Managing Virtual Machine Networks on Alpine Linux 🌐

Virtual machine networking is crucial for creating functional virtualized environments. This comprehensive guide will help you master VM networking on Alpine Linux, covering everything from basic bridging to complex multi-tenant network configurations.

Table of Contents

• Prerequisites
• Understanding VM Networking
• Installing Network Tools
• Bridge Network Configuration
• NAT Network Setup
• Host-Only Networks
• VLAN Configuration
• Open vSwitch Setup
• Network Isolation and Security
• Performance Optimization
• Advanced Routing
• Network Monitoring
• Multi-Host Networking
• Troubleshooting
• Best Practices
• Conclusion

Prerequisites

Before configuring VM networks, ensure you have:

• Alpine Linux with virtualization installed (KVM/QEMU)
• Root or sudo access
• Multiple network interfaces (recommended)
• Basic understanding of networking concepts
• libvirt installed and running
• At least 4GB RAM for testing

Understanding VM Networking

Network Types Overview

# Check current network configuration
ip addr show
ip route show
brctl show
virsh net-list --all

Common VM network types:

• Bridge: Direct connection to physical network
• NAT: Network Address Translation for internet access
• Host-only: Isolated network between VMs and host
• VLAN: Virtual LAN for network segmentation
• Overlay: Advanced software-defined networking

Installing Network Tools

Step 1: Install Essential Packages

# Update package repository
apk update

# Install networking tools
apk add bridge-utils iproute2 iptables
apk add vlan tcpdump netcat-openbsd
apk add dnsmasq dhcp-server

# Install advanced tools
apk add openvswitch wireguard-tools
apk add bird keepalived conntrack-tools

Step 2: Enable IP Forwarding

# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf
sysctl -p

# Verify forwarding enabled
cat /proc/sys/net/ipv4/ip_forward

Bridge Network Configuration

Step 1: Create Network Bridge

# Configure bridge interface
cat > /etc/network/interfaces << 'EOF'
# Loopback interface
auto lo
iface lo inet loopback

# Physical interface (no IP assignment)
auto eth0
iface eth0 inet manual
    up ip link set $IFACE up
    down ip link set $IFACE down

# Bridge interface
auto br0
iface br0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    dns-nameservers 8.8.8.8 8.8.4.4
EOF

# Restart networking
rc-service networking restart

# Verify bridge creation
brctl show

Step 2: Configure libvirt Bridge Network

# Create bridge network XML
cat > /tmp/bridge-network.xml << 'EOF'
<network>
  <name>br0</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>
EOF

# Define and start network
virsh net-define /tmp/bridge-network.xml
virsh net-start br0
virsh net-autostart br0

# List networks
virsh net-list --all

Step 3: Advanced Bridge Configuration

# Create bridge with custom settings
cat > /usr/local/bin/create-vm-bridge << 'EOF'
#!/bin/sh
# Create VM bridge with advanced settings

BRIDGE_NAME=${1:-vmbr0}
BRIDGE_IP=${2:-192.168.100.1/24}
PHYSICAL_IF=${3:-eth1}

# Create bridge
ip link add name $BRIDGE_NAME type bridge
ip link set $BRIDGE_NAME up

# Configure bridge parameters
echo 0 > /sys/class/net/$BRIDGE_NAME/bridge/stp_state
echo 0 > /sys/class/net/$BRIDGE_NAME/bridge/forward_delay
echo 1 > /sys/class/net/$BRIDGE_NAME/bridge/multicast_snooping

# Add physical interface to bridge
ip link set $PHYSICAL_IF master $BRIDGE_NAME
ip link set $PHYSICAL_IF up

# Assign IP to bridge
ip addr add $BRIDGE_IP dev $BRIDGE_NAME

# Enable promiscuous mode
ip link set $PHYSICAL_IF promisc on

echo "Bridge $BRIDGE_NAME created successfully"
EOF

chmod +x /usr/local/bin/create-vm-bridge

NAT Network Setup

Step 1: Configure NAT Network

# Create NAT network configuration
cat > /tmp/nat-network.xml << 'EOF'
<network>
  <name>natnet</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:12:34:56'/>
  <domain name='vm.local'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
      <host mac='52:54:00:12:34:67' name='vm1' ip='192.168.122.10'/>
      <host mac='52:54:00:12:34:68' name='vm2' ip='192.168.122.11'/>
    </dhcp>
  </ip>
  <ip family='ipv6' address='fd00:dead:beef:55::1' prefix='64'>
    <dhcp>
      <range start='fd00:dead:beef:55::100' end='fd00:dead:beef:55::1ff'/>
    </dhcp>
  </ip>
</network>
EOF

# Create network
virsh net-define /tmp/nat-network.xml
virsh net-start natnet
virsh net-autostart natnet

Step 2: Custom NAT Configuration

# Manual NAT setup script
cat > /usr/local/bin/setup-nat-network << 'EOF'
#!/bin/sh
# Setup NAT network for VMs

BRIDGE="virbr-nat"
NETWORK="10.0.0.0/24"
GATEWAY="10.0.0.1"
DHCP_START="10.0.0.100"
DHCP_END="10.0.0.200"

