Building a fault-tolerant firewall system with virtual machines: Creating bridge devices and tap interfaces


The tap network backend is the most appropriate configuration option in qemu for us to create network interfaces for virtual machines because virtual ethernet interfaces created in such a way are considered as normal ethernet devices without any restriction. We also need bridge devices to connect the interfaces in the networks.
By design, a bridge device is used to attach ethernet interfaces at its bridge ports. The bridge device then becomes a logically large ethernet interface consisting of a bunch of attached ethernet interfaces. The bridge is addressed instead of the ethernet interfaces participating in the bridge. In this case the bridge becomes a gateway to the network of the participating ethernet interfaces. But our firewall system does not use such functionality.

Non-grounding bridge solution

In the diagram above we see there are two networks. The client is in the network and the omarine server is in the network. Firewalls are also the gateway for traffic to flow from one network to another. The interesting thing is that they are automatic routers. If the active router fw-1 suddenly stops, the router fw-2 will automatically take its place.
Imagine the machine omarine together with the bridge br0 is on the 1st floor, i.e. on the ground. Two firewalls are on the 2nd floor and the client is on the 3rd. A packet that wants to go from the client, i.e. on the 3rd floor to the omarine on the 1st floor, must go through the 2nd layer, ie through the firewall system. The bridge br0, which is inherent in the host machine (omarine), is addressed to as usual and is present in the main routing table. We call it a "grounding" bridge. The bridges br1 and br2 are overhead, unaddressed, and not present in any of the host's routing tables. The packets at these bridges have no path to go directly to the ground, it is forced to follow the network traffic that we have designed. We call the bridges br1 and br2 "non-grounding" bridges.

Creating bridge devices and tap interfaces
First we create two virtual bridge devices br1 and br2, and turn them up:

sudo ip link add br1 up type bridge
sudo ip link add br2 up type bridge

Then create tap interfaces: net01, net02 for bridge br0; net11, net12, net13 for bridge br1; net21, net22 for bridge br2:

sudo ip tuntap add net01 mode tap
sudo ip tuntap add net02 mode tap
sudo ip tuntap add net11 mode tap
sudo ip tuntap add net12 mode tap
sudo ip tuntap add net13 mode tap
sudo ip tuntap add net21 mode tap
sudo ip tuntap add net22 mode tap

Set the tap interfaces to up:

sudo ip link set net01 up
sudo ip link set net02 up
sudo ip link set net11 up
sudo ip link set net12 up
sudo ip link set net13 up
sudo ip link set net21 up
sudo ip link set net22 up

Attach net01, net02 to bridge br0; attach net11, net12, net13 to bridge br1; attach net21, net22 to bridge br2:

sudo brctl addif br0 net01
sudo brctl addif br0 net02
sudo brctl addif br1 net11
sudo brctl addif br1 net12
sudo brctl addif br1 net13
sudo brctl addif br2 net21
sudo brctl addif br2 net22

To view the bridges and the interfaces attached to them, run the command below:

sudo brctl show

Adding modules to the kernel
Once using the bridge devices, you need to add the module br_netfilter to the kernel if you want to filter packets at bridge ports and bridge interfaces. That is, use the module 'physdev' in iptables and the family 'bridge' in nftables. Also add the module nf_conntrack_bridge to the kernel to track packet filtering against the bridges if necessary. It is best to add these two modules at boot time (firewalld needs that). You add the following content to the kernel command line


You can edit the /boot/grub/grub.cfg file directly to modify the kernel command line, or run the two commands below:

echo GRUB_CMDLINE_LINUX=\"rd.driver.pre=br_netfilter,nf_conntrack_bridge\" | sudo tee -a /etc/default/grub
sudo grub-mkconfig -o /boot/grub/grub.cfg

Remove bridges from influence zones of firewalld
If you're running firewalld, you'll need to keep the bridges out of firewalld's zones of influence. We will write a set of specific packet filtering rules for firewall machines later.
You run the commands below:

sudo firewall-cmd --zone=trusted --add-interface=br0
sudo firewall-cmd --zone=trusted --add-interface=br1
sudo firewall-cmd --zone=trusted --add-interface=br2

Since br0 is automatically configured at host startup, we make it permanent:

sudo firewall-cmd --permanent --zone=trusted --add-interface=br0
Currently unrated


There are currently no comments

New Comment


required (not published)



What is 1 × 2?