Solved Connect to bhyve host via VM

biggsy · Aug 9, 2024

I have a 14.1-RELEASE system running as a bhyve host with two NICs and two VMs.
This was all set up using vm-bhyve. Both VMs are also FreeBSD.

There are three switches defined in the bhyve host:
WAN - bridged to em0
LAN - bridged to em1
DMZ - not bridged to an interface

VM1 (firewall) has connections to all three.
VM2 (postfix/dovecot) only has connection to DMZ.

This all works but I need to pass through the two NICs in the host to VM1 to prevent the host from grabbing an IP from the modem attached to em0. Unfortunately, that would mean losing access to the host except through its console. Ideally, the host will be headless.

What I can't figure out is whether I can connect the host OS to the DMZ and gain SSH access to it via VM1 (as I do with VM2).

Is this even possible and, if so, how? Any suggestions appreciated.

bakul · Aug 9, 2024

You can passthrough a PCI device to the VM. You can find out which one you want by looking at the output of pciconf -lv.

As an example, in host's /boot/loader.conf I have: pptdevs="7/0/0 11/0/3" and I pass them to separate VMs. I use bhyve (but vm-bhyve must have a similar feature) and have -s 7,passthru,7/0/0 \ for one VM and -s 12,passthru,11/0/3 \ for another.

VladiBG · Aug 9, 2024

You don't need VM to serve as Firewall/VPN/Router etc. Those services belongs to the host not to VM or jail.

Some Anon Guy · Aug 9, 2024

You do not need to passthru the NICs to the guest just to stop them from getting an IP from the modem/router provided by the ISP.
You can configure the NICs either statically, or configure them to just be UP with out an IP address.

here is a section from my rc.conf on my bhyve host...


ifconfig_igc1="up"
ifconfig_igc0="DHCP"
ifconfig_igc0_ipv6="inet6 accept_rtadv"

igc1 is a member of my "public" bridge and is just "up" without an IP address.
igc0 is DHCP (with a reservation from my router) for the management / host network address.

You could statically configure the "host" interface, and use your virtual router as the gateway.

Emrion · Aug 9, 2024

I have something close enough of what I understand you want. In my config, I put my modem in DMZ mode and redirect all the traffic to the firewall (pfsense). And it's the firewall that does DHCP. I just passthru one of my two physical interfaces into pfsense for the WAN part.
See here: https://forums.freebsd.org/threads/a-freebsd-box-for-home.70451/

biggsy · Aug 9, 2024

Thank you fro the replies. In my case VM1 is the firewall and it is pfSense.
If the host passes both em0 and em1 to pfSense, it seems I'll have no way to access the host other than through the console.
I would like to connect the bhyve host to the DMZ switch and access it via pfSense - either locally from the LAN or remotely via WireGuard.
Maybe there is a simpler way but I can't find one.

Some Anon Guy · Aug 9, 2024

Another thought could be to use epair devices. epair(4)
Connect one to pfSense, and one to the host. you then have a virtual cross over cable between them. Add a seperate management subnet to the pair, or in pfSense bridge the epair interface to the DMZ.

Emrion · Aug 9, 2024

It's not clear what you want. If you passthru a physical interface in a VM, there is no point to make this interface connected to a bridge because it simply disappear for the host, so it's not connected to this bridge in fact.

biggsy said:
to prevent the host from grabbing an IP from the modem attached to em0.

You just have to remove ifconfig_em0="dhcp" in /etc/rc.conf.

In general, in a VM, you use a tap(4) as a virtual interface. In your case, you may passthru em1 (or em0) and ask for a dhcp address from the modem (wan). You have to set an ip address (lan) for the VM side of the tap (vtnet0 for pfSense) and you can set an ip for the host side of the tap. There, you can ssh from the VM to the host using this last ip address. Choose a different subnet than your modem uses.

I don't know what you want to do with VM2.

biggsy · Aug 10, 2024

Emrion said:
It's not clear what you want. If you passthru a physical interface in a VM, there is no point to make this interface connected to a bridge because it simply disappear for the host, so it's not connected to this bridge in fact.

You just have to remove ifconfig_em0="dhcp" in

/etc/rc.conf[/FILE

Click to expand...

]. In general, in a VM, you use a tap(4) as a virtual interface. In your case, you may passthru em1 (or em0) and ask for a dhcp address from the modem (wan). You have to set an ip address (lan) for the VM side of the tap (vtnet0 for pfSense) and you can set an ip for the host side of the tap. There, you can ssh from the VM to the host using this last ip address. Choose a different subnet than your modem uses. I don't know what you want to do with VM2.

Thank you for you help.

I removed the
ifconfig_em0="dhcp" from /etc/rc.conf. That worked for getting the pfSense WAN an IP from the ISP modem.

I don't follow the part about assigning the host an IP on the tap .
How would I do that? Do I just need to have an ifconfig for tap4 (the LAN, in this case) on the host?

Apologies for the dumb questions. This is my first try at using bhyve.

Emrion · Aug 10, 2024

See the output of your ifconfig on the host. You will see an interface that belongs to the tap group and was opened by the pid of the pfSense VM. Then you just have to assign an ip/mask for this interface. See ifconfig(8).

As you use vm-bhyve, i think there are some ways to automate this. Read the corresponding man pages.