Network setup with VLANs

skurg

New Member
Sep 13, 2013
Hi,
my actual network setup is as follows:

Code:
                      eth0 (wan)
                         |
                    Debian Box
                         |
                      eth1
                         |
          ---------------------------------
         |                                |
iface eth1.10              iface eth1.20
vlan-raw-device eth1   vlan-raw-device eth1

         |                                |
          ---------------------------------
                         |
                    VLAN SWITCH
                     |      |
------------------          ---------------
vlan20 sbs2003 server network                vlan10

I want to install sbs2003 server and debian router/firewall on proxmox.
I know that bridges are like physical network switches and are attached to physical network cards, and all VMs can share one bridge. But can you give me an idea how to set this up, because it is hard for me to imagine this in a virtual environment on one physical Proxmox host.

Please tell me if this is correct?
- 2 physical interfaces
- eth0 - wan
VirtualMachine1:
- eth1 - bridge to Debian Box VM
- on the Debian box two virtual interfaces, one (eth0) is wan bridged to physical eth1 and the second (eth1) is vlan1 eth1.10 (vlan-raw-device eth1) and vlan2 eth1.20 (vlan-raw-device eth1)

and now I'm confused what to do with the sbs2003 server VM :D
 
Hi,
simply create a separate bridge for each network - you can also use a VLAN for your WAN, and then you can use a single NIC on the Proxmox host for all networks.
And if you use a cluster with shared storage, you can also live-migrate your VMs (even the firewall) without trouble. I'm not sure if this works with a dedicated NIC.

Like
vmbr0 -> vlan10 (vmbr10 for vlan10 fits better, but the pve-communication must be done on vmbr0 (or eth0)).
vmbr20 -> vlan20
vmbr999 -> vlan999 (wan)?

Then you can use all networks you like inside the VMs....

Udo
 
Thanks for the reply.
I found this
Proxmox VE host needs firewall protection. Currently the default installation does not have any firewall installed/activated. The most secure way is using a external hardware firewall.
So my setup with Debian as a virtual machine firewall for my internal LAN makes no sense?! I need another firewall to protect the Proxmox host and its VMs. Or do I have to make the Proxmox host a dedicated firewall for the VMs??
 
Hi,
it depends on how security is defined - in your setup it's possible to reach the host without the firewall with an exploit of the network driver... not impossible, but who says that a hardware firewall (which also runs software) does not have similar problems?
Of course, with an external firewall the issue is not on the pve side - so it's easy for the pve team to give this recommendation (I would do the same).

I have a comparable setup on one server and it has run fine for years (yes, I also have a dedicated firewall).
Edit: the software firewall is a hardened Linux (Devil-Linux), but this doesn't help against network-stack issues on the host.

Udo
 
Thanks again.

Well, I can't even start because I can't ping my gateway 192.168.1.1.

I commented out everything in /etc/network/interfaces except

iface eth0 inet static
address 192.168.1.6
netmask 255.255.255.0
gateway 192.168.1.1
broadcast 255.255.255.255
network 192.168.1.0

ip route show
192.168.1.0/24 dev eth0 src 192.168.1.6
And I can't ping 192.168.1.1. I get Destination host unreachable!

The same problem is here I think http://forum.proxmox.com/threads/11...e-in-proxmox-doesn-t-works-in-virtual-machine
 
All on the host. I can not ping my gateway (modem) from the proxmox host.
Hi,
using eth0 instead of a bridge is not the best idea. Is the bridge yet active?
What is the output of
Code:
ifconfig -a
brctl show
In your first network diagram it looks like you don't access the pve host from the WAN network (e.g. 192.168.1.0/24)?!

Udo
 
Well the first diagram is my future idea.

My current problem is the connectivity with my wan (modem).

After the Proxmox installation I can connect to the Proxmox host via the web interface through vmbr0 (10.0.0.2).

/etc/network/interfaces:
iface eth0 inet manual

auto eth1
iface eth1 inet static
address 192.168.1.5
netmask 255.255.255.0
gateway 192.168.1.1

auto vmbr0
iface vmbr0 inet static
address 10.0.0.2
netmask 255.255.255.0
bridge_ports eth0
bridge_stp off
bridge_fd 0
Why can't I ping my gateway (192.168.1.1) from the Proxmox host? This is sick!

I changed /etc/network/interfaces like this:

iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
address 10.0.0.2
netmask 255.255.255.0
bridge_ports eth0
bridge_stp off
bridge_fd 0

auto vmbr1
iface vmbr1 inet static
address 192.168.1.5
netmask 255.255.255.0
bridge_ports eth1
bridge_stp off
bridge_fd 0
And it works. I can now ping my modem from the Proxmox host. WHY? Is it because the Proxmox host is configured to have only limited access to the internet, for example just for bridging?

So back to firewall. Tell me if this setup is correct and secure?

Internet <-> proxmox eth0 and vmbr0 without IP address <-> Debian Firewall with VM NAT <-> LAN

Or it should look like this:

Internet <-> proxmox host firewall eth0 and NAT <-> vmbr0 <-> Debian Firewall VM with NAT <-> LAN. But two firewalls??
 
Hi,
I would use vmbr1 instead of vmbr0 (or vmbr99...) because vmbr0 is used for cluster communication - and if you expand your pve system you don't want that communication on the WAN side.
I mean:
Internet -> eth1 -> vmbr1 (without IP on the host) -> Firewall-VM -> vmbr0 (or another vmbr because of vlan-tagging).

Udo
 
You are helping me a lot with this idea. Thank you!

I drew this topology.

file.JPG
Can you tell me if everything is correct?

I think I will have a problem with VLANS in the future...
 
Hi,
two problems in your drawing:
1. You need an IP on vmbr0 (the IP which you chose during installation).
2. Each network needs its own bridge.

You can reach your goal with something like this:
Code:
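# Physical NIC carrying the tagged VLANs (trunk port on the switch)
auto eth0
iface eth0 inet manual

# VLAN sub-interfaces on the trunk
auto eth0.10
iface eth0.10 inet manual

auto eth0.20
iface eth0.20 inet manual

# Physical NIC facing the WAN
auto eth1
iface eth1 inet manual

# vlan10 bridge, the only bridge that carries a host IP
auto vmbr0
iface vmbr0 inet static
        address  192.168.10.11
        netmask  255.255.255.0
        bridge_ports eth0.10
        gateway 192.168.10.1
        bridge_stp off
        bridge_fd 0

# WAN bridge, no IP on the host ("auto" added so it comes up at boot)
auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

# vlan20 bridge ("auto" added so it comes up at boot)
auto vmbr20
iface vmbr20 inet manual
        bridge_ports eth0.20
        bridge_stp off
        bridge_fd 0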
Your sbs2003 has one NIC on vmbr20, the firewall has NICs on vmbr1, vmbr0 and vmbr20.
On your switch you must enable VLAN tagging for vlan10 + 20 on the port which goes to eth0 on your host.

How do you route between vlan10 and vlan20 at the moment?

Udo
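
A check for the layout described in the reply above (one bridge per network, no host IP on the WAN-facing bridge), added here as an example and not part of the original thread. The names `parse_interfaces` and `audit` and the `wan_port` default are assumptions, and the sample input is constructed.

```python
# Constructed sample: the layout suggested above with two deliberate mistakes
# (a host address on the WAN bridge vmbr1, no "auto" line for vmbr20).
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
        address 192.168.10.11
        bridge_ports eth0.10

auto vmbr1
iface vmbr1 inet static
        address 192.168.1.5
        bridge_ports eth1

iface vmbr20 inet manual
        bridge_ports eth0.20
"""

def parse_interfaces(text):
    """Parse ifupdown stanzas into ({iface: options}, {names marked auto})."""
    stanzas, auto, current = {}, set(), None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if words[0] in ("auto", "allow-hotplug"):
            auto.update(words[1:])
            current = None
        elif words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {"method": words[3]})
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas, auto

def audit(text, wan_port="eth1"):
    """Return findings for bridges that break the layout described above."""
    stanzas, auto = parse_interfaces(text)
    findings = []
    for name, opts in stanzas.items():
        ports = opts.get("bridge_ports", "").split()
        if not ports:
            continue  # not a bridge stanza
        # The host must stay unreachable from the WAN segment.
        if wan_port in ports and (opts["method"] != "manual" or "address" in opts):
            findings.append(f"{name}: WAN-facing bridge has a host address")
        # Two ports on one bridge merge two networks into one L2 segment.
        if len(ports) > 1:
            findings.append(f"{name}: {', '.join(ports)} bridged into one segment")
        if name not in auto:
            findings.append(f"{name}: no 'auto' line, not brought up at boot")
    return findings
```

Calling `audit(open("/etc/network/interfaces").read(), wan_port="eth1")` on the host runs the same checks against the live file.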
 
Thanks again. The drawing is ok now, right?
Hi,
you draw the bridged interfaces directly on the firewall. The scenario is more like this:
Code:
      /--> eth0.10 -> vmbr0  --> \
eth0 -                             Firewall <-- vmbr1 <-- eth1
      \--> eth0.20 -> vmbr20 --> /
Via iptables.
My question is more, is the router the debian-box, which you like to virtualize, or do you have two routers??

Udo
 
My question is more, is the router the debian-box, which you like to virtualize
Yes. I want to virtualize debian as a firewall/router.
you draw the bridged interfaces directly on the firewall. The scenario is more like this:
The eth1.10 and eth1.20 are subinterfaces on the Debian eth0 interface to operate VLANs. This is my actual configuration on the Debian physical firewall/router. I think the same has to be done on the virtualized Debian, or am I wrong?
 