Networking Guide

QV-NET-001 Rev 1.0 â€” January 2026

Complete guide to QuantaVirt virtual networking â€” network modes, VirtIO-net and legacy NIC emulation, vhost acceleration, VLANs, PQC-encrypted tunnels, and firewall configuration. QuantaVirt provides flexible networking through software bridges, NAT, and direct physical NIC bridging.

Networking Overview #

Each VM connects to one or more virtual networks through emulated network interfaces. QuantaVirt manages virtual switches (bridges), DHCP, DNS forwarding, and NAT. Network traffic between VMs on the same bridge stays within the hypervisor; external traffic is routed through the host's physical NICs.

Mode	Connectivity	DHCP	Use Case
NAT	VMs access external networks via NAT through host IP	Built-in	Development, isolated environments, default for new installs
Bridge	VMs appear as peers on the physical LAN	External	Production servers, data center deployment
Isolated	VM-to-VM only â€” no external access	Built-in	Internal services, database tiers, testing
PQC Tunnel	Encrypted overlay between hypervisor hosts	Built-in	Cross-host VM communication with quantum-resistant encryption

Virtual Networks #

# List all virtual networks
quantavirt network list
# NAME        MODE      BRIDGE    SUBNET            ACTIVE VMs
# default     nat       qvbr0     10.0.100.0/24     3
# internal    isolated  qvbr1     10.0.200.0/24     2
# office      bridge    qvbr2     (external DHCP)   5

# Show detailed network info
quantavirt network show default
# Name:       default
# Mode:       NAT
# Bridge:     qvbr0
# Subnet:     10.0.100.0/24
# Gateway:    10.0.100.1
# DHCP Range: 10.0.100.100 â€“ 10.0.100.254
# DNS:        10.0.100.1 (forwarding to host resolv.conf)
# Attached:   ubuntu-server (52:54:00:a1:b2:c3 â†’ 10.0.100.101)

# Delete a network (must have no attached VMs)
quantavirt network delete internal

NAT Mode #

NAT networks provide outbound internet connectivity for VMs while hiding them behind the host's IP address. QuantaVirt runs a built-in DHCP server and DNS forwarder on the bridge interface. Inbound connections require explicit port forwarding rules.

# Create a NAT network
quantavirt network create \
  --name devnet \
  --mode nat \
  --subnet 10.0.50.0/24 \
  --dhcp-start 10.0.50.100 \
  --dhcp-end 10.0.50.200

# Port forwarding: host:8080 â†’ VM:80
quantavirt network forward devnet \
  --protocol tcp \
  --host-port 8080 \
  --guest-ip 10.0.50.101 \
  --guest-port 80

# List port forwards
quantavirt network forward-list devnet

Bridge Mode #

Bridged networking connects VMs directly to a physical network interface. VMs receive IP addresses from the physical network's DHCP server and appear as independent hosts on the LAN. This is the recommended mode for production server workloads.

# Create a bridged network attached to physical eth0
quantavirt network create \
  --name production \
  --mode bridge \
  --interface eth0

# Create bridged network with specific bridge name
quantavirt network create \
  --name dmz \
  --mode bridge \
  --interface eth1 \
  --bridge-name qvbr-dmz

Note: Bridging takes over the physical interface. If the hypervisor host uses the same interface for management, configure a management VLAN or use a separate NIC for the bridge to avoid losing connectivity.

Isolated Mode #

Isolated networks have no route to the host or external networks. VMs on an isolated network can only communicate with each other. This is ideal for backend database tiers, internal microservices, and testing environments.

# Create an isolated network
quantavirt network create \
  --name db-internal \
  --mode isolated \
  --subnet 10.0.200.0/24

Virtual NIC Types #

NIC Type	Paravirtual	Multi-Queue	Offload	Max Throughput	Guest Driver
VirtIO-net	âœ… Yes	âœ… Up to 256 queues	âœ… TSO, GSO, GRO, csum	~40 Gbps (vhost-user)	In-kernel (Linux), VirtIO-Win (Windows)
e1000	âŒ Emulated	âŒ Single queue	Partial (csum)	~1 Gbps	Built-in on most OS
e1000e	âŒ Emulated	âŒ Single queue	Partial (csum, TSO)	~1 Gbps	Built-in on most OS

Recommendation: Always use VirtIO-net for Linux guests and modern Windows guests with VirtIO-Win drivers installed. Use e1000/e1000e only for legacy guest OS without VirtIO driver support.

vhost Acceleration #

vhost moves the VirtIO data plane processing from the hypervisor's main loop into a dedicated kernel thread or userspace process, significantly improving network throughput and latency.

Backend	Processing	Throughput	Latency	When to Use
Userspace (default fallback)	Hypervisor main loop	~5 Gbps	~50 Î¼s	Compatibility fallback
vhost-net (kernel)	Host kernel thread	~20 Gbps	~15 Î¼s	General purpose, easy setup
vhost-user (DPDK)	Userspace DPDK process	~40 Gbps	~5 Î¼s	Maximum throughput, NFV workloads

# In VM configuration JSON â€” vhost is enabled by default
"network": [{
  "type": "virtio-net",
  "network": "production",
  "queues": 4,
  "vhost": true,
  "offload": {
    "tso4": true,
    "tso6": true,
    "gso": true,
    "gro": true,
    "csum": true
  }
}]

VLANs #

QuantaVirt supports IEEE 802.1Q VLAN tagging on virtual networks. VMs can be placed on specific VLANs for network segmentation without requiring multiple physical NICs.