# Create bridge
ip link add $BRIDGE type bridge
ip addr add $GATEWAY/24 dev $BRIDGE
ip link set $BRIDGE up

# Setup NAT
iptables -t nat -A POSTROUTING -s $NETWORK -j MASQUERADE
iptables -A FORWARD -i $BRIDGE -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o $BRIDGE -m state --state RELATED,ESTABLISHED -j ACCEPT

# Configure dnsmasq for DHCP
cat > /etc/dnsmasq.d/$BRIDGE.conf << EOC
interface=$BRIDGE
bind-interfaces
dhcp-range=$DHCP_START,$DHCP_END,12h
dhcp-option=option:router,$GATEWAY
dhcp-option=option:dns-server,$GATEWAY,8.8.8.8
dhcp-authoritative
EOC

# Restart dnsmasq
rc-service dnsmasq restart

echo "NAT network configured on $BRIDGE"
EOF

chmod +x /usr/local/bin/setup-nat-network

Step 3: Port Forwarding

# Create port forwarding script
cat > /usr/local/bin/vm-port-forward << 'EOF'
#!/bin/sh
# Port forwarding for VMs

ACTION=$1
HOST_PORT=$2
VM_IP=$3
VM_PORT=$4

if [ "$#" -ne 4 ]; then
    echo "Usage: $0 <add|remove> <host-port> <vm-ip> <vm-port>"
    exit 1
fi

case $ACTION in
    add)
        # Add port forwarding
        iptables -t nat -A PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $VM_IP:$VM_PORT
        iptables -A FORWARD -p tcp -d $VM_IP --dport $VM_PORT -j ACCEPT
        echo "Port forwarding added: $HOST_PORT -> $VM_IP:$VM_PORT"
        ;;
    remove)
        # Remove port forwarding
        iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $VM_IP:$VM_PORT
        iptables -D FORWARD -p tcp -d $VM_IP --dport $VM_PORT -j ACCEPT
        echo "Port forwarding removed: $HOST_PORT -> $VM_IP:$VM_PORT"
        ;;
    *)
        echo "Invalid action. Use 'add' or 'remove'"
        exit 1
        ;;
esac

# Save iptables rules
/etc/init.d/iptables save
EOF

chmod +x /usr/local/bin/vm-port-forward

Host-Only Networks

Step 1: Create Isolated Network

# Create host-only network
cat > /tmp/hostonly-network.xml << 'EOF'
<network>
  <name>hostonly</name>
  <bridge name='virbr2' stp='on' delay='0'/>
  <mac address='52:54:00:22:33:44'/>
  <ip address='192.168.50.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.50.10' end='192.168.50.100'/>
    </dhcp>
  </ip>
</network>
EOF

virsh net-define /tmp/hostonly-network.xml
virsh net-start hostonly
virsh net-autostart hostonly

# Block external access
iptables -I FORWARD -i virbr2 -o eth0 -j REJECT
iptables -I FORWARD -i eth0 -o virbr2 -j REJECT

Step 2: Inter-VM Communication Only

# Create strict isolation script
cat > /usr/local/bin/create-isolated-network << 'EOF'
#!/bin/sh
# Create completely isolated VM network

NETWORK_NAME=$1
BRIDGE_NAME=${2:-virbr-isolated}
SUBNET=${3:-172.16.0.0/24}

# Create network XML
cat > /tmp/${NETWORK_NAME}.xml << EOX
<network>
  <name>${NETWORK_NAME}</name>
  <bridge name='${BRIDGE_NAME}'/>
  <ip address='${SUBNET%.*}.1' netmask='255.255.255.0'/>
</network>
EOX

# Define network
virsh net-define /tmp/${NETWORK_NAME}.xml
virsh net-start ${NETWORK_NAME}
virsh net-autostart ${NETWORK_NAME}

# Strict isolation rules
iptables -A FORWARD -i ${BRIDGE_NAME} -o ${BRIDGE_NAME} -j ACCEPT
iptables -A FORWARD -i ${BRIDGE_NAME} -j DROP
iptables -A FORWARD -o ${BRIDGE_NAME} -j DROP

echo "Isolated network ${NETWORK_NAME} created"
EOF

chmod +x /usr/local/bin/create-isolated-network

VLAN Configuration

Step 1: Enable VLAN Support

# Load VLAN module
modprobe 8021q
echo "8021q" >> /etc/modules

# Install VLAN tools
apk add vlan

Step 2: Create VLAN Interfaces

# Configure VLANs
cat >> /etc/network/interfaces << 'EOF'

# VLAN 10 - Production
auto eth0.10
iface eth0.10 inet manual
    vlan-raw-device eth0

auto vmbr10
iface vmbr10 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge_ports eth0.10
    bridge_stp off
    bridge_fd 0

# VLAN 20 - Development
auto eth0.20
iface eth0.20 inet manual
    vlan-raw-device eth0

auto vmbr20
iface vmbr20 inet static
    address 10.20.20.1
    netmask 255.255.255.0
    bridge_ports eth0.20
    bridge_stp off
    bridge_fd 0

# VLAN 30 - Management
auto eth0.30
iface eth0.30 inet manual
    vlan-raw-device eth0

auto vmbr30
iface vmbr30 inet static
    address 10.30.30.1
    netmask 255.255.255.0
    bridge_ports eth0.30
    bridge_stp off
    bridge_fd 0
EOF

