This article shows how to create a network bridge device and a TUN/TAP device, which then is added to the bridge. The CentOS 8 Stream is used along with the console NetworkManager program nmcli.
TUN/TAP devices are often used in the virtualization world as a link device between the host machine and the virtual machine.
This article is for the case when the bridge does not include the main network interface (Internet network interface and so on) of the server but is an additional device, which MAC and virtual machine MACs would not be exposed through the server’s main network interface.
If the server’s main network interface should be included in the bridge device, i.e. replace the main network interface with the bridge there is another article on the subject – Replace current interface configuration with a bridge device using nmcli (NetworkManager)
Device name are as follow:
- br0 is the name of the network bridge.
- 10.10.10.1 with mask /24 is the IP of the bridge device with name br0. Because the idea is to use the bridge only locally, a local interface is used. The IP is set manually.
- tap0 is the name of TUN/TAP device.
- enp0s3is the server’s main network connection. Not used in this howto.
Here are all the commands to create a bridge, create a TUN/TAP device and add it to the bridge, and then activate the bridge‘s link.
nmcli connection add type bridge ifname br0 con-name br0 ipv4.method manual ipv4.addresses "10.10.10.1/24"
nmcli con up br0
nmcli connection add type tun ifname tap0 con-name tap0 mode tap owner 0 ip4 0.0.0.0/24
nmcli con add type bridge-slave ifname tap0 master br0
Here are the steps with much more details and information including all the command output.
The networking before any reconfiguration:
[root@srv ~]# nmcli
enp0s3: connected to enp0s3
ethernet (e1000), 08:00:27:03:C9:2E, hw, mtu 1500
route4 192.168.0.0/24 metric 100
route4 0.0.0.0/0 via 192.168.0.1 metric 100
route6 fe80::/64 metric 100
loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
servers: 220.127.116.11 18.104.22.168
Use "nmcli device show" to get complete information about known devices and
"nmcli connection show" to get an overview on active connection profiles.
Consult nmcli(1) and nmcli-examples(7) manual pages for complete usage details.
[root@srv ~]# nmcli con
NAME UUID TYPE DEVICE
enp0s3 09497bbf-da59-42b7-a72c-d69369760b36 ethernet enp0s3
Keep on reading!
If you happen to use CentOS 8 you have already discovered that Red Hat (i.e. CentOS) switch to podman, which is a fork of docker. So probably the following fix might help to someone, which does not use CentOS 8 or podman. For now, podman and docker are 99.99% the same.
So creating and starting a container is easy and in most cases one command only, but you may stumble on the error your container could not resolve or could not connect to an IP even there is a ping to the IP!
The service in the container may live a happy life without Internet access but just the mapped ports from the outside world. Still, it may happen to need Internet access, let’s say if an update should be performed.
Here is how to fix podman (docker) missing the Internet access in the container:
- No ping to the outside world. The chances you are missing
sysctl -w net.ipv4.ip_forward=1
And do not forget to make it permanent by adding the “net.ipv4.ip_forward=1” to /etc/sysctl.conf (or a file “.conf” in /etc/sysctl.d/).
- ping to the outside IP of the container is available, but no connection to any service is available! Probably the NAT is not enabled in your podman docker configuration. In the case with firewalld, at least, you must enable the masquerade option of the public zone
firewall-cmd --zone=public --add-masquerade
firewall-cmd --permanent --zone=public --add-masquerade
The second command with “–permanent” is to make the option permanent over reboots.
The error – Could not resolve host (Name or service not known) despite having servers in /etc/resolv.conf and ping to them!
One may think having IPs in /etc/resolv.conf and ping to them in the container should give the container access to the Internet. But the following error occurs:
[root@srv /]# yum install telnet
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: artfiles.org
* extras: centos.mirror.net-d-sign.de
* updates: centos.bio.lmu.de
http://mirror.fra10.de.leaseweb.net/centos/7.7.1908/os/x86_64/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: mirror.fra10.de.leaseweb.net; Unknown error"
Trying other mirror.
http://artfiles.org/centos.org/7.7.1908/os/x86_64/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: artfiles.org; Unknown error"
Trying other mirror.
Exiting on user cancel
[root@srv /]# ^C
[root@srv /]# ping 22.214.171.124
PING 126.96.36.199 (188.8.131.52) 56(84) bytes of data.
64 bytes from 184.108.40.206: icmp_seq=1 ttl=56 time=5.05 ms
64 bytes from 220.127.116.11: icmp_seq=2 ttl=56 time=5.06 ms
--- 18.104.22.168 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 5.050/5.055/5.061/0.071 ms
[root@srv ~]# cat /etc/resolv.conf
[root@srv /]# ping google.com
ping: google.com: Name or service not known
The error 2 – Can’t connect to despite having ping to the IP!
[root@srv /]# ping 22.214.171.124
PING 126.96.36.199 (188.8.131.52) 56(84) bytes of data.
64 bytes from 184.108.40.206: icmp_seq=1 ttl=56 time=9.15 ms
64 bytes from 220.127.116.11: icmp_seq=2 ttl=56 time=9.16 ms
[root@srv2 /]# mysql -h18.104.22.168 -uroot -p
ERROR 2003 (HY000): Can't connect to MySQL server on '22.214.171.124' (113)
Despite having ping the MySQL server on 126.96.36.199 and despite the firewall on 188.8.131.52 allows outside connections the container could not connect to it. And testing other services like HTTP, HTTPS, FTP and so on resulted in “unable to connect“, too. Simply because the NAT (aka masquerade is not enabled in the firewall).