TopicTracker
From HackerNews

Per-VM Guest Networking Without a Bridge

Explains how to configure per-VM guest networking on Linux without a bridge, using macvtap or ipvlan interfaces to connect VMs directly to the physical network, improving performance and simplifying configuration.

Background

- **Bridge networking** is the standard way VMs reach the outside world: the host creates a software bridge (a virtual switch) and plugs each VM into it. It works well, but it adds configuration complexity, limits performance, and is a security concern when guests must not see each other's traffic, because every guest shares one Layer 2 domain.
- **Without a bridge** means giving each VM its own direct, isolated path to the physical network: passing through a dedicated NIC, attaching the guest with macvtap/MACVLAN or IPVLAN on the physical interface, or routing its traffic at Layer 3. This avoids the shared-L2-domain problem.
- **Who this matters to**: anyone running multiple VMs (KVM/QEMU, Proxmox, etc.) who needs high throughput, low latency, or strict tenant isolation, which is common in homelabs, edge computing, and bare-metal cloud setups.
- **Why now**: as network cards get faster (25/100 Gbps) and security requirements tighten, the bridge's bottlenecks and shared-namespace risks become harder to ignore.
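As an added example (not from the linked article), the libvirt side of the macvtap option: a helper that emits the `<interface type='direct'>` definition for one guest, and an audit that flags NICs in a domain definition which still place the guest in a shared L2 domain. The element and mode names (`vepa`, `bridge`, `private`, `passthrough`) are real libvirt options; the domain XML, device names and VM name are constructed sample values.

```python
import xml.etree.ElementTree as ET

# libvirt macvtap modes. True = the host itself does not isolate co-located
# guests: "bridge" switches frames between guests locally, and "vepa" only
# isolates if the external switch refuses to hairpin them back.
MACVTAP_MODES = {"bridge": True, "vepa": True, "private": False, "passthrough": False}


def macvtap_interface_xml(parent_dev, mode="private", mac=None):
    """Return one <interface type='direct'> element (macvtap on parent_dev)."""
    if mode not in MACVTAP_MODES:
        raise ValueError(f"unknown macvtap mode: {mode}")
    iface = ET.Element("interface", type="direct")
    ET.SubElement(iface, "source", dev=parent_dev, mode=mode)
    if mac:
        ET.SubElement(iface, "mac", address=mac)
    ET.SubElement(iface, "model", type="virtio")
    return ET.tostring(iface, encoding="unicode")


def audit_isolation(domain_xml):
    """List (type, device, mode) for every NIC that leaves this guest in a
    shared L2 domain with other guests on the host: any type='bridge' NIC,
    or a macvtap NIC whose mode is not private/passthrough."""
    root = ET.fromstring(domain_xml)
    findings = []
    for iface in root.iter("interface"):
        kind = iface.get("type")
        src = iface.find("source")
        if kind == "bridge":
            findings.append((kind, src.get("bridge") if src is not None else None, None))
        elif kind == "direct":
            # libvirt's default mode for a direct interface is vepa
            mode = src.get("mode", "vepa") if src is not None else "vepa"
            if MACVTAP_MODES.get(mode, True):
                findings.append((kind, src.get("dev") if src is not None else None, mode))
    return findings


# Constructed sample domain definition: only the third NIC is host-isolated.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>tenant-a</name>
  <devices>
    <interface type='bridge'><source bridge='br0'/></interface>
    <interface type='direct'><source dev='eth0' mode='bridge'/></interface>
    <interface type='direct'><source dev='eth0' mode='private'/></interface>
    <interface type='direct'><source dev='eth1'/></interface>
  </devices>
</domain>"""

if __name__ == "__main__":
    print(macvtap_interface_xml("eth0", "private", "52:54:00:aa:bb:cc"))
    for finding in audit_isolation(SAMPLE_DOMAIN_XML):
        print("shared L2:", finding)
```

Running the audit over `virsh dumpxml <vm>` output for each guest is a quick way to confirm that a migration away from the bridge actually left no NIC behind.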

Related stories

  • The article contrasts the open-source software model, where a single maintainer handles ten million weekly downloads for free, with the invisible hand of market economics, highlighting the sustainability challenges and unpaid labor behind widely used digital infrastructure.