# Restart networking
rc-service networking restart

Step 3: VLAN-aware Bridge

# Create VLAN-aware bridge configuration
cat > /usr/local/bin/setup-vlan-bridge << 'EOF'
#!/bin/sh
# Setup VLAN-aware bridge

BRIDGE="vmbr-vlan"
TRUNK_PORT="eth1"

# Create bridge
ip link add $BRIDGE type bridge vlan_filtering 1
ip link set $BRIDGE up

# Add trunk port
ip link set $TRUNK_PORT master $BRIDGE
ip link set $TRUNK_PORT up

# Configure VLANs on bridge
bridge vlan add dev $BRIDGE vid 10 self
bridge vlan add dev $BRIDGE vid 20 self
bridge vlan add dev $BRIDGE vid 30 self

# Allow all VLANs on trunk
bridge vlan add dev $TRUNK_PORT vid 10-30

# Create VLAN interfaces for host access
ip link add link $BRIDGE name ${BRIDGE}.10 type vlan id 10
ip link add link $BRIDGE name ${BRIDGE}.20 type vlan id 20
ip link add link $BRIDGE name ${BRIDGE}.30 type vlan id 30

# Assign IPs
ip addr add 10.10.10.1/24 dev ${BRIDGE}.10
ip addr add 10.20.20.1/24 dev ${BRIDGE}.20
ip addr add 10.30.30.1/24 dev ${BRIDGE}.30

# Bring up interfaces
ip link set ${BRIDGE}.10 up
ip link set ${BRIDGE}.20 up
ip link set ${BRIDGE}.30 up

echo "VLAN-aware bridge configured"
EOF

chmod +x /usr/local/bin/setup-vlan-bridge

Open vSwitch Setup

Step 1: Install Open vSwitch

# Install OVS
apk add openvswitch

# Enable and start OVS
rc-update add ovsdb-server default
rc-update add ovs-vswitchd default
rc-service ovsdb-server start
rc-service ovs-vswitchd start

# Initialize OVS database
ovs-vsctl --no-wait init

Step 2: Configure OVS Bridge

# Create OVS bridge
ovs-vsctl add-br ovsbr0

# Add physical interface
ovs-vsctl add-port ovsbr0 eth1

# Configure IP on bridge
ip addr add 192.168.200.1/24 dev ovsbr0
ip link set ovsbr0 up

# Create internal ports for VMs
ovs-vsctl add-port ovsbr0 vm1 -- set interface vm1 type=internal
ovs-vsctl add-port ovsbr0 vm2 -- set interface vm2 type=internal

Step 3: Advanced OVS Features

# Create OVS configuration script
cat > /usr/local/bin/ovs-vm-network << 'EOF'
#!/bin/sh
# Advanced OVS network configuration

# Create production network with QoS
setup_prod_network() {
    # Create bridge
    ovs-vsctl add-br ovs-prod
    
    # Add VLANs
    ovs-vsctl add-port ovs-prod eth1 trunk=10,20,30
    
    # Configure QoS
    ovs-vsctl set port eth1 qos=@newqos -- \
        --id=@newqos create qos type=linux-htb \
        other-config:max-rate=1000000000 \
        queues:10=@q10 queues:20=@q20 -- \
        --id=@q10 create queue other-config:max-rate=500000000 -- \
        --id=@q20 create queue other-config:max-rate=300000000
}

# Create isolated tenant networks
create_tenant_network() {
    TENANT_ID=$1
    VLAN_ID=$2
    SUBNET=$3
    
    # Create namespace
    ip netns add tenant-$TENANT_ID
    
    # Create OVS port
    ovs-vsctl add-port ovs-prod veth-$TENANT_ID tag=$VLAN_ID \
        -- set interface veth-$TENANT_ID type=internal
    
    # Move to namespace
    ip link set veth-$TENANT_ID netns tenant-$TENANT_ID
    
    # Configure IP in namespace
    ip netns exec tenant-$TENANT_ID ip addr add ${SUBNET}.1/24 dev veth-$TENANT_ID
    ip netns exec tenant-$TENANT_ID ip link set veth-$TENANT_ID up
    
    echo "Tenant network $TENANT_ID created on VLAN $VLAN_ID"
}

# Flow-based routing
setup_flow_routing() {
    # Drop all by default
    ovs-ofctl add-flow ovs-prod priority=0,actions=drop
    
    # Allow DHCP
    ovs-ofctl add-flow ovs-prod priority=100,udp,tp_src=68,tp_dst=67,actions=normal
    ovs-ofctl add-flow ovs-prod priority=100,udp,tp_src=67,tp_dst=68,actions=normal
    
    # Allow established connections
    ovs-ofctl add-flow ovs-prod priority=50,tcp,tcp_flags=+ack,actions=normal
    
    # Custom routing rules
    ovs-ofctl add-flow ovs-prod priority=60,ip,nw_src=10.10.10.0/24,nw_dst=10.20.20.0/24,actions=normal
    ovs-ofctl add-flow ovs-prod priority=60,ip,nw_src=10.20.20.0/24,nw_dst=10.10.10.0/24,actions=normal
}

