OVN but with a firewall VM as the uplink?

Hello,

To clarify what I am trying to do:

  • I am doing teaching for a cybersecurity club, where I have offered Incus VMs to students
  • I would like for them to be able to semi-manage their own environments (hence why I am interested in OVN rather than Linuxbridge)
  • I would like for them to deploy a setup similar to what’s described in this blog post, internally.

A TL;DR of the blog post: the author uses a firewall VM. They enable port isolation and MAC filtering, and then use an interesting solution of telling the VMs they are on a /32 subnet instead of the real /24 that they are actually on, in order to force the VM traffic to go through the firewall VM and not get dropped because the VMs can’t find each other directly on the bridge due to port isolation. I think I can achieve something similar but more orthodox by using ARP proxying, where you have one machine respond to ARP requests for another host, on the same or a different subnet, which then forwards traffic.

Anyway, it’s a lot of work to achieve something similar to what Incus ACLs can already do on OVN networks, controlling internal traffic flow. But I am trying to teach people networking concepts, like DHCP, subnetting, and firewalling, on an interface similar to what they would see on a real physical switch (thank you for the OpenWrt image), which is why I want to share this setup specifically.

I have something similar to what I want working with Linuxbridge, and then port isolation could be used to restrict traffic. But what I think would be even cooler is to have this on an OVN network(s) instead, because then an OVN ACL could be used to restrict the whole subnet’s traffic to each other, except to the firewall VM on xxx.xxx.xxx.1. And then with OVN, people could create multiple logical networks and link them together and play with that.

However, OVN seems to restrict DHCP traffic by default, in ways that Linuxbridge does not. I am still investigating, but it looks like OVN has internal firewall rules or ACLs that do so. I am wondering if it is possible to loosen those, and if it’s possible to loosen them for a bunch of OVN networks at once or automatically depending on factors like user creation in some way.

Okay, I actually got it working. Still testing, but I will post configs later™. Short version is that the subnet must match what the router VM wants to give out, with ipv4.dhcp off.

But I am encountering this one weird issue, where whenever I detach and reattach the VM, in order to test, it wants a higher-numbered ethernet port. Like it went from eth-1 to eth-6…

I detach the devices, destroy and recreate the network to test, and then recreate, and the number just keeps going up. And if I try to set it at a lower number when first attaching, it complains and doesn’t let me do it.

Edit: although it looks like I can rename the device to a lower number, including n-1, after everything is set up.

Edit 2: Huh, here is what’s happening in the YAML:

It looks like detach doesn’t delete the device, it just sets the type to none.

Okay, here is the minimum config I used to get it working:

project: default
name: moonpie-vlab
description: ''
type: ovn
config:
  ipv4.address: 192.168.40.1/24
  ipv4.dhcp: 'false'
  ipv6.address: none
  network: none

And then I connected an OpenWrt container, gave it a static IP, and told it to serve DHCP, and then other VMs could get IP addresses.

The full config has bridge.mtu set to 1500, which seems to be auto-set based on OVN magic, so I left it out here since the above is the actual config I saved and applied to Incus.
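A consistency check for the handoff described in this post, as an added example that is not part of the thread (the OpenWrt addresses and pool are constructed, hypothetical values): it verifies that Incus DHCP is off, that the router container's static address lives in the OVN subnet without taking the gateway address OVN holds, and that the OpenWrt DHCP pool stays inside the subnet and does not hand out a statically assigned address.

```python
import ipaddress
import re

# Constructed samples (hypothetical values): the thread's Incus OVN config as flat
# key: value lines, plus the router container's OpenWrt /etc/config fragments.
INCUS_NETWORK = "ipv4.address: 192.168.40.1/24\nipv4.dhcp: 'false'\nipv6.address: none\nnetwork: none\n"
OPENWRT_NETWORK = """config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.40.2'
    option netmask '255.255.255.0'
"""
OPENWRT_DHCP = """config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
"""

def parse_incus(text):
    """Flat 'key: value' lines; strip the quotes Incus puts around string values."""
    pairs = (line.split(':', 1) for line in text.splitlines() if ':' in line)
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def parse_uci_options(text):
    """'option name value' pairs from a single-section UCI fragment."""
    return dict(re.findall(r"option\s+(\S+)\s+'([^']*)'", text))

def check_dhcp_handoff(incus_text, net_text, dhcp_text):
    """Return problems found; an empty list means the router's DHCP scope fits the OVN network."""
    incus, net, dhcp = parse_incus(incus_text), parse_uci_options(net_text), parse_uci_options(dhcp_text)
    problems = []
    if incus.get('ipv4.dhcp') != 'false':          # Incus and the router must not both serve DHCP
        problems.append('ipv4.dhcp is not false')
    gw = ipaddress.ip_interface(incus['ipv4.address'])    # OVN's logical router owns this address
    router = ipaddress.ip_interface(f"{net['ipaddr']}/{net['netmask']}")
    if router.network != gw.network:                # the router must sit in the same subnet
        problems.append(f'router subnet {router.network} != OVN subnet {gw.network}')
    if router.ip == gw.ip:
        problems.append('router address collides with the OVN gateway')
    # OpenWrt's start/limit are offsets from the network address (dnsmasq semantics)
    start, limit = int(dhcp['start']), int(dhcp['limit'])
    pool = [gw.network.network_address + i for i in range(start, start + limit)]
    if pool[-1] >= gw.network.broadcast_address:
        problems.append('DHCP pool runs past the end of the subnet')
    if gw.ip in pool or router.ip in pool:
        problems.append('DHCP pool overlaps a statically assigned address')
    return problems
```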

Alright, it looks like OVN ACLs do not isolate Layer 2 traffic, which was part of what I was trying to do.

Incus can do it, via port isolation, but that option is only available on bridged networks. So I will be using that instead.

@stgraber

Is there any way I can put my own VM on OVN as an uplink without having to fill out the IP address field?