Networking and 1U Colocation
-
@romo He does not even need a bridge. Simply no IP on his eth0.
He will have a java based KVM available for console from his colo if shit really breaks.
Here in my example I have an IP on eno1 just because it is local to me and I am lazy. He should have no IP here.
I have a team, he will not with only a single port from the colo. He could have a team still with one member not plugged in, but meh.
When he makes the pfSense VM, he should assign it to his eth0 (team0 in my example) as macvtap, in bridged mode. As the note states, there will not be any guest communication to the host on this network, which is just fine for the security of the router VM's public IP network.
By default the LVM setup creates this private network. I suggest he use this on his host and a single guest VM (not his pfSense VM) to manage the host.
I suggested he make another private network that he will assign to the LAN port of the pfSense VM and then as the only network port for all of the guest VMs.
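As an added illustration of that layout (example config written for this thread, not something any poster shipped), here is the libvirt XML for the private network and the two NICs of the pfSense VM; eth0 and priv0 come from the thread, the bridge name virbr1 and the virtio model are assumptions:

```xml
<!-- priv0.xml: the private LAN network behind the pfSense VM.
     No <forward> element => isolated: libvirt creates the bridge but
     routes nothing to the outside. No <ip> element => the host itself
     gets no address on virbr1 (assumed name), so guests on priv0 cannot
     reach the host; host management stays on the separate "default" network.
     Load with:  virsh net-define priv0.xml && virsh net-autostart priv0
                 && virsh net-start priv0   -->
<network>
  <name>priv0</name>
  <bridge name="virbr1" stp="on" delay="0"/>
</network>

<!-- Interfaces for the pfSense VM (virsh edit <vm>, inside <devices>).
     WAN: macvtap in bridge mode straight onto the host's eth0. The host has
     no IP on eth0, and macvtap bridge mode passes no traffic between the
     guest and the host, so the public-facing segment never touches the host.
     virtio is an assumption; pfSense/FreeBSD drives it with vtnet. -->
<interface type="direct">
  <source dev="eth0" mode="bridge"/>
  <model type="virtio"/>
</interface>

<!-- LAN: the only NIC the other guest VMs also get. -->
<interface type="network">
  <source network="priv0"/>
  <model type="virtio"/>
</interface>
```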
-
@jaredbusch I am so used to creating my bridges manually I keep forgetting macvtap creates them for you.
-
I had to do something a little different as I rent a server that I'll never have physical access to. So this is on an Ubuntu Server base (that always leaves a bad taste in my mouth, sorry.)
eth0 is all I had to work with:
So I also made a virtual interface:
Virtual Interface that is the public facing side:
Finally, the private side:
Now, if you ask me (you didn't, I'll tell you anyway), this way of configuring things kinda sucks. I'm limited to 100mb/s throughput by something along the line that I haven't figured out yet.... I've got stories about these already, I don't need more!
-
@jaredbusch said in Networking and 1U Colocation:
I want to make sure my understanding of your suggestion is correct.
The FirewallVM will have one NIC connected to eth0 via macvtap, which would be assigned 100.100.100.2/30. The FirewallVM will have a second NIC attached to what you called the priv0 virtual network, which serves as the interface to the rest of the VMs in the LAN. For managing the host itself, I'll have another VM attached to the default virtual network.
-
I'm thinking through this topology a bit further:
- Eth0 on host passes traffic via macvtap to FirewallVM (100.100.100.2/30).
- Isolated network connects FirewallVM to the rest of the guest VMs.
- Isolated network connects one of the guest VMs to the host VM.
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three. Once connected to that VM, I'd SSH from there to my host -- basically making that guest VM a jump box.
-
@eddiejennings said in Networking and 1U Colocation:
I'm thinking through this topology a bit further:
- Eth0 on host passes traffic via macvtap to FirewallVM (100.100.100.2/30).
- Isolated network connects FirewallVM to the rest of the guest VMs.
- Isolated network connects one of the guest VMs to the host VM.
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three. Once connected to that VM, I'd SSH from there to my host -- basically making that guest VM a jump box.
VyOS has ssh built in.... just saying.
-
@travisdh1 said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
I'm thinking through this topology a bit further:
- Eth0 on host passes traffic via macvtap to FirewallVM (100.100.100.2/30).
- Isolated network connects FirewallVM to the rest of the guest VMs.
- Isolated network connects one of the guest VMs to the host VM.
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three. Once connected to that VM, I'd SSH from there to my host -- basically making that guest VM a jump box.
VyOS has ssh built in.... just saying.
Umm WTF? Open SSH to the world? On your router? Fuck that.
-
@eddiejennings said in Networking and 1U Colocation:
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.
Never.
Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.
-
@jaredbusch said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.
Never.
Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.
I’ve heard of ZeroTier. Time to learn something about it.
-
@eddiejennings said in Networking and 1U Colocation:
@jaredbusch said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.
Never.
Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.
I’ve heard of ZeroTier. Time to learn something about it.
Here you go.
https://www.zerotier.com/
https://mangolassi.it/topic/16853/installing-zerotier-on-fedora
-
@eddiejennings said in Networking and 1U Colocation:
@jaredbusch said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.
Never.
Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.
I’ve heard of ZeroTier. Time to learn something about it.
Very good product.
-
@jaredbusch said in Networking and 1U Colocation:
@travisdh1 said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
I'm thinking through this topology a bit further:
- Eth0 on host passes traffic via macvtap to FirewallVM (100.100.100.2/30).
- Isolated network connects FirewallVM to the rest of the guest VMs.
- Isolated network connects one of the guest VMs to the host VM.
To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three. Once connected to that VM, I'd SSH from there to my host -- basically making that guest VM a jump box.
VyOS has ssh built in.... just saying.
Umm WTF? Open SSH to the world? On your router? Fuck that.
Your direct, to the point responses, often have me LOLing.
-
Here's an updated diagram.
I'm wondering about how to do updates on the KVM host. Since there will be only one NIC with a connection to the colo's network, and that NIC is attached to the FirewallVM, it seems that the KVM host will have to have a way to send / receive traffic to / from the FirewallVM to have an Internet connection. Perhaps one alternative would be to set up a VM that acts like a repository for the updates I'd get through dnf, and the KVM host would talk to that VM to get its software updates.
The other thing I'm thinking about is how I'm going to use Virt-Manager with my KVM host. Methinks this might be where ZeroTier would come in. I could connect to the "VM for managing the host" which would have Virt-Manager installed.
-
@eddiejennings said in Networking and 1U Colocation:
Here's an updated diagram.
I'm wondering about how to do updates on the KVM host. Since there will be only one NIC with a connection to the colo's network, and that NIC is attached to the FirewallVM, it seems that the KVM host will have to have a way to send / receive traffic to / from the FirewallVM to have an Internet connection. Perhaps one alternative would be to set up a VM that acts like a repository for the updates I'd get through dnf, and the KVM host would talk to that VM to get its software updates.
The other thing I'm thinking about is how I'm going to use Virt-Manager with my KVM host. Methinks this might be where ZeroTier would come in. I could connect to the "VM for managing the host" which would have Virt-Manager installed.
Just add a NIC on your LAN network. Keep it normally disabled. Enable it and run updates.
Or just not be super paranoid and just have it on the LAN always.
-
@jaredbusch said in Networking and 1U Colocation:
Or just not be super paranoid and just have it on the LAN always.
Ha!
-
@eddiejennings said in Networking and 1U Colocation:
@jaredbusch said in Networking and 1U Colocation:
Or just not be super paranoid and just have it on the LAN always.
Ha!
It is no different in that way than one in your office.
In fact you will need a way to the internet for ZeroTier to come online.
-
@scottalanmiller said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
@scottalanmiller said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
@aaronstuder said in Networking and 1U Colocation:
What are the specs of the server?
Intel Xeon CPU Quad Core X3430 2.4GHz
32 GB RAM
Two 2 TB SATA drives in RAID 1
Could be worth calling xByte and getting something a little beefier.
I'll give it some thought. I need to think through how I intend to use it beyond just building and destroying VMs just to tinker. Might start a "spec my server" thread.
Your CPU is fine, but 64GB of RAM might be worthwhile.
That CPU dates back to when I began my IT career. I'm fairly certain Intel hasn't released Meltdown/Spectre Microcode patches for it.
-
@storageninja said in Networking and 1U Colocation:
@scottalanmiller said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
@scottalanmiller said in Networking and 1U Colocation:
@eddiejennings said in Networking and 1U Colocation:
@aaronstuder said in Networking and 1U Colocation:
What are the specs of the server?
Intel Xeon CPU Quad Core X3430 2.4GHz
32 GB RAM
Two 2 TB SATA drives in RAID 1
Could be worth calling xByte and getting something a little beefier.
I'll give it some thought. I need to think through how I intend to use it beyond just building and destroying VMs just to tinker. Might start a "spec my server" thread.
Your CPU is fine, but 64GB of RAM might be worthwhile.
That CPU dates back to when I began my IT career. I'm fairly certain Intel hasn't released Meltdown/Spectre Microcode patches for it.
Dell says a BIOS update for that stuff is in progress, other x10's have been patched:
-
Experimented with this tonight, so I figured I'd share what I did. I was curious to see if I could access the iDRAC web interface without exposing iDRAC to the Internet.
The solution I used seemed simple enough. I created another NIC in a VM, and set it to be bridged to the 2nd NIC on the host via macvtap. I gave the NIC a static IP. On the host, I connected the iDRAC port to the 2nd NIC using a crossover cable, and added an appropriate static IP in the DRAC settings. I connected to my VM via ScreenConnect (which for now is how I'll be connecting remotely to my management VM), and was able to browse to the iDRAC web page.
I don't plan on doing this when I ship my server off, but I was curious to see if I could do it and make it work.
-
@eddiejennings said in Networking and 1U Colocation:
Experimented with this tonight, so I figured I'd share what I did. I was curious to see if I could access the iDRAC web interface without exposing iDRAC to the Internet.
The solution I used seemed simple enough. I created another NIC in a VM, and set it to be bridged to the 2nd NIC on the host via macvtap. I gave the NIC a static IP. On the host, I connected the iDRAC port to the 2nd NIC using a crossover cable, and added an appropriate static IP in the DRAC settings. I connected to my VM via ScreenConnect (which for now is how I'll be connecting remotely to my management VM), and was able to browse to the iDRAC web page.
I don't plan on doing this when I ship my server off, but I was curious to see if I could do it and make it work.
What about setting up a ZeroTier bridge VM?