# Main execution
case "$1" in
    setup)
        setup_prod_network
        ;;
    tenant)
        create_tenant_network $2 $3 $4
        ;;
    flows)
        setup_flow_routing
        ;;
    *)
        echo "Usage: $0 {setup|tenant <id> <vlan> <subnet>|flows}"
        ;;
esac
EOF

chmod +x /usr/local/bin/ovs-vm-network

Network Isolation and Security

Step 1: Network Segmentation

# Create security zones
cat > /usr/local/bin/create-security-zones << 'EOF'
#!/bin/sh
# Create network security zones for VMs

# DMZ Network
create_dmz_network() {
    virsh net-define << EOX
<network>
  <name>dmz</name>
  <forward mode='nat'/>
  <bridge name='virbr-dmz' stp='on' delay='0'/>
  <ip address='10.0.1.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.0.1.10' end='10.0.1.50'/>
    </dhcp>
  </ip>
</network>
EOX
    
    virsh net-start dmz
    virsh net-autostart dmz
    
    # DMZ firewall rules
    iptables -A FORWARD -i virbr-dmz -o virbr-dmz -j DROP
    iptables -A FORWARD -i virbr-dmz -o eth0 -p tcp --dport 80,443 -j ACCEPT
    iptables -A FORWARD -i virbr-dmz -o eth0 -j DROP
}

# Internal Network
create_internal_network() {
    virsh net-define << EOX
<network>
  <name>internal</name>
  <bridge name='virbr-int' stp='on' delay='0'/>
  <ip address='10.0.2.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.0.2.10' end='10.0.2.100'/>
    </dhcp>
  </ip>
</network>
EOX
    
    virsh net-start internal
    virsh net-autostart internal
    
    # Internal network can access DMZ but not internet
    iptables -A FORWARD -i virbr-int -o virbr-dmz -j ACCEPT
    iptables -A FORWARD -i virbr-dmz -o virbr-int -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i virbr-int -o eth0 -j DROP
}

# Management Network
create_management_network() {
    virsh net-define << EOX
<network>
  <name>management</name>
  <bridge name='virbr-mgmt' stp='on' delay='0'/>
  <ip address='10.0.3.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.0.3.10' end='10.0.3.20'/>
    </dhcp>
  </ip>
</network>
EOX
    
    virsh net-start management
    virsh net-autostart management
    
    # Management network has full access
    iptables -A FORWARD -i virbr-mgmt -j ACCEPT
    iptables -A FORWARD -o virbr-mgmt -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Create all zones
create_dmz_network
create_internal_network
create_management_network

echo "Security zones created successfully"
EOF

chmod +x /usr/local/bin/create-security-zones

Step 2: Microsegmentation

# Create microsegmentation rules
cat > /usr/local/bin/vm-microsegmentation << 'EOF'
#!/bin/sh
# VM microsegmentation with iptables

VM_NAME=$1
VM_IP=$2
ALLOWED_PORTS=$3
ALLOWED_SOURCES=$4

if [ -z "$VM_IP" ]; then
    echo "Usage: $0 <vm-name> <vm-ip> <allowed-ports> <allowed-sources>"
    echo "Example: $0 webserver 10.0.1.10 80,443 10.0.2.0/24"
    exit 1
fi

# Create custom chain for VM
iptables -N VM_${VM_NAME} 2>/dev/null

# Default drop
iptables -A VM_${VM_NAME} -j DROP

# Allow established connections
iptables -I VM_${VM_NAME} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow specific ports
IFS=',' read -ra PORTS <<< "$ALLOWED_PORTS"
for port in "${PORTS[@]}"; do
    iptables -I VM_${VM_NAME} -p tcp --dport $port -j ACCEPT
done

# Allow from specific sources
if [ -n "$ALLOWED_SOURCES" ]; then
    IFS=',' read -ra SOURCES <<< "$ALLOWED_SOURCES"
    for src in "${SOURCES[@]}"; do
        iptables -I VM_${VM_NAME} -s $src -j ACCEPT
    done
fi

# Apply chain to VM traffic
iptables -A FORWARD -d $VM_IP -j VM_${VM_NAME}
iptables -A FORWARD -s $VM_IP -j VM_${VM_NAME}

echo "Microsegmentation rules applied for $VM_NAME ($VM_IP)"
EOF

chmod +x /usr/local/bin/vm-microsegmentation

Performance Optimization

Step 1: Network Performance Tuning

# Create network optimization script
cat > /usr/local/bin/optimize-vm-network << 'EOF'
#!/bin/sh
# Optimize VM network performance

# Enable offloading features
optimize_interface() {
    IFACE=$1
    
    # Enable offloading
    ethtool -K $IFACE rx on tx on sg on tso on gso on gro on lro on
    
    # Increase ring buffer
    ethtool -G $IFACE rx 4096 tx 4096
    
    # Set interrupt coalescing
    ethtool -C $IFACE adaptive-rx on adaptive-tx on
}

# Optimize bridge settings
optimize_bridge() {
    BRIDGE=$1
    
    # Disable unnecessary features
    echo 0 > /sys/class/net/$BRIDGE/bridge/multicast_snooping
    echo 0 > /sys/class/net/$BRIDGE/bridge/multicast_querier
    
