Centos – Connect KVM virtual network to internet

Tags: centos, kvm-virtualization, nat, virtual-network

I have a CentOS server running KVM and need to connect a virtual network to the internet. The network must be routed or NATted, it must not be bridged (port security). If possible, I would like to connect the network to an alias of eth0 with a second IP address and leave the first IP for the host, but it might be possible to reverse that. The guests don't provide services that need to be internet-accessible, but do need access out and to the host.

I'm unable to find any instructions on doing this with just KVM's networking facilities. There are a good few mentions of how to attach a single machine, or single ports from multiple machines, but nothing discussing how to attach an entire network and have it handle switching traffic between machines. There are a few articles that suggest using a routed virtual network, but that doesn't seem to act any differently from a NATed one in this case.

Open vSwitch has been mentioned a few times, although what little documentation exists seems to discuss running it with a bridge. A few articles say that they're running it in NAT mode, and then go on to set up what appears to be a bridge. Regardless, I'm working on building OVS in an attempt to set that up.

Best Answer

No matter what you will need a bridge on the host. How else will a guest communicate with the network? The distinction is whether you add a host interface to the bridge and forwarding happens at layer 2 (ethernet) or you don't and forwarding happens at layer 3 (network).

Because port security is in place, only the MAC of the host is allowed. Thus you cannot forward at layer 2. You have two layer 3 options: have the host route (leave IPs alone) or NAT (rewrite IPs to the host IP(s)).

If you route, the rest of the network needs to know that to reach your guests they send the traffic to your host (which is the default gateway for the guest network). You were not given a routed subnet, only 2 IPs. Thus you must NAT.

The guests attach their interfaces to the bridge and you write iptables rules to NAT traffic coming from the bridge interface. libvirt will handle this for you. See http://wiki.libvirt.org/page/Networking#NAT_forwarding_.28aka_.22virtual_networks.22.29
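As an added illustration of the answer above (this is example code, not part of the original question or answer), the script below generates a libvirt virtual network in NAT mode, which creates a host-only bridge without enslaving eth0 and lets libvirt install the masquerade rules, and also prints the equivalent hand-written iptables rules, including the SNAT variant for the case where you want guest traffic to leave from a second IP alias on eth0 rather than the host's primary address. All concrete values (network name `guestnet`, bridge `virbr1`, subnet 192.168.100.0/24, uplink `eth0`, alias 203.0.113.20) are assumptions chosen for the example, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original post. Every value below is an
# assumption for illustration; adjust to the host's real addressing.
NET_NAME=${NET_NAME:-guestnet}          # assumed libvirt network name
BRIDGE=${BRIDGE:-virbr1}                # assumed host-only bridge (virbr0 is the default net)
UPLINK=${UPLINK:-eth0}                  # physical NIC that carries the NATed traffic
SUBNET=${SUBNET:-192.168.100.0/24}      # assumed private guest subnet
GATEWAY=${GATEWAY:-192.168.100.1}       # host's address on the bridge = guest default gw
NETMASK=${NETMASK:-255.255.255.0}
DHCP_START=${DHCP_START:-192.168.100.10}
DHCP_END=${DHCP_END:-192.168.100.200}
HOST_ALIAS_IP=${HOST_ALIAS_IP:-}        # e.g. 203.0.113.20 (assumed); empty -> MASQUERADE

# libvirt network definition. forward mode='nat' creates BRIDGE with no
# physical port attached, so the switch only ever sees the host's MAC;
# dev='eth0' restricts where libvirt's own masquerade rule applies.
guestnet_xml() {
    cat <<EOF
<network>
  <name>$NET_NAME</name>
  <forward mode='nat' dev='$UPLINK'/>
  <bridge name='$BRIDGE' stp='on' delay='0'/>
  <ip address='$GATEWAY' netmask='$NETMASK'>
    <dhcp>
      <range start='$DHCP_START' end='$DHCP_END'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Hand-written equivalent of what libvirt sets up, for hosts that manage
# iptables themselves. Optional argument: a host IP alias to SNAT to
# (the alias must already be configured on UPLINK, e.g. with
# "ip addr add 203.0.113.20/24 dev eth0" -- assumed address).
nat_rules() {
    alias_ip=${1:-$HOST_ALIAS_IP}
    echo "sysctl -w net.ipv4.ip_forward=1"
    # guests out to the internet, and replies back in (state tracking only)
    echo "iptables -A FORWARD -i $BRIDGE -o $UPLINK -s $SUBNET -j ACCEPT"
    echo "iptables -A FORWARD -i $UPLINK -o $BRIDGE -d $SUBNET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # guest-to-guest traffic crosses the bridge at layer 2 but still hits FORWARD
    # when bridge-nf-call-iptables is on, so allow it explicitly
    echo "iptables -A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT"
    # guests reaching the host itself (the page says they need this)
    echo "iptables -A INPUT -i $BRIDGE -s $SUBNET -j ACCEPT"
    if [ -n "$alias_ip" ]; then
        # rewrite source to the second host IP instead of the primary one
        echo "iptables -t nat -A POSTROUTING -s $SUBNET -o $UPLINK -j SNAT --to-source $alias_ip"
    else
        echo "iptables -t nat -A POSTROUTING -s $SUBNET -o $UPLINK -j MASQUERADE"
    fi
}

# Define, autostart and start the network with virsh (needs root and libvirtd).
apply_network() {
    tmp=$(mktemp) || return 1
    guestnet_xml > "$tmp"
    virsh net-define "$tmp" && virsh net-autostart "$NET_NAME" && virsh net-start "$NET_NAME"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Nothing is applied unless APPLY=1; by default the script only prints.
if [ "${APPLY:-0}" = "1" ]; then
    apply_network
else
    guestnet_xml
    echo "# manual equivalent (only if you do NOT let libvirt manage NAT):"
    nat_rules
fi
```

Run it once to review the XML and rules, then `APPLY=1 ./guestnet.sh` to define the network; guests then attach with `<interface type='network'><source network='guestnet'/></interface>`. Use either libvirt's NAT or the printed rules, not both, or you get duplicate POSTROUTING entries. Note that libvirt's own rule is a MASQUERADE to whatever address the routing table picks for eth0, so to source from the alias IP you need the SNAT rule (or, on libvirt 1.0.3 and later, a `<nat><address start='X' end='X'/></nat>` child inside `<forward>`), and the INPUT rule above is deliberately broad; tighten it to the ports the guests actually need on the host.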
