Sandbox99 Chronicles

libvirt Networking: Beyond the Default NAT

libvirt nat

Written by Jose Mendez

Hi, I’m Jose Mendez, the creator of sandbox99.cc. with a passion for technology and a hands-on approach to learning, I’ve spent more than fifteen years navigating the ever-evolving world of IT.

Linux Tips | Networking Fundamentals | Virtualization

KVM | libvirt | NAT | Network Address Translation | qemu | virsh | virt-manager

Published Aug 8, 2025 | Last updated on Aug 8, 2025 at 5:12PM

Follow me on LinkedIn

Reading Time: 3 minutes
Table of Contents show

Introduction

Just as VirtualBox automatically sets up a default NAT network for its virtual machines, libvirt also provides a default NAT network out of the box, allowing your VMs to access the internet. However, libvirt offers far more flexibility. We can create entirely new, isolated NAT networks with their own subnets and DHCP servers. This is particularly useful for segmenting different groups of VMs, like separating a development environment from a test environment or creating a specific VLAN-like setup for a dedicated application without interfering with the default network.

Step-by-Step Walkthrough

Step 1: Create the Network XML File

First, we’ll define the new network’s configuration in an XML file. This file specifies the network’s name, the bridge it will use, and the IP range for its NAT and DHCP services. Create a file named custom_name-nat.xml with the following content.

New Libvirt NAT Network XML

<network>
  <name>custom_name-nat</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr101'/>
  <ip address='192.168.101.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.101.2' end='192.168.101.254'/>
    </dhcp>
  </ip>
</network>
  • <name>custom_name-nat</name>: This is the unique name for our new network.
  • <bridge name='virbr101'/>: The new bridge device that libvirt will create for this network. It must be different from the default virbr0.
  • <ip address='192.168.101.1' .../>: The gateway IP address for the new network and the subnet range.
  • <dhcp>...</dhcp>: Configures the DHCP server for this network, providing IP addresses to connected VMs.
  • The <forward mode='nat'> line is a key part of the network definition. In simple terms, it’s the instruction that tells libvirt how to handle traffic leaving your virtual network.
    • The <forward> tag defines the networking type.
    • The mode='nat' attribute specifies that Network Address Translation (NAT) should be used.
    • This means that any traffic originating from a VM on this test-nat network will have its source IP address translated by the host machine before it is sent out to the internet. The host acts as a router, and the VMs appear to have the same external IP address as the host itself. This is what allows your VMs to get internet access even though they are on a private, isolated subnet.

Step 2: Define and Start the Network

Use the virsh command-line tool to define the new network from the XML file we just created, and then start it.

# Define the new network
sudo virsh net-define custom_name-nat.xml

# Start the network
sudo virsh net-start custom_name-nat

Step 3: Enable Autostart

To ensure the network starts automatically every time the host machine reboots, set the autostart flag.

# Set the network to autostart
sudo virsh net-autostart custom_name-nat

Step 4: Verify the New Network

You can now confirm that the new network is active and configured correctly.

# List all networks (active and inactive)
virsh net-list --all

# Inspect the details of the new network
virsh net-info custom_name-nat

You should see test-nat in the list and the correct details when you inspect it. You can also check your host’s networking interfaces to see the new virbr1 bridge.

Step 5: Attach a VM to the New Network

Finally, to use this new network, you need to configure a VM to connect to it. Edit the VM’s XML configuration using virsh edit <vm_name>. Find the <interface> section and change the network source to point to our new network.

<interface type='network'>
  <source network='custom_name-nat'/>
  <model type='virtio'/>
</interface>

Save the file, and the next time the VM is started, it will connect to the custom_name-nat network and receive an IP address from the 192.168.101.0/24 subnet.

Final Thoughts

This process demonstrates the power of libvirt’s networking capabilities. By defining custom NAT networks, you gain fine-grained control over your virtual environments. This approach is superior to relying solely on the default network for all VMs, as it allows for logical isolation, prevents IP address conflicts, and provides a clean, scalable way to manage complex virtualization setups. This ability to create tailored networks is a key differentiator for professional virtualization management. Let me know if you’d like to explore how to set up more complex bridged or routed networks.

Calendar

September 2025
S M T W T F S
 123456
78910111213
14151617181920
21222324252627
282930  

Related Post