    # Optimize forwarding
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
}

# System-wide optimizations
echo "Applying system optimizations..."

# Network buffer tuning
cat >> /etc/sysctl.conf << EOC
# VM Network Optimization
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_mtu_probing = 1
EOC

sysctl -p

# Optimize all bridges
for bridge in $(brctl show | grep -v 'bridge name' | awk '{print $1}'); do
    optimize_bridge $bridge
done

# Optimize physical interfaces
for iface in $(ls /sys/class/net | grep -E '^(eth|ens)'); do
    optimize_interface $iface
done

echo "Network optimization complete"
EOF

chmod +x /usr/local/bin/optimize-vm-network

Step 2: SR-IOV Configuration

# Enable SR-IOV for supported network cards
cat > /usr/local/bin/enable-sriov << 'EOF'
#!/bin/sh
# Enable SR-IOV for VM networking

PF_DEVICE=${1:-eth1}
NUM_VFS=${2:-8}

# Check if device supports SR-IOV
if [ ! -f /sys/class/net/$PF_DEVICE/device/sriov_totalvfs ]; then
    echo "Device $PF_DEVICE does not support SR-IOV"
    exit 1
fi

# Get max VFs
MAX_VFS=$(cat /sys/class/net/$PF_DEVICE/device/sriov_totalvfs)
echo "Device supports up to $MAX_VFS VFs"

# Enable VFs
echo $NUM_VFS > /sys/class/net/$PF_DEVICE/device/sriov_numvfs

# Configure VFs
for i in $(seq 0 $((NUM_VFS-1))); do
    # Set MAC address
    ip link set $PF_DEVICE vf $i mac 52:54:00:00:00:$(printf "%02x" $i)
    
    # Enable spoofchk
    ip link set $PF_DEVICE vf $i spoofchk on
    
    # Set VLAN (optional)
    # ip link set $PF_DEVICE vf $i vlan 10
done

# Show VF configuration
ip link show $PF_DEVICE

echo "SR-IOV enabled with $NUM_VFS virtual functions"
EOF

chmod +x /usr/local/bin/enable-sriov

Advanced Routing

Step 1: Policy-Based Routing

# Create policy routing for VMs
cat > /usr/local/bin/vm-policy-routing << 'EOF'
#!/bin/sh
# Policy-based routing for VM networks

# Add routing tables
echo "100 dmz" >> /etc/iproute2/rt_tables
echo "200 internal" >> /etc/iproute2/rt_tables
echo "300 management" >> /etc/iproute2/rt_tables

# DMZ routing
ip route add default via 10.0.1.1 dev virbr-dmz table dmz
ip rule add from 10.0.1.0/24 table dmz
ip rule add to 10.0.1.0/24 table dmz

# Internal routing
ip route add default via 10.0.2.1 dev virbr-int table internal
ip route add 10.0.1.0/24 via 10.0.2.1 dev virbr-int table internal
ip rule add from 10.0.2.0/24 table internal

# Management routing
ip route add default via 10.0.3.1 dev virbr-mgmt table management
ip rule add from 10.0.3.0/24 table management

# Mark packets for different routing
iptables -t mangle -A PREROUTING -i virbr-dmz -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -i virbr-int -j MARK --set-mark 200
iptables -t mangle -A PREROUTING -i virbr-mgmt -j MARK --set-mark 300

# Route based on marks
ip rule add fwmark 100 table dmz
ip rule add fwmark 200 table internal
ip rule add fwmark 300 table management

echo "Policy routing configured"
EOF

chmod +x /usr/local/bin/vm-policy-routing

Step 2: Dynamic Routing with BIRD

# Install BIRD
apk add bird

# Configure BIRD for VM networks
cat > /etc/bird.conf << 'EOF'
# BIRD routing configuration for VMs

router id 10.0.0.1;

# Define networks
protocol static {
    route 10.0.1.0/24 via "virbr-dmz";
    route 10.0.2.0/24 via "virbr-int";
    route 10.0.3.0/24 via "virbr-mgmt";
}

# OSPF for dynamic routing between VM hosts
protocol ospf {
    area 0.0.0.0 {
        interface "eth0" {
            cost 10;
            hello 10;
            dead 40;
        };
        interface "virbr-*" {
            stub yes;
        };
    };
}

# BGP for external connectivity
protocol bgp {
    local as 65001;
    neighbor 192.168.1.254 as 65000;
    import all;
    export where net ~ [ 10.0.0.0/8+ ];
}

# Kernel routing table
protocol kernel {
    persist;
    scan time 20;
    export all;
}

# Device protocol
protocol device {
    scan time 10;
}
EOF

# Enable and start BIRD
rc-update add bird default
rc-service bird start

Network Monitoring

Step 1: Traffic Monitoring Setup

# Create network monitoring script
cat > /usr/local/bin/monitor-vm-network << 'EOF'
#!/bin/sh
# Monitor VM network traffic

