enough.

I have a network, let's say 192.168.0.0/24, and two servers 192.168.0.1 and 192.168.0.2. On this same network I have a workstation, let's call it 192.168.0.100, which is running libvirt using qemu for the emulation. This workstation has a network device called br0 which has the IP address 192.168.0.100 and when I try to create an isolated network which is also on the 192.168.0.0/24 range I get an error stating that this range is already in use on the host. I need to be able to recreate an absolutely isolated network in the 192.168.0.0/24 range to be able to copy the servers 192.168.0.1 and 192.168.0.2 in here and perform the tests I need.

I hope I've been able to clarify.

Thanks in advance! Best regards, Dave.

Sent with [Proton Mail](https://proton.me/) secure email.

On Tuesday, September 17th, 2024 at 11:07, Alvin Starr via Users <users@lists.libvirt.org> wrote:
> On 2024-09-17 08:05, bd730c5053df9efb via Users wrote:
>> Hi all!
>> I have a question about networking and haven't been able to find it online. I need to replicate a server installation in a host to be able to test a procedure but the host is on the same network as the servers so I am not able to create an isolated network on the host because there is an interface in the same range of IP addresses. Is there any way to create this isolated virtual network without it conflicting with the host's network?
> My quick guess is that you have created a copy of the VM with identical MAC addresses for the NIC. Each NIC on your network needs to have a unique MAC address.
> There are a few tools to generate random MAC addresses. Grab one of these and then just change the MAC address in the clone VM.
> --
> Alvin Starr || land: (647)478-6285
> Netvel Inc. || home: (905)513-7688
> alvin@netvel.net ||

On 9/17/24 12:27 PM, bd730c5053df9efb via Users wrote:
> Hi! Thanks for the reply and I'm sorry if my question wasn't clear enough.
> I have a network, let's say 192.168.0.0/24, and two servers 192.168.0.1 and 192.168.0.2. On this same network I have a workstation, let's call it 192.168.0.100, which is running libvirt using qemu for the emulation. This workstation has a network device called br0 which has the IP address 192.168.0.100 and when I try to create an isolated network which is also on the 192.168.0.0/24 range I get an error stating that this range is already in use on the host. I need to be able to recreate an absolutely isolated network in the 192.168.0.0/24 range to be able to copy the servers 192.168.0.1 and 192.168.0.2 in here and perform the tests I need.
> I hope I've been able to clarify.

Yep! That was one of my guesses, but I didn't want to assume anything :-).

The most straightforward solution to what you're talking about requires the libvirt network to be in a separate network namespace. This is an idea I've thought about in the past, but haven't done anything for it, and nobody else has either, so it's unfortunately not supported by libvirt (as always, patches welcome :-)

Although... if the tests you need to perform involve having your workstation (192.168.0.100 in your example) interact with the servers at 192.168.0.1 & .2, then you're going to have to disconnect your workstation from the physical network for the duration of the test anyway.

So here's a solution if those are the parameters (and even if you just need the two servers to communicate with each other and nothing else):

If it's just the two test servers and the workstation that need to be able to interact during your test, and the workstation won't need to directly contact any other machine on the 192.168.0.0/24 network, then you could probably rig up a solution with a small consumer router - just insert the router in between the workstation and the *real* 192.168.0.0/24 network with the "internet" side towards that network and the "local" side plugged into the workstation, with the router configured to do NAT and use a local-side subnet of, say, 192.168.1.0/24, and get a new IP address for the workstation from that subnet (either automatically with DHCP, or by manually setting it to, e.g. 192.168.1.100/24). Then create an isolated network similar to this:

https://www.libvirt.org/formatnetwork.html#isolated-network-config

but with the IP address set to 192.168.0.100. Now you can configure your test servers to connect their interface to this isolated network.

With this setup, the workstation will still be able to get to the internet (except for the *real* 192.168.0.0/24 subnet) via its connection to the router, and also will be able to interact with the test servers via the isolated network that you created.

When you're done with your tests, just shut down the two test VMs (with their own internal shutdown command, possibly followed by "virsh destroy" if the qemu processes aren't automatically terminated by the shutdown) then "virsh net-destroy" the isolated network (you can leave it defined so that it's simple to do the test again later), and plug the workstation directly into the real network again (updating its IP address if necessary).

Does that make sense, or is it too much rambling?

On Tuesday, September 17th, 2024 at 17:27, Laine Stump <laine@redhat.com> wrote:
> On 9/17/24 12:27 PM, bd730c5053df9efb via Users wrote:
>> Hi! Thanks for the reply and I'm sorry if my question wasn't clear enough.
>> I have a network, let's say 192.168.0.0/24, and two servers 192.168.0.1 and 192.168.0.2. On this same network I have a workstation, let's call it 192.168.0.100, which is running libvirt using qemu for the emulation. This workstation has a network device called br0 which has the IP address 192.168.0.100 and when I try to create an isolated network which is also on the 192.168.0.0/24 range I get an error stating that this range is already in use on the host. I need to be able to recreate an absolutely isolated network in the 192.168.0.0/24 range to be able to copy the servers 192.168.0.1 and 192.168.0.2 in here and perform the tests I need.
>> I hope I've been able to clarify.
> Yep! That was one of my guesses, but I didn't want to assume anything :-).
> The most straightforward solution to what you're talking about requires the libvirt network to be in a separate network namespace. This is an idea I've thought about in the past, but haven't done anything for it, and nobody else has either, so it's unfortunately not supported by libvirt (as always, patches welcome :-)
> Although... if the tests you need to perform involve having your workstation (192.168.0.100 in your example) interact with the servers at 192.168.0.1 & .2, then you're going to have to disconnect your workstation from the physical network for the duration of the test anyway.
> So here's a solution if those are the parameters (and even if you just need the two servers to communicate with each other and nothing else):
> If it's just the two test servers and the workstation that need to be able to interact during your test, and the workstation won't need to directly contact any other machine on the 192.168.0.0/24 network, then you could probably rig up a solution with a small consumer router - just insert the router in between the workstation and the real 192.168.0.0/24 network with the "internet" side towards that network and the "local" side plugged into the workstation, with the router configured to do NAT and use a local-side subnet of, say, 192.168.1.0/24, and get a new IP address for the workstation from that subnet (either automatically with DHCP, or by manually setting it to, e.g. 192.168.1.100/24). Then create an isolated network similar to this:
> https://www.libvirt.org/formatnetwork.html#isolated-network-config
> but with the IP address set to 192.168.0.100. Now you can configure your test servers to connect their interface to this isolated network.
> With this setup, the workstation will still be able to get to the internet (except for the real 192.168.0.0/24 subnet) via its connection to the router, and also will be able to interact with the test servers via the isolated network that you created.
> When you're done with your tests, just shut down the two test VMs (with their own internal shutdown command, possibly followed by "virsh destroy" if the qemu processes aren't automatically terminated by the shutdown) then "virsh net-destroy" the isolated network (you can leave it defined so that it's simple to do the test again later), and plug the workstation directly into the real network again (updating its IP address if necessary).
> Does that make sense, or is it too much rambling?

Hi Laine! Thank you very much for your answer, it does make perfect sense but my use case is much simpler. The two servers are two Samba 4 AD domain controllers and I have to demote one of them, remove it from the net and then add another one with the same IP address as the demoted one. All the test is between these two servers, the host workstation doesn't get involved in this test and I can't change their IP addresses. I had considered creating an isolated network in the 192.168.1.0/24 address space and keeping the manually set address on the servers in the 192.168.0.0/24 address space but I'm not quite sure that will work. If I needed to test a workstation I could add to the test another guest workstation also in the 192.168.0.0/24 address space, but it won't be the host.

Thanks again. Best regards, Dave.

On Wednesday, September 18th, 2024 at 12:39, bd730c5053df9efb via Users <users@lists.libvirt.org> wrote:
> On Tuesday, September 17th, 2024 at 17:27, Laine Stump <laine@redhat.com> wrote:
>> On 9/17/24 12:27 PM, bd730c5053df9efb via Users wrote:
>>> Hi! Thanks for the reply and I'm sorry if my question wasn't clear enough.
>>> I have a network, let's say 192.168.0.0/24, and two servers 192.168.0.1 and 192.168.0.2. On this same network I have a workstation, let's call it 192.168.0.100, which is running libvirt using qemu for the emulation. This workstation has a network device called br0 which has the IP address 192.168.0.100 and when I try to create an isolated network which is also on the 192.168.0.0/24 range I get an error stating that this range is already in use on the host. I need to be able to recreate an absolutely isolated network in the 192.168.0.0/24 range to be able to copy the servers 192.168.0.1 and 192.168.0.2 in here and perform the tests I need.
>>> I hope I've been able to clarify.
>> Yep! That was one of my guesses, but I didn't want to assume anything :-).
>> The most straightforward solution to what you're talking about requires the libvirt network to be in a separate network namespace. This is an idea I've thought about in the past, but haven't done anything for it, and nobody else has either, so it's unfortunately not supported by libvirt (as always, patches welcome :-)
>> Although... if the tests you need to perform involve having your workstation (192.168.0.100 in your example) interact with the servers at 192.168.0.1 & .2, then you're going to have to disconnect your workstation from the physical network for the duration of the test anyway.
>> So here's a solution if those are the parameters (and even if you just need the two servers to communicate with each other and nothing else):
>> If it's just the two test servers and the workstation that need to be able to interact during your test, and the workstation won't need to directly contact any other machine on the 192.168.0.0/24 network, then you could probably rig up a solution with a small consumer router - just insert the router in between the workstation and the real 192.168.0.0/24 network with the "internet" side towards that network and the "local" side plugged into the workstation, with the router configured to do NAT and use a local-side subnet of, say, 192.168.1.0/24, and get a new IP address for the workstation from that subnet (either automatically with DHCP, or by manually setting it to, e.g. 192.168.1.100/24). Then create an isolated network similar to this:
>> https://www.libvirt.org/formatnetwork.html#isolated-network-config
>> but with the IP address set to 192.168.0.100. Now you can configure your test servers to connect their interface to this isolated network.
>> With this setup, the workstation will still be able to get to the internet (except for the real 192.168.0.0/24 subnet) via its connection to the router, and also will be able to interact with the test servers via the isolated network that you created.
>> When you're done with your tests, just shut down the two test VMs (with their own internal shutdown command, possibly followed by "virsh destroy" if the qemu processes aren't automatically terminated by the shutdown) then "virsh net-destroy" the isolated network (you can leave it defined so that it's simple to do the test again later), and plug the workstation directly into the real network again (updating its IP address if necessary).
>> Does that make sense, or is it too much rambling?
> Hi Laine! Thank you very much for your answer, it does make perfect sense but my use case is much simpler. The two servers are two Samba 4 AD domain controllers and I have to demote one of them, remove it from the net and then add another one with the same IP address as the demoted one. All the test is between these two servers, the host workstation doesn't get involved in this test and I can't change their IP addresses. I had considered creating an isolated network in the 192.168.1.0/24 address space and keeping the manually set address on the servers in the 192.168.0.0/24 address space but I'm not quite sure that will work. If I needed to test a workstation I could add to the test another guest workstation also in the 192.168.0.0/24 address space, but it won't be the host.
> Thanks again. Best regards, Dave.

Hi all! As a follow-up to my own mail. I was able to test the procedure creating an isolated network in the 192.168.1.0/24 address space and placing in there the replica of the two Samba AD DC servers with their IP addresses fixed in the 192.168.0.0/24 address space and the servers were able to contact each other but were completely isolated from the host and the 192.168.0.0/24 physical network.

Best regards! Dave.

On 9/18/24 11:39 AM, bd730c5053df9efb via Users wrote:
> Hi Laine! Thank you very much for your answer, it does make perfect sense but my use case is much simpler. The two servers are two Samba 4 AD domain controllers and I have to demote one of them, remove it from the net and then add another one with the same IP address as the demoted one. All the test is between these two servers, the host workstation doesn't get involved in this test and I can't change their IP addresses. I had considered creating an isolated network in the 192.168.1.0/24 address space and keeping the manually set address on the servers in the 192.168.0.0/24 address space but I'm not quite sure that will work. If I needed to test a workstation I could add to the test another guest workstation also in the 192.168.0.0/24 address space, but it won't be the host.

Well, if the two servers have statically configured IP addresses (which I guess they do, since they're servers :-P) then you can create a "very isolated" network, which is a network that has no <ip> section at all.

Then the guests can communicate with each other (IPv4 only, there is another attribute that needs to be added to enable IPv6 in this case) but can't get to the host (or beyond, of course). Keep in mind that means they also won't have access to other infrastructure things, e.g. the DNS server.

https://libvirt.org/formatnetwork.html#network-config-with-no-gateway-addres...

(Sorry if the "addresses" after the final - is split to the next line. My email client autowraps everything, and I've never found a simple way to turn it off :-))
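
The "very isolated" network described in the message above, as an added example that is not part of the original thread: a POSIX shell helper that defines a libvirt network with no <forward> and no <ip> element, and checks from "virsh domiflist" output that each cloned guest has no NIC left on another source such as br0. The network name `dclab`, the bridge name `virbr-dclab` and the guest names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. NET, BRIDGE and guest names are hypothetical.
NET=${NET:-dclab}
BRIDGE=${BRIDGE:-virbr-dclab}

# Network XML with no <forward> (nothing is routed off the bridge) and no <ip>
# (the host gets no address on the bridge and no DHCP is served), so the
# guests' static 192.168.0.x addresses cannot clash with the host's br0.
net_xml() {
    cat <<EOF
<network>
  <name>$1</name>
  <bridge name='$2' stp='on' delay='0'/>
</network>
EOF
}

# Read "virsh domiflist" output on stdin; succeed only if the guest has at
# least one NIC and every NIC is of type "network" with source $1.
guest_isolated() {
    awk -v net="$1" '
        $1 == "Interface" || NF < 5 { next }   # header, rule, blank lines
        { nics++; if ($2 != "network" || $3 != net) bad++ }
        END { exit !(nics > 0 && bad == 0) }
    '
}

# Define and start the network from a temporary XML file.
lab_up() {
    xml=$(mktemp) || return 1
    net_xml "$NET" "$BRIDGE" > "$xml"
    virsh net-define "$xml" && virsh net-start "$NET"
    rc=$?
    rm -f "$xml"
    return "$rc"
}

# Stop at the first guest that still has a NIC on another network or bridge:
# a clone left on br0 would sit on the real 192.168.0.0/24 with a duplicate address.
lab_check() {
    for dom in "$@"; do
        if virsh domiflist "$dom" | guest_isolated "$NET"; then
            echo "$dom: all NICs on $NET"
        else
            echo "$dom: NIC outside $NET, fix with: virsh edit $dom" >&2
            return 1
        fi
    done
}

case "${1:-}" in
    up)    lab_up ;;
    check) shift; lab_check "$@" ;;
    down)  virsh net-destroy "$NET" ;;   # network stays defined for the next run
esac
```

Run it with `up`, then `check` followed by the clone names before starting them, and `down` when the test is finished. Moving a clone's NIC onto the network means changing its <interface> to type='network' with <source network='dclab'/> in "virsh edit".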

On Thursday, September 19th, 2024 at 13:20, Laine Stump <laine@redhat.com> wrote:
> On 9/18/24 11:39 AM, bd730c5053df9efb via Users wrote:
>> Hi Laine! Thank you very much for your answer, it does make perfect sense but my use case is much simpler. The two servers are two Samba 4 AD domain controllers and I have to demote one of them, remove it from the net and then add another one with the same IP address as the demoted one. All the test is between these two servers, the host workstation doesn't get involved in this test and I can't change their IP addresses. I had considered creating an isolated network in the 192.168.1.0/24 address space and keeping the manually set address on the servers in the 192.168.0.0/24 address space but I'm not quite sure that will work. If I needed to test a workstation I could add to the test another guest workstation also in the 192.168.0.0/24 address space, but it won't be the host.
> Well, if the two servers have statically configured IP addresses (which I guess they do, since they're servers :-P) then you can create a "very isolated" network, which is a network that has no <ip> section at all.
> Then the guests can communicate with each other (IPv4 only, there is another attribute that needs to be added to enable IPv6 in this case) but can't get to the host (or beyond, of course). Keep in mind that means they also won't have access to other infrastructure things, e.g. the DNS server.
> https://libvirt.org/formatnetwork.html#network-config-with-no-gateway-addres...
> (Sorry if the "addresses" after the final - is split to the next line. My email client autowraps everything, and I've never found a simple way to turn it off :-))

Hi Laine! Again thank you very much for your response! This answer is great! It's exactly what I was needing! I've read https://libvirt.org/formatnetwork.html several times but I've never noticed that last section, sorry about that. In this case as the servers are AD DC controllers they are DNS servers so no need to have them query an outside DNS server and all the prep work which required getting things from the internet was done previously so as I said, this is exactly what I needed.

Thank you very much! Best regards, Dave.
participants (3)
- Alvin Starr
- bd730c5053df9efb
- Laine Stump