
Networking

Sistemo uses a Linux bridge to connect all machines. Each machine gets a unique IP and can communicate with other machines and the internet.

Bridge architecture

Host machine
├── sistemo0 bridge (10.200.0.1/16)
│   ├── Machine 1 (10.200.0.2)
│   ├── Machine 2 (10.200.0.3)
│   └── Machine 3 (10.200.0.4)
├── nftables MASQUERADE → internet
└── nftables DNAT → port expose

When the daemon starts, it creates a bridge called sistemo0 with IP 10.200.0.1/16. Each machine gets the next available IP starting from 10.200.0.2.

Machine-to-machine connectivity

Machines can communicate with each other directly via the bridge:

sistemo machine deploy debian --name vm1
# or: sistemo vm deploy debian --name vm1
sistemo machine deploy debian --name vm2

# From vm1, ping vm2
sistemo machine exec vm1 "ping -c 1 10.200.0.3"

# From vm2, ping vm1
sistemo machine exec vm2 "ping -c 1 10.200.0.2"

Info

Machine IPs are shown in sistemo machine status <name> and sistemo machine list.

Internet access

All machines have outbound internet access via nftables MASQUERADE on the host. DNS is configured to 8.8.8.8 and 1.1.1.1.

sistemo machine exec myvm "curl -s https://example.com | head -5"

IP allocation

IPs are allocated sequentially from 10.200.0.2 through 10.200.255.254 (65,533 machines). Allocation is tracked in SQLite.

  • Deploy — allocates the next free IP
  • Stop — IP stays allocated (machine gets the same IP on restart)
  • Delete — IP is released back to the pool
  • Reuse — deleted machine's IP is available for the next deploy

Custom subnet

The default subnet 10.200.0.0/16 works for most setups. If it conflicts with your network, change it in ~/.sistemo/config.yml:

bridge_subnet: "10.50.0.0/16"

The gateway, machine IPs, and boot args all derive automatically from the configured subnet. See Configuration for details.
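The allocation rules above (sequential from .2, lease kept on stop, released on delete and reused on the next deploy, tracked in SQLite) and the derivation of the gateway from bridge_subnet, as an added example. This is illustrative code written for this page, not Sistemo's own implementation: the table layout, the IpPool class and the kernel ip= boot-argument format are assumptions.

```python
import ipaddress
import sqlite3


class IpPool:
    """Sequential machine-IP allocation from a bridge subnet, tracked in SQLite.

    Hypothetical model of the rules on this page, not Sistemo's code: the gateway
    is .1, machines start at .2, a stopped machine keeps its IP, a deleted
    machine's IP goes back to the pool and is the next one handed out.
    """

    def __init__(self, bridge_subnet="10.200.0.0/16", db_path=":memory:"):
        self.subnet = ipaddress.ip_network(bridge_subnet)
        self.gateway = self.subnet.network_address + 1       # e.g. 10.200.0.1
        self.first = int(self.subnet.network_address) + 2    # first machine IP
        self.last = int(self.subnet.broadcast_address) - 1   # last usable host
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS machines ("
            "name TEXT PRIMARY KEY, ip INTEGER UNIQUE NOT NULL, running INTEGER NOT NULL)"
        )

    def capacity(self):
        """Number of machine addresses the subnet can hold (65,533 for a /16)."""
        return self.last - self.first + 1

    def deploy(self, name):
        """Allocate the lowest free IP and record it; returns the dotted address."""
        if self.ip_of(name) is not None:
            raise ValueError(f"machine {name!r} already exists")
        used = {row[0] for row in self.db.execute("SELECT ip FROM machines")}
        for candidate in range(self.first, self.last + 1):
            if candidate not in used:
                break
        else:
            raise RuntimeError("IP pool exhausted")
        self.db.execute("INSERT INTO machines VALUES (?, ?, 1)", (name, candidate))
        self.db.commit()
        return str(ipaddress.ip_address(candidate))

    def stop(self, name):
        """Stopping keeps the lease, so the machine restarts with the same IP."""
        self.db.execute("UPDATE machines SET running = 0 WHERE name = ?", (name,))
        self.db.commit()
        return self.ip_of(name)

    def delete(self, name):
        """Deleting releases the IP back to the pool."""
        self.db.execute("DELETE FROM machines WHERE name = ?", (name,))
        self.db.commit()

    def ip_of(self, name):
        """Current IP of a machine, or None if it is not allocated."""
        row = self.db.execute("SELECT ip FROM machines WHERE name = ?", (name,)).fetchone()
        return None if row is None else str(ipaddress.ip_address(row[0]))

    def boot_ip_arg(self, name, device="eth0"):
        """Kernel 'ip=' boot argument for the machine. The format
        ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
        is the Linux kernel's; that Sistemo uses it is an assumption."""
        ip = self.ip_of(name)
        if ip is None:
            raise KeyError(name)
        return f"ip={ip}::{self.gateway}:{self.subnet.netmask}::{device}:off"


if __name__ == "__main__":
    pool = IpPool()                       # default 10.200.0.0/16
    print(pool.deploy("vm1"), pool.deploy("vm2"))
    pool.delete("vm1")
    print(pool.deploy("vm3"))             # reuses vm1's address
    print(pool.boot_ip_arg("vm3"))
```

Constructing IpPool("10.50.0.0/16") instead reproduces the custom-subnet case: the gateway becomes 10.50.0.1 and the first machine gets 10.50.0.2, with nothing else to configure.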

Named networks

By default, all machines share the sistemo0 bridge and can reach each other. Named networks let you create isolated groups of machines.

# Create networks for different environments
sistemo network create production
sistemo network create staging

# App + database on the same network (they need to talk)
sistemo machine deploy debian --name app --network production
sistemo machine deploy debian --name postgres --network production

# app can reach postgres (same network)
sistemo machine exec app "ping -c 1 10.201.0.3"   # success

# Staging is completely isolated from production
sistemo machine deploy debian --name staging-app --network staging
sistemo machine exec staging-app "ping -c 1 -W 2 10.201.0.2"  # 100% packet loss

# All machines can still reach the internet
sistemo machine exec app "ping -c 1 8.8.8.8"   # success

How it works

Each named network gets its own Linux bridge (br-<name>), its own subnet (an auto-assigned /24 from the 10.201.0.0 to 10.254.0.0 range), and its own NAT rules. An nftables isolation chain (SISTEMO-ISOLATION) blocks forwarded traffic between bridges.

Host
├── sistemo0      (10.200.0.0/16)  ← default network
├── br-backend    (10.201.0.0/24)  ← "backend" network
├── br-frontend   (10.202.0.0/24)  ← "frontend" network
└── SISTEMO-ISOLATION chain: DROP between all bridges

Custom subnets

Auto-assigned subnets are /24 networks from the 10.201.0.0 to 10.254.0.0 range. To choose your own range instead:

sistemo network create db-tier --subnet 192.168.50.0/24

Managing networks

sistemo network list                    # show all networks and machine counts
sistemo network delete backend          # remove (must have no machines)

Machines without --network join the default bridge. You don't need to create named networks for simple setups.
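The named-network bookkeeping described above (one bridge per network, auto-assigned /24s following the diagram's pattern, a custom --subnet that must not collide with an existing network, delete refused while machines remain) together with the pairwise nftables rules an isolation chain between bridges needs, as an added example. It is illustrative code for this page, not Sistemo's own implementation: the NetworkRegistry class, the exact auto-assignment order and the rendered nft table are assumptions, and the rule set covers only isolation and MASQUERADE, not port expose.

```python
import ipaddress
import itertools


class NetworkRegistry:
    """Hypothetical model (not Sistemo's code) of named-network bookkeeping:
    each network is a bridge br-<name> with its own subnet, auto-assigned /24s
    run 10.201.0.0/24 .. 10.254.0.0/24, custom subnets must not overlap, and an
    isolation chain drops forwarded traffic between any two bridges."""

    def __init__(self, default_subnet="10.200.0.0/16"):
        # The default bridge is always present and takes part in isolation.
        self.networks = {"sistemo0": ipaddress.ip_network(default_subnet)}

    def _overlapping(self, subnet):
        return sorted(b for b, net in self.networks.items() if subnet.overlaps(net))

    def _next_auto_subnet(self):
        for second_octet in range(201, 255):
            candidate = ipaddress.ip_network(f"10.{second_octet}.0.0/24")
            if not self._overlapping(candidate):
                return candidate
        raise RuntimeError("no free auto-assigned /24 left")

    def create(self, name, subnet=None):
        """Register br-<name>; returns (bridge, subnet) as strings."""
        bridge = f"br-{name}"
        if bridge in self.networks:
            raise ValueError(f"network {name!r} already exists")
        if subnet is None:
            net = self._next_auto_subnet()
        else:
            net = ipaddress.ip_network(subnet)   # strict: rejects host bits set
            clash = self._overlapping(net)
            if clash:
                raise ValueError(f"{net} overlaps {', '.join(clash)}")
        self.networks[bridge] = net
        return bridge, str(net)

    def delete(self, name, machine_count):
        """Remove a network; refused while machines are still attached."""
        if machine_count:
            raise ValueError(f"network {name!r} still has {machine_count} machine(s)")
        del self.networks[f"br-{name}"]

    def isolation_rules(self):
        """One drop rule per ordered pair of distinct bridges. Traffic between
        machines on the same bridge never matches (iifname == oifname)."""
        bridges = sorted(self.networks)
        return [f'iifname "{a}" oifname "{b}" drop'
                for a, b in itertools.permutations(bridges, 2)]

    def nat_rules(self):
        """Masquerade each subnet on its way out of the host, but not when the
        packet is being forwarded to another Sistemo bridge."""
        bridge_set = ", ".join(f'"{b}"' for b in sorted(self.networks))
        return [f"ip saddr {net} oifname != {{ {bridge_set} }} masquerade"
                for _, net in sorted(self.networks.items())]

    def render_ruleset(self):
        """nft script text: forward-hook isolation chain plus postrouting NAT."""
        lines = ["table inet sistemo {",
                 "    chain SISTEMO-ISOLATION {",
                 "        type filter hook forward priority filter; policy accept;"]
        lines += [f"        {r}" for r in self.isolation_rules()]
        lines += ["    }",
                  "    chain postrouting {",
                  "        type nat hook postrouting priority srcnat; policy accept;"]
        lines += [f"        {r}" for r in self.nat_rules()]
        lines += ["    }", "}"]
        return "\n".join(lines) + "\n"


if __name__ == "__main__":
    reg = NetworkRegistry()
    reg.create("backend")                          # 10.201.0.0/24
    reg.create("frontend")                         # 10.202.0.0/24
    reg.create("db-tier", "192.168.50.0/24")       # custom, no overlap
    print(reg.render_ruleset())
```

The overlap check is what keeps a custom --subnet from silently shadowing the default 10.200.0.0/16 or an earlier auto-assigned /24; when it fails, the error names the bridges that would clash so the operator can pick another range.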

Namespace isolation

Each machine runs inside a Linux network namespace. This provides:

  • Process isolation — machine processes can't see or interact with the host
  • Clean teardown — deleting a namespace removes all network devices automatically
  • SMTP blocking — ports 25, 465, 587 are blocked per-namespace to prevent spam

The namespace contains a small bridge connecting a veth pair (tunnel to the host bridge) with a TAP device (Firecracker's virtual NIC).

Port expose

See Port expose for forwarding host ports to machines.