# Monitor bridge traffic
monitor_bridge() {
    BRIDGE=$1
    echo "Monitoring traffic on $BRIDGE..."
    
    # Real-time bandwidth
    iftop -i $BRIDGE -n -P
}

# Capture VM traffic
capture_vm_traffic() {
    VM_NAME=$1
    INTERFACE=$(virsh domiflist $VM_NAME | grep -E '^\s*vnet' | awk '{print $1}')
    
    if [ -n "$INTERFACE" ]; then
        echo "Capturing traffic for VM $VM_NAME on $INTERFACE"
        tcpdump -i $INTERFACE -n -w /tmp/${VM_NAME}_capture.pcap
    else
        echo "VM interface not found"
    fi
}

# Generate traffic statistics
generate_stats() {
    echo "=== VM Network Statistics ==="
    
    # Per-bridge statistics
    for bridge in $(brctl show | grep -v 'bridge name' | awk '{print $1}'); do
        echo -e "\nBridge: $bridge"
        ip -s link show $bridge
        
        # Connected VMs
        echo "Connected interfaces:"
        brctl show $bridge | tail -n +2
    done
    
    # Per-VM statistics
    echo -e "\n=== Per-VM Statistics ==="
    for vm in $(virsh list --name); do
        if [ -n "$vm" ]; then
            echo -e "\nVM: $vm"
            virsh domifstat $vm $(virsh domiflist $vm | grep -E '^\s*vnet' | awk '{print $1}')
        fi
    done
}

# Flow monitoring
monitor_flows() {
    if command -v ovs-ofctl >/dev/null; then
        echo "=== OVS Flow Statistics ==="
        ovs-ofctl dump-flows ovsbr0
    fi
    
    # Connection tracking
    echo -e "\n=== Active Connections ==="
    conntrack -L | grep -E 'src=10\.'
}

# Main menu
case "$1" in
    bridge)
        monitor_bridge $2
        ;;
    capture)
        capture_vm_traffic $2
        ;;
    stats)
        generate_stats
        ;;
    flows)
        monitor_flows
        ;;
    *)
        echo "Usage: $0 {bridge <name>|capture <vm>|stats|flows}"
        ;;
esac
EOF

chmod +x /usr/local/bin/monitor-vm-network

Step 2: Network Diagnostics

# Create network diagnostic tool
cat > /usr/local/bin/vm-net-diag << 'EOF'
#!/bin/sh
# VM network diagnostics

diagnose_vm_network() {
    VM_NAME=$1
    
    echo "=== Network Diagnostics for VM: $VM_NAME ==="
    
    # Get VM network info
    echo -e "\n1. VM Network Configuration:"
    virsh domiflist $VM_NAME
    
    # Get interface details
    INTERFACE=$(virsh domiflist $VM_NAME | grep -E '^\s*vnet' | awk '{print $1}')
    if [ -n "$INTERFACE" ]; then
        echo -e "\n2. Interface Statistics:"
        ip -s link show $INTERFACE
        
        echo -e "\n3. Bridge Connection:"
        bridge link show | grep $INTERFACE
        
        echo -e "\n4. ARP Entries:"
        arp -n | grep $INTERFACE
    fi
    
    # Check connectivity
    echo -e "\n5. Connectivity Tests:"
    
    # Get VM IP
    VM_IP=$(virsh domifaddr $VM_NAME | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}')
    if [ -n "$VM_IP" ]; then
        echo "VM IP: $VM_IP"
        ping -c 3 $VM_IP
    else
        echo "Could not determine VM IP"
    fi
    
    # Check firewall rules
    echo -e "\n6. Firewall Rules:"
    iptables -L -n -v | grep -E "(virbr|vnet|$VM_IP)"
}

# Network path trace
trace_network_path() {
    SRC_VM=$1
    DST_VM=$2
    
    echo "Tracing network path from $SRC_VM to $DST_VM"
    
    # Get IPs
    SRC_IP=$(virsh domifaddr $SRC_VM | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}')
    DST_IP=$(virsh domifaddr $DST_VM | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}')
    
    if [ -n "$SRC_IP" ] && [ -n "$DST_IP" ]; then
        echo "Source IP: $SRC_IP"
        echo "Destination IP: $DST_IP"
        
        # Check routing
        echo -e "\nRouting table:"
        ip route get $DST_IP from $SRC_IP
        
        # Trace path
        traceroute -n $DST_IP
    fi
}

# Main execution
case "$1" in
    diagnose)
        diagnose_vm_network $2
        ;;
    trace)
        trace_network_path $2 $3
        ;;
    *)
        echo "Usage: $0 {diagnose <vm>|trace <src-vm> <dst-vm>}"
        ;;
esac
EOF

chmod +x /usr/local/bin/vm-net-diag

Multi-Host Networking

Step 1: VXLAN Overlay Network

# Create VXLAN overlay network
cat > /usr/local/bin/create-vxlan-overlay << 'EOF'
#!/bin/sh
# Create VXLAN overlay for multi-host VM networking

VXLAN_ID=${1:-100}
VXLAN_NAME="vxlan${VXLAN_ID}"
MULTICAST_GROUP="239.1.1.1"
LOCAL_IP=$(ip route get 8.8.8.8 | awk '{print $7; exit}')
BRIDGE_NAME="br-vxlan${VXLAN_ID}"

# Create VXLAN interface
ip link add $VXLAN_NAME type vxlan \
    id $VXLAN_ID \
    group $MULTICAST_GROUP \
    dev eth0 \
    dstport 4789

