Posts made by VoodooRabbit87

if you're lazy and have 11$ to spare this is really good https://partedmagic.com/

@travisdh1 ahhh, i had a feeling that was going to be the answer :persevering_face:. Thanks tho, i'll definitely check this out!

So to get this to work i needed to use this firewalld line:

firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i eth1 -j ACCEPT

eth1 is the external interface on the vm router.

does this effectively render the firewall pointless though?

@kelly said in Route SSH to internal virtual network via centos7 vm router:

@kelly said in Route SSH to internal virtual network via centos7 vm router:

@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

@black3dynamite so my config box looks exactly like what i posted in the OP, idk if its the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.

firewall looks like this

iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT
iptables -I FORWARD 1 –source 10.0.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

obvs 443 to bypass work fw.

You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.

Reference: https://unix.stackexchange.com/questions/136190/iptables-rule-to-allow-incoming-ssh-connections.

so i shutdown the firewall on the centos vm router and i was able to connect to the internal server.

definitely need to look into firewalld

@kelly yes i can ssh from the vm router (10.0.10.2) to the server (10.0.10.10), basically same as another machine. i can ssh from my kvm host (10.0.0.10) to the server (10.0.10.10)

@black3dynamite so my config box looks exactly like what i posted in the OP, idk if its the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.

firewall looks like this

iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT
iptables -I FORWARD 1 –source 10.0.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

obvs 443 to bypass work fw.

@black3dynamite aye, with certs and the client on my work laptop.

@scottalanmiller the image up top is the physical router which has the vpn service running on it (DDWRT), that's the route table with NAT to 10.0.10.0 via the virtual external nic 10.0.0.20, ipv4 forwarding is enabled, nics have zones assigned (int/ext).

i can ssh to the internal nic on the vm router 10.0.10.2, however i cannot ssh to the server 10.0.10.10 which sits behind this vm router, i just thought a rule needed adding to firewalld to allow ssh traffic through too, as pings already are.

@black3dynamite if that was the case then ping wouldn't work though, no?

trace from 10.0.1.2
Tracing route to 10.0.10.10 over a maximum of 30 hops

1 11 ms 15 ms 30 ms 10.0.1.1
2 16 ms 11 ms 11 ms 10.0.0.20
3 12 ms 12 ms 13 ms 10.0.10.10

Trace complete.

i will try it out now

[edit]
this didn't help.

@scottalanmiller i suppose what i don't understand here is why i can ping 10.0.10.10 from 10.0.1.2, get a reply and vice versa, but why is ssh being blocked?

is there not a cmd i can pass to firewalld to allow ssh?

@scottalanmiller would it not depend on what you want to gain from using kvm on a certain dist? say, wanting to gain experience in the most widely used distribution in linux shops? i assumed that would be centos.

Hello, posted this on server fault but not much interest over there.

I'm trying to route ssh traffic to vm servers in isolated network on a centos7 KVM host. Can ping from either side but ssh times out.

I'm connected to my home router from work via vpn.

i have a static route to the external interface on centos7 vm router (functioning correctly with ip forwarding etc).

Internal vm, anohter centos7 server can update from internet and ping lan clients and vice versa

When i try to ssh to the internal vm from work pc it times out. firewalld on both vm router(internal and external interfaces) and internal server has ssh enabled in services

Setup:

10.0.1.2 - vpn client (win7)
10.0.0.20 - ext if vm router
10.0.10.2 - int if vm router
10.0.10.10 - internal centos7 server

VPN Config:
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

i will be adding more servers to this internal network so i don't want to just forward port 22 to 10.0.10.10 i need it forwarded to 10.0.10.* while also still retaining the ability to manage the vm router via ssh on the external ip.

I can ssh to the server (10.0.10.10) from 10.0.0.0 and 10.0.10.0 networks

This is part of a test lab

Cheers, thanks for the responses guys

So i have a hp z420 workstation i want to use as a KVM home lab setup, so far i have everything setup bar storage and networking.

I want to replicate as much as possible what a linux shop would do (without necessarily having the hadware). I have an lsi raid card in there with 4 x 500gb drives in raid 10. This will be used as vm storage, is currently GPT, formatted as EXT4

What storage type should i be using - i've seen people using volume groups for thin provisioning (LVM?), i know ovirt uses nfs.

would it be wise to use nfs, sharing and mounting the shares locally? Basically looking for exposure to as much as possible, i know i could just leave it as is.

FYI

Added MACADDR to both interfaces and set up configs before installing ovirt engine (again) - management network assigned to correct IF after installing host in web console, all sorted.

Configs:

This was the initial result after the first install which is currently where i'm at now.

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eno1
UUID=734cb027-edd6-4020-b4e9-d4f993c4b106
DEVICE=eno1
ONBOOT=yes
IPADDR=10.0.0.10
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
DNS1=10.0.0.1
DNS2=8.8.8.8
ZONE=public

# Generated by VDSM version 4.20.17-1.el7.centos
DEVICE=enp9s0f0
BRIDGE=ovirtmgmt
ONBOOT=yes
MTU=1500
DEFROUTE=no
NM_CONTROLLED=no
IPV6INIT=no

# Generated by VDSM version 4.20.17-1.el7.centos
DEVICE=ovirtmgmt
TYPE=Bridge
DELAY=0
STP=off
ONBOOT=yes
MTU=1500
DEFROUTE=no
NM_CONTROLLED=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
DNS1=10.0.0.1
DNS2=8.8.8.8

Hi, wondering if anyone can shed some light on following,

setting up oVirt on a fresh centos7 install, so far i've reached being able to login into the web portal and add my host in. After the initial host install, the status goes from up to non-operational after a couple secs - error on the i icon in the hosts view says no default route.

In network setup, the management network "ovirtmgmt" keeps assigning itself to the next unused, disconnected interface on the pcie nic. Initially i only enabled the motherboard interface, then i enabled a single port on the pcie nic (the one it assigned itself initially), after second install it assigned itself to interface 2 on the nic which is disconnected and disabled.

In web portal I've tried detaching ovirtmgmt and dragging it to the default interface but i lose connection to server when resyncing, also tried this with IF 1 on nic. I started over fresh about 4 times already while playing with the IF config files but no look so far.

I'll post up IF configs later when i'm home, just after any pointers if anyone has come across this before?

cheers.

Appears to be a Linux RDP gateway, see below:

http://guacamole.incubator.apache.org/

Hi All thanks for the welcome, SysAdmin here, roughly 4 years under my belt, started as helpdesk in a medium sized factory.

Made my way over from spiceworks on good advice from Scott. Looking forward to getting involved in some discussions, broadening my knowledge and maybe even asking for some help!

Cheers,
Luke