Results 1 to 4 of 4
Thread: Routing understanding problem
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Apr 2011
Routing understanding problem
Since some days I am trying to get my problem to work, but I am near to give up.
Situation: I have got a dedicated server in a datacenter with a WAN-IP and an additional WAN-subnet. (I call them "main IP" and "VM-subnet")
The server is virtualized and the additional subnet is for the virtualized machines (VMs).
Easy configuration: Connect all VMs to the host's eth0 and add all IPs manually - works.
Now I want to install IDS or just logging for all VMs in a single VM (lets call it vmGW). So I have to route all traffic for the other VMs through this VM.
If the other VMs will get an internal subnet (192.168.*) I could NAT and all will work.
But my problem is: I want to give all VMs their WAN-IP (from the VM-subnet).
So the situation is: In vmGW there are two ifaces - one for WAN and one for the internal LAN. And I have NO IDEA, how to route this.
The fact that is driving me crazy is, that the WAN-iface (eth0) should get all the IPs by "ip addr add xxxx dev eth0" and the LAN-iface (eth1) does have an IP in this subnet.
I dont know, how to route packets from an ifaceA to an ifaceB, when they are in the same subnet.
Last edited by thewulf00; 04-12-2011 at 01:16 PM.
- Join Date
- Sep 2006
- Norfolk Island
It does help if you say what type of VM, eg VM(ware), XEN, etc as each has a slightly different way of dealing with networks.
That said, if your WAN-IP and WAN-Subnet are different then set up one VM as your IDS on eth0 with a virtualised LAN for it's 2nd IF. Ask the datacentre to route your WAN-Subnet via your WAN IP.
Then set up all your other VMs on the Virtual LAN in that subnet. As long as your GW is set to forward traffic then it will handle the routing.
No different than doing it with physical hardware. Just because it's virtual doesn't mean it isn't real
If the WAN-IP is in the WAN-Subnet, then that changes things.
Last edited by ni_boy; 04-12-2011 at 11:25 PM. Reason: typos
I believe another thing to consider is Xen and VMWare vswitches both broadcast all traffic to all egress "ports." In other words, they act more like a hub than a switch. To test this, you could create another vnic on any of the connected hosts in the WAN vswitch, set it in promiscuous mode, and see if you can see all packets to and from all vnics connected to the same vswitch. If so, just setup an IDS to log all traffic off of a similar vnic on the same vswitch in promiscuous mode.
However, if your service provider is not offering you any firewall services, I would suggest you definitely setup one of your guests as a bastion host firewall. If, as ni_boy mentioned, your WAN-IP is in a different subnet, then you can simply place it in front of your other guests and route traffic to your WAN-Subnet through it. Another alternative would be to place all of your other guests behind it in a separate, privately addressed subnet, and let it do the NATing, firewall, IDS, and VPN. That way, you are not NATing to your guests with the VM host, but with another guest acting as a firewall.
- Join Date
- Apr 2011
Thanks for your answers.
I did not believe in answers, thats why I missed some details.
I am using virtualbox. But ni_boy is right, my problem isnt a virtualized problem, it is real - no matter if in VM or on host.
I have 2 WAN-IPs in there own subnet - lets assume these:
WAN-IP #1: 18.104.22.168/26
WAN-IP #2: 22.214.171.124/26
(The GW for both is in the datacenter.)
And I have an additional subnet, lets assume 126.96.36.199/27.
First configuration was: All IPs (WAN+subnet) are added to host::eth0, and all VM-eth0s are bridged to that. (bridging in virtualbox means, that a kernel-modul takes all packets and doubles them to every bridged VM) This is working.
I tried your solution @ni_boy. At the beginning of my tests, i wanted only to get the VMs to the WAN, but the datacenter's switch will drop all packets, that are not sent from my MAC, so I had to route all traffic from eth0 to tap0, and all VMs where bridged to tap0, that worked fine. Eth0 did not have any IPs added from the subnet, but he still did route them! Now the VM should do the same, but there it does not work. (I think, the ARP-answer for these IPs includes the hosts MAC )