Personally I'd avoid the bridge methods and add physical ports, so an additional eth card.
I'd use a combo of macvtap or vfio for each port. The host (L0) and macvtap guest (L1) are isolated; all macvtaps at L1 see each other. With extra ports the 'bridges' are external, with a switch maybe.
The extra ports can be unconfigured on the host and macvtap for a guest as emulated or virtio, or you may pass that port if possible with vfio and use the guest OS drivers directly. Same same.
So the external internet line into a dedicated eth on the firewall VM, out another dedicated eth on that VM. That line then goes directly to a host port (or switch) with macvtaps for any number of VMs, all see internet. Basically 3 ports total.
...or complexify with bridges.
Statistics: Posted by CwF — 2024-02-09 19:43
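The three-port layout CwF describes, written out as libvirt domain XML fragments (added example, not from the original post or from libvirt's own docs). Interface names (enp3s0, enp4s0, enp5s0), the PCI addresses and the domain names are assumptions; substitute what `lspci` and `ip link` show on your host. Both fragments go inside the `<devices>` element of the respective guest.

```xml
<!-- Added example, not from the original post. Host NIC names, PCI addresses
     and domain names below are assumptions.

     Firewall VM ("fw"): two dedicated physical ports, nothing else.
       WAN  = enp3s0 at PCI 0000:03:00.0, handed to the guest with VFIO
       LAN  = enp4s0, used as a macvtap; the guest OS sees a virtio NIC
     The host has no IP on either port and never routes between them. -->
<domain type='kvm'>
  <name>fw</name>
  <devices>
    <!-- WAN: VFIO passthrough. managed='yes' lets libvirt unbind the NIC from
         the host driver and bind it to vfio-pci at domain start. Needs IOMMU
         enabled (intel_iommu=on / amd_iommu=on) and the NIC alone in its
         IOMMU group, otherwise libvirt refuses to start the domain. -->
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
      </source>
    </hostdev>

    <!-- LAN: macvtap in 'bridge' mode on enp4s0 (type='direct').
         The host itself cannot talk to the guest through this port, which is
         the isolation the post relies on. This port is then cabled to the
         third host NIC below, or to a switch. -->
    <interface type='direct'>
      <source dev='enp4s0' mode='bridge'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>

<!-- Any number of client VMs ("client1", "client2", ...): one macvtap each on
     the third host port, enp5s0, which carries the firewall's LAN side.
     All macvtaps in 'bridge' mode on the same parent see each other and the
     firewall; the host (L0) stays out of the picture on enp5s0 as long as it
     gives that NIC no address. No Linux bridge is created anywhere. -->
<domain type='kvm'>
  <name>client1</name>
  <devices>
    <interface type='direct'>
      <source dev='enp5s0' mode='bridge'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
```

Two checks worth doing before trusting the isolation: `virsh dumpxml fw` should show only the hostdev and the direct interface (no `type='network'` default NAT interface left behind by the installer), and `ip addr show enp4s0 enp5s0` on the host should show no IPv4/IPv6 addresses. Note the `mode='bridge'` caveat in both directions: guests on one parent NIC see each other, which is wanted here, but the host cannot reach the firewall's LAN side over that port; if you need host management of the firewall, give it a separate path rather than adding a host address to enp5s0.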