can't get firewalld/nftables/libvirt to masquerade from bridge to public

Hi,
I have a remote server with one network interface, which has a public IP address (enp5s0).
This is RHEL 9.
I've created an isolated network as follows:

<network>
  <name>LAN-bridge</name>
  <uuid>64XXXXXXXXXXXXXXXXXXXXXXXX</uuid>
  <bridge name="lanbrdige" stp="on" delay="0"/>
  <mac address="52:54:00:XX:XX:XX"/>
  <domain name="LAN-bridge"/>
  <ip address="192.168.200.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.200.128" end="192.168.200.254"/>
    </dhcp>
  </ip>
</network>

I've also created a routed network as follows:

<network>
  <name>WAN-bridge-zoned</name>
  <uuid>521XXXXXXXXXXXXXXXXXXXXXXXXXX</uuid>
  <forward dev="enp5s0" mode="route">
    <interface dev="enp5s0"/>
  </forward>
  <bridge name="wanbridge-zoned" stp="on" delay="0" zone="libvirt-public"/>
  <mac address="52:54:00:c0:ac:22"/>
  <domain name="WAN-bridge-zoned"/>
  <ip address="192.168.10.1" netmask="255.255.255.0">
  </ip>
</network>

and the custom zone libvirt-public has been created as follows:

<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>libvirt-public</short>
  <description>  custom libvirt-public zone   </description>
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="ssh"/>
  <service name="tftp"/>
  <protocol value="icmp"/>
  <protocol value="tcp"/>
  <protocol value="udp"/>
  <rule priority="32767">
    <reject/>
  </rule>
  <forward/>
</zone>

resulting in:

firewall-cmd --zone=libvirt-public --list-all
libvirt-public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: wanbridge-zoned
  sources: 
  services: dhcp dns ssh tftp
  ports: 
  protocols: icmp tcp udp
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="32767" reject

a custom policy has been created to enable zone-to-zone traffic with:

firewall-cmd --new-policy wanbrg_to_public --permanent
firewall-cmd --permanent --policy wanbrg_to_public --add-ingress-zone libvirt-public
firewall-cmd --permanent --policy wanbrg_to_public --add-egress-zone public
firewall-cmd --permanent --policy wanbrg_to_public --set-target ACCEPT

resulting in:

wanbrg_to_public (active)
  priority: -1
  target: ACCEPT
  ingress-zones: libvirt-public
  egress-zones: public
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

and finally masquerading has been enabled on the public zone with

firewall-cmd --zone=public --add-masquerade --permanent

firewall-cmd has been reloaded and AFAIK this should allow me to have VMs with a network interface on the WAN-bridge-zoned network, using that interface's IP as default gateway, being masqueraded and able to navigate. Eventually I will also need to add port forwarding to specific addresses on that interface/zone, and I'd like to do that with firewalld.

the firewalld backend is nftables.

This doesn't seem to be working, though: a pfSense firewall with an interface and a static IP on the WAN-bridge-zoned network cannot ping outside.
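When a forwarding/NAT path like the one in this post does not work, the first thing to settle is whether the firewalld side is actually complete before looking at routing, libvirt's own rules or the guest's gateway. The script below is an added example, not code from the post or from firewalld: it parses the text that `firewall-cmd --zone=X --list-all` and `firewall-cmd --info-policy X` print and checks the two things firewalld needs for traffic entering one zone to leave, NATed, through another: an active ACCEPT policy from the ingress zone to the egress zone (firewalld 1.0 and later drop inter-zone forwarding without one) and masquerade on that policy or on the egress zone (a zone's masquerade rule is dispatched by output interface, so it covers packets leaving via that zone's interfaces, which is why RHEL's NAT documentation enables it on the external zone). The libvirt-public and wanbrg_to_public listings are taken from the post; the `public` zone listing and the `load`/`audit_forward_path` names are constructed for the example.

```python
"""Audit a firewalld zone-to-zone forward/NAT path from firewall-cmd listings.

Added example, not the poster's or firewalld's code. The sample listings are
constructed in the format firewall-cmd prints; the first two mirror the post.
"""
import re

LIBVIRT_PUBLIC_ZONE = """\
libvirt-public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: wanbridge-zoned
  sources:
  services: dhcp dns ssh tftp
  ports:
  protocols: icmp tcp udp
  forward: yes
  masquerade: no
  rich rules:
        rule priority="32767" reject
"""

# Constructed: what the post's `public` zone would look like after
# `firewall-cmd --zone=public --add-masquerade`.
PUBLIC_ZONE = """\
public (active)
  target: default
  interfaces: enp5s0
  services: ssh
  forward: yes
  masquerade: yes
"""

WANBRG_TO_PUBLIC_POLICY = """\
wanbrg_to_public (active)
  priority: -1
  target: ACCEPT
  ingress-zones: libvirt-public
  egress-zones: public
  masquerade: no
"""

# A two-space-indented "key: value" line; deeper indents are continuations.
_KEY_LINE = re.compile(r"^ {2}([^:\s][^:]*):\s?(.*)$")


def parse_listing(text):
    """Return (name, active, attrs) for one zone or policy listing."""
    lines = text.rstrip("\n").splitlines()
    header = lines[0].split()
    name, active = header[0], "(active)" in header
    attrs, last_key = {}, None
    for line in lines[1:]:
        m = _KEY_LINE.match(line)
        if m:
            last_key = m.group(1).strip()
            attrs[last_key] = m.group(2).strip()
        elif last_key is not None and line.strip():
            # rich rule bodies are printed on their own, deeper-indented lines
            attrs[last_key] = (attrs[last_key] + "\n" + line.strip()).strip()
    return name, active, attrs


def load(*listings):
    """Index parsed listings by zone/policy name."""
    return {name: (active, attrs) for name, active, attrs in map(parse_listing, listings)}


def audit_forward_path(zones, policies, ingress, egress):
    """List reasons traffic entering `ingress` cannot leave NATed via `egress`.

    An empty list means the firewalld side looks complete; it says nothing about
    routing, net.ipv4.ip_forward, libvirt's own rules or the guest's gateway.
    """
    findings = []
    for zname in (ingress, egress):
        if not zones[zname][0]:
            findings.append(f"zone {zname} is not active: no interface or source is bound to it")
    out_attrs = zones[egress][1]

    # 1. inter-zone forwarding needs an explicit ACCEPT policy ingress -> egress
    allowing = [
        pname for pname, (active, p) in policies.items()
        if active and p.get("target") == "ACCEPT"
        and ingress in p.get("ingress-zones", "").split()
        and egress in p.get("egress-zones", "").split()
    ]
    if not allowing:
        findings.append(f"no active ACCEPT policy from {ingress} to {egress}: "
                        "firewalld drops inter-zone forwarding without one")

    # 2. NAT must happen on the policy or on the zone the packets leave through
    nat_on_policy = any(policies[p][1].get("masquerade") == "yes" for p in allowing)
    nat_on_egress = out_attrs.get("masquerade") == "yes"
    if not (nat_on_policy or nat_on_egress):
        findings.append(f"no masquerade on the policy or on egress zone {egress}: "
                        "forwarded packets keep their private source address")
    if zones[ingress][1].get("masquerade") == "yes" and not nat_on_egress:
        findings.append(f"masquerade is set on ingress zone {ingress} only; zone masquerade "
                        "applies to packets leaving via that zone's interfaces, not entering")
    return findings


if __name__ == "__main__":
    zones = load(LIBVIRT_PUBLIC_ZONE, PUBLIC_ZONE)
    policies = load(WANBRG_TO_PUBLIC_POLICY)
    result = audit_forward_path(zones, policies, "libvirt-public", "public")
    for line in result or ["firewalld path complete; look at routing, ip_forward and libvirt rules"]:
        print(line)
```

Feed it the real output of `firewall-cmd --list-all` for both zones and `--info-policy` for the policy; an empty result rules the firewalld configuration out and points the investigation at the remaining layers (routing table, sysctl forwarding, libvirt's route-mode rules, the guest's default route).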