On host:
$ ip a|grep wl
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.100/24 ...
Using:
virt-manager > Edit > Connection Details > Virtual Networks > Add network
Mode: Routed
Network: 192.168.200.0/24
Accept default DHCP range
Forward to: physical device
Device: wlp1s0 [this is my physical wifi card]
Then:
$ sudo sysctl -w net.ipv4.ip_forward=1
Then check:
$ ip link
<snip>
6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:54:ed:48 brd ff:ff:ff:ff:ff:ff
7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:9b:a7:8e brd ff:ff:ff:ff:ff:ff
Start VM, check DHCP address assigned
On VM guest:
$ ip a|grep enp
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.200.151/24 ...
At this point (with firewalls temporarily off) I was able to ssh to and from host and VM guest using their respective IP addresses.
After adding a static route on my wireless router:
192.168.200.0/24 via 192.168.1.100 (to paraphrase the web form)
I installed apache2 on the VM guest and was able to access
http://192.168.200.151
from my phone over wifi, and websites on the host from the VM guest.
Firewalld actived on host with ssh and https services allowed - ssh and web browsing worked as before.
No nf/iptables jiggery-pokery, but static route on router required.
Perhaps not the most efficient solution, but I try to avoid too many firewall rules because they make my head spin :)
Don't think I've omitted any steps.
Does that help?
Best wishes,
Gareth