QEMU VM on orange0 Bridge Interface

I spent a lot of time trying to figure out how to have a virtual (bridged) orange0 interface to allow a QEMU virtual machine to be on a virtual DMZ network, and thought I would share. Below are the steps I followed that [finally] worked for me. I am now able to have an inbound firewall rule to a specific port on the virtual machine's IP on orange0, while this VM on orange0 has no access to any other network (i.e. green or blue) and can only reach out to the internet via red.

I am open to suggestions as I am not a network expert and spent a lot of time interpreting the guides to achieve this setup.

1. Create the orange0 bridge by following the steps outlined in the following article, copied below:

To create “orange0” persistently at system startup, put this script as “brctl-orange0” in the /etc/init.d folder:

    #!/bin/sh
    set +x

    . /etc/sysconfig/rc
    . $rc_functions

    case "${1}" in
        start)
            boot_mesg "Create bridge orange0..."
            brctl addbr orange0
            ;;

        stop)
            boot_mesg "Destroy bridge orange0..."
            brctl delbr orange0
            ;;

        *)
            echo "Usage: ${0} {start|stop}"
            exit 1
            ;;
    esac

cd to /etc/rc.d/rc3.d and run the following command to create a symlink:

ln -sf /etc/init.d/brctl-orange0 S16orange

Update the file:

/var/ipfire/ethernet/settings

with something like:

ORANGE_MODE=bridge
ORANGE_DEV=orange0
ORANGE_ADDRESS=10.0.0.1
ORANGE_NETMASK=255.255.255.0
ORANGE_NETADDRESS=10.0.0.0

Run SETUP again and modify it to include the orange0 network. This will allow the orange0 zone to show up in the web console.

*The above setup was a bit odd, as it told me it could not see the orange0 adapter but still added it.*

2. After rebooting, I then followed the steps below from the linked article.

NOTE: One thing I had to realize was that I needed to follow the section “You have a real NIC...”, as this was created by the above steps, even though technically it is a virtual NIC and it is already in bridge mode.

Start your QEMU Command and append the following to create and connect a bridged network for the VM:

    -netdev tap,id=net0,ifname=tap0,br=orange0,script=no,downscript=no \
    -device virtio-net-pci,netdev=net0

Full example that I use:

    qemu -vnc :1 -hda /data/disk.img -m 4048 -cdrom /mnt/share1/disk.iso -boot c -usbdevice tablet -smp 8 -vga qxl -device AC97 -enable-kvm -netdev tap,id=net0,ifname=tap0,br=orange0,script=no,downscript=no -device virtio-net-pci,netdev=net0 &

Wait 1 second after the above command and then run the following commands, which will attach the tap0 interface to the orange bridge.

    ip link set tap0 master orange0
    ip link set tap0 up

EDIT: moderator formatted code block

Hi, welcome to the forum and happy new year.

Since you haven’t asked any questions, I might have one.

I think the difference between the two instructions is simply whether you have a physical network interface available or whether you only have two (red/green) and set up orange virtually with green.

I also think that the virtual interface can be easily created via the setup because it creates a virtual one and the bridge can then be set via the webGUI. But I can’t guarantee that.

My question is, QEMU provides a virtual machine in addition to IPfire, which you can use to set up an orange network for web services, as you mentioned.

What else would be possible? I can’t think of any other possible applications because the virtual machine cannot be used as a second security level, but only as a client in green/blue/orange. Or am I too stuck in my ways to come up with any other useful examples?

Thanks.

Greetz


Dear @rainmakerxiii,
I had similar issues back then and the simple solution I found was the following.

  1. www.ipfire.org - Zone Configuration: I followed this guide to set up an orange zone in the first place.
  2. www.ipfire.org - QEMU: use this guide to set up “/var/ipfire/ethernet/settings” with the ORANGE parameters. As mentioned in the guide, only orange network related configs are important.
  3. I assume only libvirt is installed, so I tweaked the script from the author in step 2 to the following /etc/init.d/qemu-orange0:
    #!/bin/sh
    set +x

    . /etc/sysconfig/rc
    . $rc_functions

    case "${1}" in
        start)
            boot_mesg "Create Network orange for qemu..."
            ip link add name orange0 type bridge
            sleep 1
            ip link set orange0 up
            ;;

        stop)
            boot_mesg "Remove Network orange for qemu..."
            ip link set orange0 down
            ip link delete orange0 type bridge
            ;;

        *)
            echo "Usage: ${0} {start|stop}"
            exit 1
            ;;
    esac

As you can see, I only use ip commands so that I don't need to install openvpn. I then linked the new init.d script so that it starts with the OS: ln -s /etc/init.d/qemu-orange0 /etc/rc.d/rc3.d/S16orange

  4. Then, instead of creating another init.d script, just use libvirt's autostart capabilities by adding whatever VM I need via the command “virsh autostart <vm>”. Because virsh now takes care of the VMs, it also ensures a clean shutdown and boot.

Not sure if this helps you a bit, but with this I only need one additional script and the rest is basically supported on-board tools from IPFire itself.
Have a great weekend.

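Both procedures in this thread (the brctl-based one in the first post and the ip-based libvirt variant above) end in the same state: a bridge named orange0, /var/ipfire/ethernet/settings declaring ORANGE_MODE=bridge and ORANGE_DEV=orange0, and the VM's tap interface enslaved to that bridge. The isolation the original poster wants only holds if every one of those pieces is actually in place, so the script below is an added example (not code from either poster, nor part of IPFire) that checks them. It works on text, so the settings file and the `ip -o link show` output embedded here are constructed samples and the script runs without a firewall at hand; the `--live` flag, and the use of the file path and interface names exactly as they appear in the thread, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or IPFire): verify that the orange0
# bridge setup described in the thread actually ended up the way the posts expect.
# Every check parses text, so it can run on captured output as well as live.

# Constructed sample of /var/ipfire/ethernet/settings (values taken from the thread).
SAMPLE_SETTINGS='GREEN_DEV=green0
GREEN_ADDRESS=192.168.1.1
ORANGE_MODE=bridge
ORANGE_DEV=orange0
ORANGE_ADDRESS=10.0.0.1
ORANGE_NETMASK=255.255.255.0
ORANGE_NETADDRESS=10.0.0.0'

# Constructed sample of "ip -o link show": tap0 is enslaved to orange0 and up,
# tap1 exists but was never attached (the state you get when the
# "ip link set tap0 master orange0" step is skipped).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: orange0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master orange0 state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
6: tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff'

# settings_value TEXT KEY: print the value of the first KEY=value line in TEXT.
settings_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_orange_settings TEXT: succeed only if orange is declared as the orange0
# bridge, which is what makes the zone show up in the web console and lets
# firewall rules target it.
check_orange_settings() {
    [ "$(settings_value "$1" ORANGE_MODE)" = "bridge" ] || return 1
    [ "$(settings_value "$1" ORANGE_DEV)" = "orange0" ] || return 1
}

# bridge_ports LINKTEXT BRIDGE: list every interface enslaved to BRIDGE.
# Anything listed here sits on the orange segment, so the list should contain
# only the VM taps you meant to expose there.
bridge_ports() {
    printf '%s\n' "$1" | awk -v br="$2" '{
        for (i = 1; i <= NF; i++)
            if ($i == "master" && $(i + 1) == br) { sub(/:$/, "", $2); print $2 }
    }'
}

# tap_attached LINKTEXT BRIDGE TAP: succeed if TAP is enslaved to BRIDGE and UP.
tap_attached() {
    printf '%s\n' "$1" | grep -q "^[0-9]*: $3: .*master $2 .*state UP"
}

# Live mode on the firewall itself; the path and names are the ones used in the
# thread (assumption of this example).
if [ "${1:-}" = "--live" ]; then
    if check_orange_settings "$(cat /var/ipfire/ethernet/settings)"; then
        echo "settings: orange zone is bridge mode on orange0"
    else
        echo "settings: orange zone is NOT bridge mode on orange0"
    fi
    echo "ports on orange0: $(bridge_ports "$(ip -o link show)" orange0)"
    if tap_attached "$(ip -o link show)" orange0 tap0; then
        echo "tap0 is attached to orange0 and up"
    else
        echo "tap0 is NOT attached to orange0 (or is down)"
    fi
fi
```

Run it as `sh check-orange0.sh --live` on the firewall after the VM is started; an empty port list or a failed tap check means the VM is not on the DMZ segment at all, and an unexpected extra port means something other than the VM tap has been joined to orange.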