The first and simplest solution comes into my mind is to use the direct type interface (aka. macvtap). <interface type='direct'> <source dev='eth0' mode='private'/> </interface> Note: "eth0" is the active interface on the host, with internet connection. With macvtap, your VM will be in the same subnet as the host. If there is a dhcp server in this subnet, the VM will get a dhcp address. With mode as "private", it can not access the endpoints (other VMs with the same setting: direct + eth0 + private). The VM will have the same internet connectivity as its host, but the VM and host can not access each other. But other devices on the same LAN *can* access the VM and vice versa (like other hosts in the same subnet as the host). Maybe you can use firewalld rules to fine tune it. And I wonder if we block the connection from the VM to all the hosts in the same subnet, how can it access the internet as it can not access the default gateway? Another solution is to use virtual network with forward mode as "open". With this mode, libvirt will not add any rules, so users can customize how it works by their needs, this may be more complicated. Hope it helps. BR, Yalan On Fri, May 17, 2024 at 11:50 AM <imthenachoman(a)gmail.com&gt; wrote: > I want to be able to create multiple VMs for testing purposes -- > questionable websites, files that could be infected with a virus, etc. > > > I tried `NAT` mode but that let's me access the host and other devices on > the LAN. > > I tried `Isolated` mode but that doesn't give me internet access. > > I don't want to run a second VM and route traffic through it. > > I want to avoid creating FW rules on the host or VMs because I'll be > creating and destroying VMs all the time. > > And I think I need to use some kind of NAT because I don't want my router > to know/see the VMs as clients. > > What do I need to do? > >

I think such a thing can be done with macvtap. Check about using different vlans and test macvtap modes that prevent communicating with the host.

On 5/17/24 14:21, Anchal Nigam wrote: macvtap IS purely host thing. No need to set anything on the router. In fact, you'd need a special switch if you wanted two guests using macvtap on the same host to talk to each other (it's called hairpinning). Michal

But to use VLANs I would create them on my router, right? Cause I need to block the VM from accessing the host or any other device on my network/LAN.

On 5/17/24 11:16 AM, Michal Prívozník wrote: More specifially, if the macvtap interface (type='direct' in the libvirt domain XML) has   <source dev='ethX' mode='private'/> *then* that guest can only communicate with other guests connected via dev='ethX' if the traffic is hair-pinned back from the bridge that connects device 'ethX' to the physical network. But if it is   <source dev='ethX' mode='bridge'/> then that guest *can* communicate with all other guests connected to ethX. In both cases, the guests cannot communicate with the host. But even mode='private' doesn't provide the level of isolation that's being requested. You might think you could combine macvtap/private with a few iptables/nftables rules on the host that reject any forwarded traffic that has source or destination on the local network, but none of the iptables hooks works with traffic on a macvtap interface. It *is* apparently possible (although I've not tried it) to do nftables filtering of traffic on a macvtap interface by using the "netdev" ingress and egress hooks, as outlined here: https://serverfault.com/questions/1147529/applying-nftables-rules-to-macv... (it even gives an example of implementing this in a libvirt hook script, which would be necessary for you to use it with a libvirt-created macvtap interface). An alternate implementation managed entirely on the host, would be to connect the guest via a libvirt network in nat/bridge/open forward mode (to ensure that a regular tap device is used) and then use libvirt's nwfilter to create a filter that rejects all traffic to the local network, but allows everything else. Basic information about libvirt's nwfilter driver is here:   https://libvirt.org/formatnwfilter.html