# Create bridge for VXLAN
ip link add $BRIDGE_NAME type bridge
ip link set $VXLAN_NAME master $BRIDGE_NAME

# Bring up interfaces
ip link set $VXLAN_NAME up
ip link set $BRIDGE_NAME up

# Assign IP to bridge (different on each host)
LAST_OCTET=$(echo $LOCAL_IP | cut -d. -f4)
ip addr add 192.168.${VXLAN_ID}.${LAST_OCTET}/24 dev $BRIDGE_NAME

echo "VXLAN overlay network created:"
echo "  VXLAN ID: $VXLAN_ID"
echo "  Bridge: $BRIDGE_NAME"
echo "  IP: 192.168.${VXLAN_ID}.${LAST_OCTET}/24"

# Create libvirt network for VXLAN
cat > /tmp/vxlan-network.xml << EOX
<network>
  <name>vxlan${VXLAN_ID}</name>
  <forward mode='bridge'/>
  <bridge name='${BRIDGE_NAME}'/>
</network>
EOX

virsh net-define /tmp/vxlan-network.xml
virsh net-start vxlan${VXLAN_ID}
virsh net-autostart vxlan${VXLAN_ID}
EOF

chmod +x /usr/local/bin/create-vxlan-overlay

Step 2: GRE Tunnel Setup

# Create GRE tunnel for VM communication
cat > /usr/local/bin/setup-gre-tunnel << 'EOF'
#!/bin/sh
# Setup GRE tunnel between hosts

LOCAL_IP=$1
REMOTE_IP=$2
TUNNEL_NAME="gre-vm"
TUNNEL_NET="172.16.0.0/30"

if [ -z "$REMOTE_IP" ]; then
    echo "Usage: $0 <local-ip> <remote-ip>"
    exit 1
fi

# Create GRE tunnel
ip tunnel add $TUNNEL_NAME mode gre remote $REMOTE_IP local $LOCAL_IP ttl 255
ip link set $TUNNEL_NAME up

# Assign IP based on host
if [ "$LOCAL_IP" \< "$REMOTE_IP" ]; then
    ip addr add 172.16.0.1/30 dev $TUNNEL_NAME
else
    ip addr add 172.16.0.2/30 dev $TUNNEL_NAME
fi

# Add routes for remote VM networks
ip route add 10.0.0.0/16 dev $TUNNEL_NAME

# Create bridge for GRE
ip link add br-gre type bridge
ip link set $TUNNEL_NAME master br-gre
ip link set br-gre up

echo "GRE tunnel established:"
echo "  Local: $LOCAL_IP"
echo "  Remote: $REMOTE_IP"
echo "  Tunnel: $TUNNEL_NAME"
EOF

chmod +x /usr/local/bin/setup-gre-tunnel

Troubleshooting

Common Issues

1. VM cannot get DHCP address:

# Check dnsmasq
ps aux | grep dnsmasq
cat /var/lib/misc/dnsmasq.leases

# Restart dnsmasq
rc-service dnsmasq restart

# Check bridge configuration
brctl show
ip addr show virbr0

2. No connectivity between VMs:

# Check bridge forwarding
cat /proc/sys/net/bridge/bridge-nf-call-iptables

# Check iptables rules
iptables -L FORWARD -n -v

# Test with tcpdump
tcpdump -i virbr0 -n

3. Poor network performance:

# Check offloading
ethtool -k eth0

# Check for errors
ip -s link show

# Monitor interrupts
watch -n 1 cat /proc/interrupts

Debug Tools

# Create network debug script
cat > /usr/local/bin/debug-vm-network << 'EOF'
#!/bin/sh
# Debug VM network issues

echo "=== VM Network Debug Information ==="

# List all networks
echo -e "\n1. Libvirt Networks:"
virsh net-list --all

# Show bridge details
echo -e "\n2. Bridge Configuration:"
brctl show
bridge vlan show

# Check routing
echo -e "\n3. Routing Tables:"
ip route show
ip rule show

# Check iptables
echo -e "\n4. Firewall Rules:"
iptables -L -n -v | grep -E "(virbr|FORWARD)"

# OVS status
if command -v ovs-vsctl >/dev/null; then
    echo -e "\n5. Open vSwitch Status:"
    ovs-vsctl show
fi

# Network namespaces
echo -e "\n6. Network Namespaces:"
ip netns list

# Connection tracking
echo -e "\n7. Active Connections:"
conntrack -L 2>/dev/null | head -20

# Performance stats
echo -e "\n8. Network Performance:"
for iface in $(ls /sys/class/net); do
    if [ -d "/sys/class/net/$iface/statistics" ]; then
        rx=$(cat /sys/class/net/$iface/statistics/rx_bytes)
        tx=$(cat /sys/class/net/$iface/statistics/tx_bytes)
        if [ $rx -gt 0 ] || [ $tx -gt 0 ]; then
            echo "$iface: RX=$((rx/1024/1024))MB TX=$((tx/1024/1024))MB"
        fi
    fi
done
EOF

chmod +x /usr/local/bin/debug-vm-network

Best Practices

Network Design Guidelines

# Create network design validator
cat > /usr/local/bin/validate-vm-network << 'EOF'
#!/bin/sh
# Validate VM network configuration

echo "=== VM Network Configuration Validator ==="