# Create a VLAN-tagged network on physical interface eth0
quantavirt network create \
  --name engineering \
  --mode bridge \
  --interface eth0 \
  --vlan 100

quantavirt network create \
  --name finance \
  --mode bridge \
  --interface eth0 \
  --vlan 200

# Attach VM to VLAN network
# In config: "network": [{ "type": "virtio-net", "network": "engineering" }]

PQC-Encrypted Tunnels #

QuantaVirt can encrypt all VM network traffic with post-quantum cryptography. PQC tunnels create point-to-point encrypted channels between hypervisor hosts, protecting VM-to-VM traffic from quantum-capable adversaries performing traffic capture.

Tunnel Component	Algorithm	Purpose
Key Exchange	ML-KEM-768	Establish shared session key between hosts
Authentication	ML-DSA-65	Authenticate tunnel endpoints (host identity)
Data Encryption	AES-256-GCM	Encrypt each network packet payload
Nonces	QRNG	Hardware-generated nonces for each packet (if QUAC 100 present)

# Create a PQC-encrypted tunnel network between two hosts
quantavirt network create \
  --name pqc-overlay \
  --mode tunnel \
  --tunnel-peer 192.168.1.20 \
  --tunnel-kem ML-KEM-768 \
  --tunnel-aead AES-256-GCM \
  --subnet 10.0.250.0/24

# Per-VM tunnel (encrypt only specific VM traffic)
"network": [{
  "type": "virtio-net",
  "network": "production",
  "pqc_tunnel": true
}]

# Check tunnel status
quantavirt network tunnel-status pqc-overlay
# Peer:        192.168.1.20
# State:       ESTABLISHED
# KEM:         ML-KEM-768 (QUAC 100 hardware)
# AEAD:        AES-256-GCM
# Session Key: rotated 2m ago (next rotation in 58m)
# Packets TX:  1,234,567  (encrypted)
# Packets RX:  1,234,401  (verified)

Performance Impact: PQC tunnel encryption adds approximately 2â€“5 Î¼s latency per packet with QUAC 100 hardware acceleration. Without hardware acceleration (software backend), expect 15â€“30 Î¼s additional latency. Throughput impact is minimal at line rates below 25 Gbps with QUAC 100.

Firewall Rules #

QuantaVirt includes a built-in packet filter for virtual networks. Rules are applied at the bridge level and can filter by protocol, port, source/destination IP, and direction.

# Allow SSH to a specific VM
quantavirt network rule add default \
  --direction in \
  --protocol tcp \
  --dest-port 22 \
  --dest-ip 10.0.100.101 \
  --action accept

# Block all outbound traffic from a VM
quantavirt network rule add default \
  --direction out \
  --source-ip 10.0.100.105 \
  --action drop

# List firewall rules
quantavirt network rule list default

# Default policy: ACCEPT (all traffic allowed unless explicitly denied)
# Change default policy to DROP
quantavirt network rule set-policy default --default drop

Advanced Networking #

Jumbo Frames

# Set MTU on virtual network
quantavirt network set production --mtu 9000

# Per-VM MTU override in config
"network": [{ "type": "virtio-net", "network": "production", "mtu": 9000 }]

SR-IOV Passthrough

For maximum network performance, QuantaVirt supports SR-IOV passthrough. Physical NIC Virtual Functions (VFs) are assigned directly to VMs via IOMMU, bypassing the virtual switch entirely.

# Enable SR-IOV VFs on physical NIC
quantavirt system sriov enable --interface eth0 --num-vfs 8

# Assign VF to VM via PCI passthrough
quantavirt vm set myvm --pci-add 0000:05:02.0  # VF BDF address

Multi-NIC Configuration

# VM with three NICs on different networks
"network": [
  { "type": "virtio-net", "network": "management", "mac": "52:54:00:00:01:01" },
  { "type": "virtio-net", "network": "production", "mac": "52:54:00:00:01:02", "queues": 8 },
  { "type": "virtio-net", "network": "storage-net", "mac": "52:54:00:00:01:03", "mtu": 9000 }
]

Network Troubleshooting #

Symptom	Likely Cause	Resolution
VM has no IP address	DHCP server not running, wrong network	Check `quantavirt network show <name>`, verify DHCP range
VM can't reach internet	NAT not configured, DNS forwarding issue	Verify NAT mode, check host resolv.conf, test `ping 8.8.8.8`
VM-to-VM traffic fails	VMs on different networks, firewall rules	Verify both VMs on same network, check `network rule list`
Low throughput	vhost disabled, wrong NIC type	Enable vhost, use VirtIO-net, enable multi-queue
Bridged VM not reachable from LAN	MAC filtering on physical switch	Allow new MACs on switch port, or use macvtap
PQC tunnel fails to establish	Firewall blocking, key mismatch	Check UDP port 4789 open between hosts, verify PQC backend status

Was this page helpful? Send feedback to docs@dyber.org