How to macvtap multiple NICs on Ubuntu KVM?

Is anyone running Sophos as a virtual machine on Ubuntu KVM? If so, please read on (sorry for the long post).

I have been running KVM on some CentOS 7 servers but have decided instead to get KVM up and running on Ubuntu as that is what all my other servers are based on. The KVM host machine has 3 NICs so Sophos UTM can have 1 for local LAN management interface, 1 for a DMZ and 1 for the WAN internet connection. I had this all working nicely on CentOS KVM but I'm having a problem with the WAN NIC on the Ubuntu KVM host. I think it's because I haven't defined it correctly in /etc/network/interfaces:


auto br0
iface br0 inet static
    address 192.168.0.102
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    dns-nameservers 192.168.0.254
    dns-search edwards.local
    bridge_ports em1
    bridge_stp on
    bridge_maxwait 0

# DMZ NIC
auto p255p1
iface p255p1 inet dhcp

# WAN NIC
auto p255p2
iface p255p2 inet dhcp


On the CentOS KVM host the 2 additional NICs don't have IP4 addresses (I'm ignoring the IP6 stuff):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
link/ether 08:2e:5f:1b:18:02 brd ff:ff:ff:ff:ff:ff
inet6 fe80::a2e:5fff:fe1b:1802/64 scope link
valid_lft forever preferred_lft forever
3: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:11:0a:55:d9:50 brd ff:ff:ff:ff:ff:ff
inet6 fe80::211:aff:fe55:d950/64 scope link
valid_lft forever preferred_lft forever
4: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:11:0a:55:d9:51 brd ff:ff:ff:ff:ff:ff
inet6 fe80::211:aff:fe55:d951/64 scope link
valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 08:2e:5f:1b:18:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.103/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::a2e:5fff:fe1b:1802/64 scope link
valid_lft forever preferred_lft forever
6: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 52:54:00:04:90:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 500
link/ether 52:54:00:04:90:00 brd ff:ff:ff:ff:ff:ff
35: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN qlen 500
link/ether fe:54:00:2e:43:af brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe2e:43af/64 scope link
valid_lft forever preferred_lft forever
36: macvtap0@enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
link/ether 00:0c:29:79:d4:e5 brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fe79:d4e5/64 scope link
valid_lft forever preferred_lft forever
37: macvtap1@enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
link/ether 00:0c:29:79:d4:f2 brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fe79:d4f2/64 scope link
valid_lft forever preferred_lft forever


But on the Ubuntu KVM host the 2 additional NICs do have IP4 addresses, which results in the host's physical NIC getting an IP address from my cable modem, whereas the virtual NIC on the firewall VM should be getting that IP address:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether 08:2e:5f:0e:64:3a brd ff:ff:ff:ff:ff:ff
3: p255p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:15:17:2e:62:44 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global p255p1
valid_lft forever preferred_lft forever
inet6 fe80::215:17ff:fe2e:6244/64 scope link
valid_lft forever preferred_lft forever
4: p255p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:15:17:2e:62:45 brd ff:ff:ff:ff:ff:ff
inet 220.239.102.151/20 brd 220.239.111.255 scope global p255p2
valid_lft forever preferred_lft forever
inet6 fe80::215:17ff:fe2e:6245/64 scope link
valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 08:2e:5f:0e:64:3a brd ff:ff:ff:ff:ff:ff
inet 192.168.0.102/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::a2e:5fff:fe0e:643a/64 scope link
valid_lft forever preferred_lft forever
6: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether d2:5c:3f:47:92:60 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
link/ether fe:54:00:84:05:c5 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe84:5c5/64 scope link
valid_lft forever preferred_lft forever
8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
link/ether fe:54:00:fa:f7:f0 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fefa:f7f0/64 scope link
valid_lft forever preferred_lft forever
9: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
link/ether fe:54:00:ca:03:24 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:feca:324/64 scope link
valid_lft forever preferred_lft forever
10: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
link/ether fe:54:00:dc:9b:80 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fedc:9b80/64 scope link
valid_lft forever preferred_lft forever



My old CentOS KVM host had the NICs defined as follows (different format on CentOS than Ubuntu):

/etc/sysconfig/network-scripts/ifcfg-eno1 :
TYPE="Ethernet"
BOOTPROTO="dhcp"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
NAME="eno1"
#UUID="d514c48c-a68a-43c6-8f70-093f39b128cf"
DEVICE="eno1"
ONBOOT="yes"
BRIDGE=br0

/etc/sysconfig/network-scripts/ifcfg-enp5s0f0 :
DEVICE=enp5s0f0
ONBOOT=no
BOOTPROTO=dhcp
PEERDNS=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
DHCPV6C=no

/etc/sysconfig/network-scripts/ifcfg-enp5s0f1 :
DEVICE=enp5s0f1
ONBOOT=yes
BOOTPROTO=dhcp
PEERDNS=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
DHCPV6C=no


Can anyone please tell me how to define the host's physical NICs on Ubuntu so that they get set up as macvtap and don't "steal" the cable modem from the VM?



  • This question has been viewed almost 1.5k times without anyone responding!!!

    I have been having the exact opposite problem as you, OP. I have CentOS 7 and am trying to virtualize UTM 9.4 through KVM and something with the virtual networking is preventing me from accessing the webadmin portal after installation, even when I try from the hypervisor host!

    Yours is the first post with information about setting up the Sophos software appliance as a VM on CentOS + KVM, although your question is technically about Ubuntu. Sorry that I don't have any Ubuntu information for you to return the favor! Hopefully this will bump your post though and get a reply from Sophos Engineers/Support!

  • Sorry, I did manage to solve this in the end and it was quite simple. The key was to enable the NIC but not have it get an IP address. The way to do that in Ubuntu was to define the NIC with "manual" in /etc/network/interfaces (as per http://lastoctet.com/2009/04/12/bring-up-interface-in-debian-ubuntu-with/) :

    auto enp1s0f0
    iface enp1s0f0 inet manual
    up ifconfig enp1s0f0 up
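
A check for the fix described in the reply above, as an added example that is not part of the original thread: it parses ifupdown stanzas and reports any NIC reserved for guest macvtap use that the host itself would still address, which is how the hypervisor ended up holding the WAN address instead of the firewall VM. The sample text is constructed from the interface names in the question; `parse_interfaces`, `audit_passthrough` and `reserved` are hypothetical names.

```python
# Constructed sample: a shortened copy of the stanzas posted in the question.
BEFORE = """\
auto br0
iface br0 inet static
    address 192.168.0.102
    bridge_ports em1

# DMZ NIC
auto p255p1
iface p255p1 inet dhcp

# WAN NIC
auto p255p2
iface p255p2 inet dhcp
"""
# Corrected form per the reply: link is brought up, no address is requested.
AFTER = BEFORE.replace("inet dhcp", "inet manual")


def parse_interfaces(text):
    """Return {ifname: {"auto": bool, "methods": {family: method}}}."""
    nics = {}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment line
        if words[0] in ("auto", "allow-hotplug"):
            for name in words[1:]:
                nics.setdefault(name, {"auto": False, "methods": {}})["auto"] = True
        elif words[0] == "iface" and len(words) >= 4:
            name, family, method = words[1:4]
            nics.setdefault(name, {"auto": False, "methods": {}})["methods"][family] = method
    return nics


def audit_passthrough(text, reserved):
    """List problems for NICs that must be up on the host but unaddressed."""
    nics = parse_interfaces(text)
    problems = []
    for name in reserved:
        nic = nics.get(name)
        if nic is None or not nic["auto"] or not nic["methods"]:
            problems.append(f"{name}: missing auto or iface stanza, link stays down")
            continue
        for family, method in sorted(nic["methods"].items()):
            if method != "manual":
                problems.append(f"{name}: {family} method '{method}' assigns a host address")
    return problems
```

Run `audit_passthrough(open("/etc/network/interfaces").read(), [...])` with the NICs handed to the guest; an empty list means the host will bring those links up without claiming an address on them.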