# Check IP forwarding
echo -n "IP Forwarding: "
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]; then
    echo "✓ Enabled"
else
    echo "✗ Disabled"
fi

# Check bridge settings
echo -e "\nBridge Configuration:"
for bridge in $(brctl show | grep -v 'bridge name' | awk '{print $1}'); do
    echo -n "  $bridge - STP: "
    if [ "$(cat /sys/class/net/$bridge/bridge/stp_state)" = "0" ]; then
        echo "✓ Disabled (good for VMs)"
    else
        echo "! Enabled (may cause issues)"
    fi
done

# Check for IP conflicts
echo -e "\nIP Address Conflicts:"
ip addr show | grep -E 'inet ' | awk '{print $2}' | sort | uniq -d

# Check MTU consistency
echo -e "\nMTU Settings:"
for iface in $(ls /sys/class/net); do
    mtu=$(cat /sys/class/net/$iface/mtu 2>/dev/null)
    if [ -n "$mtu" ]; then
        echo "  $iface: $mtu"
    fi
done

# Security checks
echo -e "\nSecurity Configuration:"
echo -n "  iptables rules: "
iptables -L -n | grep -c "^Chain" | xargs echo "chains"

echo -n "  ebtables rules: "
if command -v ebtables >/dev/null; then
    ebtables -L | grep -c "^Bridge chain" | xargs echo "chains"
else
    echo "not installed"
fi

# Performance checks
echo -e "\nPerformance Settings:"
echo "  net.core.netdev_max_backlog: $(sysctl -n net.core.netdev_max_backlog)"
echo "  net.ipv4.tcp_congestion_control: $(sysctl -n net.ipv4.tcp_congestion_control)"
EOF

chmod +x /usr/local/bin/validate-vm-network

Automation Scripts

# Create VM network automation
cat > /usr/local/bin/automate-vm-network << 'EOF'
#!/bin/sh
# Automate VM network setup

# Configuration file
CONFIG_FILE="/etc/vm-networks.conf"

# Load configuration
if [ -f "$CONFIG_FILE" ]; then
    . "$CONFIG_FILE"
else
    echo "Configuration file not found: $CONFIG_FILE"
    exit 1
fi

# Setup all networks
setup_networks() {
    echo "Setting up VM networks..."
    
    # Create bridges
    for network in $NETWORKS; do
        eval bridge=\$${network}_BRIDGE
        eval subnet=\$${network}_SUBNET
        eval vlan=\$${network}_VLAN
        
        echo "Creating network: $network"
        
        # Create bridge
        if [ -n "$vlan" ]; then
            vconfig add eth0 $vlan
            brctl addbr $bridge
            brctl addif $bridge eth0.$vlan
        else
            brctl addbr $bridge
        fi
        
        # Configure IP
        ip addr add ${subnet}.1/24 dev $bridge
        ip link set $bridge up
        
        # Create libvirt network
        create_libvirt_network $network $bridge $subnet
    done
}

# Create libvirt network
create_libvirt_network() {
    local name=$1
    local bridge=$2
    local subnet=$3
    
    cat > /tmp/${name}-network.xml << EOX
<network>
  <name>$name</name>
  <forward mode='bridge'/>
  <bridge name='$bridge'/>
</network>
EOX
    
    virsh net-define /tmp/${name}-network.xml
    virsh net-start $name
    virsh net-autostart $name
}

# Apply security policies
apply_security_policies() {
    echo "Applying security policies..."
    
    # Implement policies from config
    for policy in $SECURITY_POLICIES; do
        eval rule=\$${policy}_RULE
        eval "$rule"
    done
}

# Main execution
setup_networks
apply_security_policies

echo "VM network automation complete"
EOF

chmod +x /usr/local/bin/automate-vm-network

# Create sample configuration
cat > /etc/vm-networks.conf << 'EOF'
# VM Network Configuration

# Network definitions
NETWORKS="production development testing"

# Production network
production_BRIDGE="vmbr-prod"
production_SUBNET="10.10.10"
production_VLAN="10"

# Development network
development_BRIDGE="vmbr-dev"
development_SUBNET="10.20.20"
development_VLAN="20"

# Testing network
testing_BRIDGE="vmbr-test"
testing_SUBNET="10.30.30"
testing_VLAN=""

# Security policies
SECURITY_POLICIES="isolate_dev block_test"

# Policy rules
isolate_dev_RULE="iptables -A FORWARD -i vmbr-dev -o vmbr-prod -j DROP"
block_test_RULE="iptables -A FORWARD -i vmbr-test -o eth0 -j DROP"
EOF

Conclusion

You’ve successfully mastered virtual machine networking on Alpine Linux. From basic bridging to advanced overlay networks, you now have the tools and knowledge to build complex, secure, and high-performance VM network infrastructures. This setup supports everything from simple development environments to production-ready multi-tenant configurations.

Remember to regularly monitor network performance, keep security policies updated, and document your network architecture. With proper planning and implementation, your VM networking infrastructure will provide reliable, scalable connectivity for all your virtualization needs.