Bridged Networking Setup

Introduction To Bridged Networking
------------------------------------------------------
Normally Xen and KVM virtual systems are configured so that they appear to be directly connected to the same LAN as the host system, and so can talk to the network without having their packets routed through the host. A bridge is typically created (`xenbr0` for Xen or `br0` for KVM), but this operates at the Ethernet level by connecting the host's real interface `eth0` with `peth` or `tap` interfaces used by virtual machines.

However, some colocation providers don't allow additional virtual systems to be directly connected to the same LAN as their hosts. Hetzner, for example, is one commonly used by Cloudmin customers that has this restriction. Also, a direct connection limits the firewalling you can do to restrict or protect virtual systems. And it requires that each virtual system have an IP address that is valid on the same LAN as the host system, which is typically a real Internet IP address.

Address Ranges for Bridged Networking
------------------------------------------------------------
The first step in setting up a network bridge is to work out the IP range that will be used by your virtual systems. Typically this is assigned by your hosting company, and includes a starting IP, ending IP and netmask. However, it is also possible to use an RFC 1918 address range like 192.168.1.1 to 192.168.1.255. In this case, you will also need to set up NAT so that your virtual systems can access the Internet.

Setting Up Bridged Networking
-----------------------------------------------
This page uses the term "bridged networking" to describe a setup in which virtual systems are connected to an additional bridge on the host, normally named `br1`. It is most commonly used with KVM, but the same principles apply to open-source Xen as well.

Bridge setup is best done before any virtual systems are created. It must be repeated on each host system, after Webmin, Cloudmin or Virtualmin is installed.

If your system runs the latest Webmin, the steps to set up a bridge are:

1. Log in to Webmin on the host system, and go to Networking -> Network Configuration -> Network Interfaces.
2. Click on the **Add a new bridge** link. The number for a new bridge should be filled in automatically.
3. Select **Static configuration**, and fill in the **IPv4 address** and **Netmask** fields. The address should be the first IP in the range you plan to use for this bridge.
4. Select **None** in the **Connect bridge to interface** field.
5. Click the **Create and Apply** button.

Otherwise you can set up a bridge on Debian or Ubuntu Linux as follows:

1. Edit the `/etc/network/interfaces` file and add a section like:

        iface br1 inet static
            address 192.168.1.1
            netmask 255.255.255.0
            broadcast 192.168.1.255
            network 192.168.1.0
            pre-up brctl addbr br1

2. Run the command `ifup br1`

Or on Red Hat, Fedora or CentOS Linux:

1. Create the file `/etc/sysconfig/network-scripts/ifcfg-br1` containing:

        BOOTPROTO=none
        MACADDR=""
        IPV6INIT=yes
        TYPE=Bridge
        DEVICE=br1
        NETMASK=255.255.255.0
        MTU=""
        BROADCAST=192.168.1.255
        IPADDR=192.168.1.1
        NETWORK=192.168.1.0
        ONBOOT=yes

2. Run the command `ifup br1`

Enabling Routing
--------------
Once the bridge has been created, you will need to make sure that your system is configured to route traffic between it and the LAN. This can be done in Webmin on the host as follows:

1. Go to Networking -> Network Configuration -> Routing and Gateways.
2. Change the **Act as router?** option to **Yes**, and click **Save**.
3. Click the **Apply Configuration** button.

If your Cloudmin master system is different from the host on which the bridge has been created, you may also need to add a static route for the bridge network with the host system as the gateway.

Enabling NAT
-----------
If your IP range is for internal use only, you should enable NAT so that virtual systems can access the Internet. Note that this will allow only outgoing connections, unless you also set up one-to-one destination NAT.

The steps to set up network address translation are:

1. Log in to Webmin on the host system, and go to Networking -> Linux Firewall.
2. If your firewall has not been set up, you will be prompted for an initial configuration. Choose NAT, with `eth0` being the external interface.
3. Otherwise, select the **Network address translation** table and add a rule in the **POSTROUTING** chain with the action set to **Masquerade** and the **Outgoing interface** set to `eth0`.
4. Click the **Apply Configuration** button.
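
To confirm from a shell what the routing and NAT steps above produced, the following script checks IPv4 forwarding and classifies the masquerade rules on the external interface. It is an added example, not part of Webmin or Cloudmin; the function names are hypothetical, and `eth0` and `192.168.1.0/24` are the assumed external interface and `br1` range. A rule reported as `unscoped` masquerades traffic from any source leaving `eth0`, not only the bridge range.

```shell
#!/bin/sh
# Added example: audit the host state that the Webmin steps above produce.
# Assumptions: eth0 is the external interface, 192.168.1.0/24 is the br1 range.
# CLI equivalents of the Webmin steps:
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Adding "-s 192.168.1.0/24" limits the rule to the bridge range.

# Succeeds when the given file (default: the live sysctl) reads "1".
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Reads `iptables-save -t nat` text on stdin; args: external interface, CIDR.
# Prints: scoped   - every MASQUERADE rule on the interface is limited to CIDR
#         unscoped - at least one rule masquerades any source (or uses "! -s")
#         missing  - no MASQUERADE rule on that interface
# The body runs in a subshell, so its variables stay local to the function.
classify_masquerade() (
    ext_if=$1 src=$2 found=0 unscoped=0
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*"-o $ext_if "*"-j MASQUERADE"*) found=1 ;;
            *) continue ;;
        esac
        case "$line" in
            *"! -s "*) unscoped=1 ;;      # negated source: not a restriction
            *" -s $src "*) ;;              # limited to the bridge range
            *) unscoped=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then echo missing
    elif [ "$unscoped" -eq 1 ]; then echo unscoped
    else echo scoped; fi
)

# Constructed sample rules (not captured from a real host).
RULE_AS_DESCRIBED='-A POSTROUTING -o eth0 -j MASQUERADE'
RULE_SCOPED='-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'

for rule in "$RULE_AS_DESCRIBED" "$RULE_SCOPED"; do
    printf '*nat\n%s\nCOMMIT\n' "$rule" | classify_masquerade eth0 192.168.1.0/24
done
if forwarding_enabled; then echo "ip_forward: on"; else echo "ip_forward: off"; fi
```

On a live host, feed it the real rules with `iptables-save -t nat | classify_masquerade eth0 192.168.1.0/24`.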

Using Bridged Networking in Cloudmin
-----------------------------------------------
Once a network bridge has been created, you can configure Cloudmin to use it on the host as follows:

1. Log in to the Cloudmin master and go to **Host Systems** -> **KVM Host Systems** and click on the host machine. If the host has not been registered yet, follow the documentation on the Setting Up KVM Virtualization page.
2. In the **IP address allocation ranges** section, enter or select the IP range for your bridged network. In the **Bridge** column, select `br1`.
3. Enter the IP address of the host system that was assigned to `br1` as the default gateway.
4. In the **Bridges on host system for KVM interfaces** field, select `br1`.
5. Click the **Save** button.