How to Configure Open vSwitch as Gateway with iptables MASQUERADE for Virtual Machines


When working with virtual machines in VirtualBox, Open vSwitch provides a flexible way to create virtual networks. Here's how to establish the basic bridge configuration:

# Create the OVS bridge
ovs-vsctl add-br sw0

# Add tap interfaces for VM connectivity
ovs-vsctl add-port sw0 tap0
ovs-vsctl add-port sw0 tap1

Assign IP addresses to both the host and guest machines to establish connectivity:

# On the host machine (gateway)
ifconfig sw0 192.168.1.1/24 up

# On guest VM (example)
ifconfig eth0 192.168.1.2/24 up
route add default gw 192.168.1.1

The critical step is configuring NAT through iptables to allow VMs to access external networks:

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Configure MASQUERADE for outbound traffic
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

# Optional: Allow established connections back in
iptables -A FORWARD -i eth1 -o sw0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i sw0 -o eth1 -j ACCEPT

If you encounter problems where VMs can ping the host but not external networks, check these aspects:

# Verify routing on the host
ip route show

# Check NAT rules
iptables -t nat -L -n -v

# Test DNS resolution
nslookup google.com 8.8.8.8

# Verify forwarding is enabled
sysctl net.ipv4.ip_forward
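
When the VMs can reach the host but not the outside world, the usual culprit is a missing or wrongly scoped MASQUERADE or FORWARD rule. The following script is an added example (not part of the original article) that audits `iptables-save` output for the gateway rules shown above; it assumes the interface names `sw0` and `eth1` and the `192.168.1.0/24` VM subnet used on this page, and the sample rules it parses are constructed, not captured from a real host.

```python
# Constructed `iptables-save` output matching the gateway rules above (not a real capture)
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o sw0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i sw0 -o eth1 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Return {table_name: [tokenised -A rule, ...]} from iptables-save output."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line.split())
    return tables

def opt(rule, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def check_gateway(text, lan="192.168.1.0/24", wan="eth1", bridge="sw0"):
    """Audit the NAT gateway rules; returns a list of findings (empty means consistent)."""
    t = parse_rules(text)
    findings = []
    masq = [r for r in t.get("nat", []) if r[1] == "POSTROUTING" and opt(r, "-j") == "MASQUERADE"]
    if not masq:
        findings.append("no MASQUERADE rule in nat/POSTROUTING: VMs cannot reach outside")
    for r in masq:
        # An unscoped MASQUERADE rewrites every forwarded packet, not just the VM subnet
        if opt(r, "-s") != lan:
            findings.append("MASQUERADE not restricted to source " + lan)
        if opt(r, "-o") != wan:
            findings.append("MASQUERADE not restricted to outbound interface " + wan)
    fwd = [r for r in t.get("filter", []) if r[1] == "FORWARD" and opt(r, "-j") == "ACCEPT"]
    if not any(opt(r, "-i") == bridge and opt(r, "-o") == wan for r in fwd):
        findings.append("no FORWARD accept for %s -> %s" % (bridge, wan))
    # Newer iptables may save the state match as `-m conntrack --ctstate`; the token check covers both
    if not any(opt(r, "-i") == wan and opt(r, "-o") == bridge
               and "RELATED,ESTABLISHED" in r for r in fwd):
        findings.append("no FORWARD accept for established replies %s -> %s" % (wan, bridge))
    return findings

if __name__ == "__main__":
    for f in check_gateway(SAMPLE_RULES) or ["gateway rules look consistent"]:
        print(f)
```

On a real host, feed it the live ruleset with `iptables-save | python3 check_gateway.py` after replacing `SAMPLE_RULES` with `sys.stdin.read()`.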

To make these changes survive reboots:

# Add to /etc/sysctl.conf
net.ipv4.ip_forward = 1

# Save iptables rules (Ubuntu specific)
iptables-save > /etc/iptables.rules

# Add to /etc/network/interfaces
auto sw0
iface sw0 inet static
  address 192.168.1.1
  netmask 255.255.255.0
  pre-up /usr/share/openvswitch/scripts/ovs-ctl start

For more complex setups, consider these additional measures:

# Quality of Service configuration
ovs-vsctl set port tap0 qos=@newqos -- \
--id=@newqos create qos type=linux-htb \
other-config:max-rate=1000000000 queues=0=@q0 \
-- --id=@q0 create queue other-config:min-rate=1000000000

# VLAN tagging if needed
ovs-vsctl set port tap0 tag=100

When working with Open vSwitch (OVS) in a VirtualBox environment, we often need to connect virtual machines to external networks. Here's a typical scenario:

# Create OVS bridge and add tap interface
ovs-vsctl add-br sw0
ovs-vsctl add-port sw0 tap0

For the virtual machine (Lubuntu in this case):

# Set static IP on VM
ifconfig eth0 192.168.1.3/24 up
route add -net 0.0.0.0/0 gw 192.168.1.1

On the host machine (Ubuntu host):

# Configure OVS bridge IP
ifconfig sw0 192.168.1.1/24 up

The key step is setting up Network Address Translation (NAT) using iptables:

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1

# Configure masquerade rule
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

Common issues and solutions:

# Verify basic connectivity
ping 192.168.1.1  # Should work (host)
ping 8.8.8.8      # Might fail if NAT isn't working

# Check DNS resolution
nslookup google.com
dig @8.8.8.8 yahoo.com

  • Ensure your physical interface (eth1) has proper connectivity
  • Check firewall rules that might block traffic
  • Verify default routes on all systems

To make changes persist across reboots:

# Add to /etc/sysctl.conf
net.ipv4.ip_forward=1

# Save iptables rules
iptables-save > /etc/iptables.rules

Open vSwitch 2.11+ supports native NAT functionality:

ovs-vsctl set Interface sw0 options:nat-addresses="192.168.1.1"
ovs-vsctl set Controller sw0 connection-mode=out-of-band