ZWRM allocates a /30 subnet per VM with a TAP device for host-to-guest networking. NAT and iptables rules handle outbound connectivity.

Network configuration

[network]
  subnet = "172.16.0.0/16"         # VM network subnet
  external_interface = "eth0"      # Host interface for NAT
The default /16 subnet provides room for ~16,000 VMs (each VM consumes a /30 block of 4 addresses: network, gateway, guest, broadcast).

IP forwarding

IP forwarding must be enabled for VMs to reach the internet. The install script handles this automatically:
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-zwrmd.conf

IPAM

Each VM is allocated a /30 subnet from the configured range:
  • .1 — TAP gateway (host side)
  • .2 — Guest IP (VM side)
VMs receive their IP via kernel boot parameters (static configuration, no DHCP). IP allocations are tracked in the database and released when VMs are destroyed.

NAT rules

ZWRM creates iptables NAT masquerade and FORWARD rules at startup so VMs can reach external networks. Without iptables-persistent, these rules are lost on host reboot but recreated when zwrmd starts. To persist rules across reboots:
sudo apt-get install -y iptables-persistent
sudo systemctl enable netfilter-persistent

Private networking

Enable firewall-based private networking so VMs within the same app can communicate:
[network.bridge]
  enabled = true
  name = "zwrmd0"
  subnet = "10.0.0.0/16"
When enabled, ZWRM creates a dedicated iptables chain whose last rule is a default DROP. Same-app VMs get ACCEPT rules inserted ahead of that DROP, allowing inter-VM communication while isolating apps from each other.
Despite the [network.bridge] section name, private networking uses iptables rules rather than a Linux bridge for inter-VM traffic. Attaching the TAP devices to a bridge is intentionally avoided because it breaks host-to-VM L3 routing.

Firewall chain

The ZWRM iptables chain is managed automatically:
  • On startup: Creates the chain and inserts default DROP
  • On deploy/scale: Adds ACCEPT rules for same-app VM pairs
  • On destroy: Removes rules for destroyed VMs
  • On shutdown: Cleans up NAT rules and the firewall chain
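The following is an added illustration of the IPAM scheme and the firewall chain described above; it is not ZWRM's code. It models /30-per-VM allocation (.1 gateway, .2 guest) with an in-memory dict standing in for the database, and renders the per-pair ACCEPT rules in the order the chain needs them. The chain name "ZWRM", the hypothetical kernel ip= form, and the VM ids are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example, not ZWRM's own code. The database that tracks leases is
# replaced by an in-memory dict; the chain name "ZWRM" is an assumption.

class Ipam:
    """Hands out one /30 per VM from the configured [network] subnet."""

    def __init__(self, cidr: str = "172.16.0.0/16") -> None:
        self.net = ipaddress.ip_network(cidr)
        # Pre-carve the range into /30 blocks; pop from the front on allocate.
        self.free: List[ipaddress.IPv4Network] = list(self.net.subnets(new_prefix=30))
        self.alloc: Dict[str, ipaddress.IPv4Network] = {}  # vm_id -> /30 block

    def capacity(self) -> int:
        return self.net.num_addresses // 4  # 4 addresses per VM

    def allocate(self, vm_id: str) -> Tuple[str, str]:
        """Return (gateway, guest); re-allocating an existing VM is idempotent."""
        if vm_id not in self.alloc:
            if not self.free:
                raise RuntimeError("subnet exhausted")
            self.alloc[vm_id] = self.free.pop(0)
        block = self.alloc[vm_id]
        gw, guest = list(block.hosts())  # a /30's usable hosts are .1 and .2
        return str(gw), str(guest)

    def release(self, vm_id: str) -> None:
        """Return the block to the pool when the VM is destroyed."""
        self.free.insert(0, self.alloc.pop(vm_id))


def kernel_ip_param(gateway: str, guest: str, hostname: str) -> str:
    """Static address via the kernel's ip=client:server:gw:mask:host:dev:autoconf
    boot parameter (assumed form; no DHCP, matching the page's description)."""
    return f"ip={guest}::{gateway}:255.255.255.252:{hostname}::off"


def same_app_rules(chain: str, a_guest: str, b_guest: str) -> List[str]:
    """ACCEPT rules for one same-app pair. '-I <chain> 1' inserts at the top,
    so they always sit before the chain's default DROP appended at startup."""
    return [
        f"iptables -I {chain} 1 -s {a_guest} -d {b_guest} -j ACCEPT",
        f"iptables -I {chain} 1 -s {b_guest} -d {a_guest} -j ACCEPT",
    ]
```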