
ESXi and Vyatta

Discussion in 'Virtual Computing' started by HTF, Oct 10, 2010.

  1. HTF

    HTF Byte Poster

    Hi,

    I'm looking for a solution for how to set up networking on ESXi with Vyatta as a front firewall/router. Basically I would like to set up Vyatta so that all traffic for the VPSs goes through it, so I can limit bandwidth, null route IPs etc.
    Please note that I can't use NAT, so I will have public IPs to access the VPSs. At the moment I have two VLANs, please see below, because I'm not sure if it is actually possible with ESXi without any external hardware appliance.

    [IMG]
     
    Certifications: A+
  2. dales

    dales Gigabyte Poster

    For a start you will need another port group that is not connected to any network card (isolated LAN). You will need Vyatta to have 2 network cards (one attached to vswitch1 and one to the isolated LAN), then move the VMs to the isolated network so that they will have to go through the Vyatta router in order to get to the live LAN. Then it's just a case of configuring Vyatta appropriately.

    I have a setup quite similar at home to separate a couple of domains.
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  3. HTF

    HTF Byte Poster

    Perfect, thx.

    Could you help me with the Vyatta configuration, as I can't get this to work?

    I have a block of 192.168.1.0/24 - this IP range is just an example.
    I assigned 192.168.1.2 to vyatta eth0 and 192.168.1.3 to eth1.
    The Windows machine in the isolated zone has the vyatta eth1 address 192.168.1.3 as its gateway.
    Please advise what routes I should create and how to assign a gateway to a specific interface?
     
    Last edited: Oct 10, 2010
    Certifications: A+
  4. zebulebu

    zebulebu Terabyte Poster

    You're not thinking about this logically. You want to use the Vyatta VM as a router, right?

    If so, then putting both NICs on that VM in the same subnet isn't going to help. You need to put one of the NICs in the same subnet as the one you're putting your VMs in, and the other NIC in the subnet you want to route to.
     
    Certifications: A few
    WIP: None - f*** 'em
  5. HTF

    HTF Byte Poster

    Well, the problem is that I will use public IPs and I have only one /27 range, so I will have to use the same range for all machines (VMs and the Vyatta router). Is this going to work this way?
     
    Certifications: A+
  6. dazza786

    dazza786 Megabyte Poster

    Is this a LAB or is it a production environment? If it's the latter, I'd advise that you bring somebody in to help you set this up, as controlling the traffic of that many servers is going to be dangerous if you don't know exactly what you're doing.
     
    Certifications: MCP (271, 272, 270, 290, 291, 621, 681, 685), MCDST, MCTS, MCITP, MCSA, Security+, CCA(XA6.5)
  7. zebulebu

    zebulebu Terabyte Poster

    Agreed. In any case - lab or not - you don't want to be exposing VMs directly to the outside world with just a router in front of them.
     
    Certifications: A few
    WIP: None - f*** 'em
  8. dales

    dales Gigabyte Poster

    Are you sure you mean public IPs? What you will need to do on the Vyatta is tell it where to put unknown traffic (i.e. point it to your internet router if that is appropriate), which from memory is something like "set route 0.0.0.0 next-hop {routeraddress}". Google should tell you.

    You should really, though, set up a separate address range for the isolated LAN, maybe 172.16.x.x or something, just to separate them out, or I guess you could chop up the 192 addresses a bit more. If this is production, though, I would agree that a bit of assistance wouldn't go amiss. You would also need to set up a static route on your internet router to point out how to get to the isolated LAN:

    inet router     vyatta eth0     vyatta eth1
    192.168.1.1     192.168.1.254   172.16.10.254

    So you would tell the inet router to go to 192.168.1.254 to get to the 172 range, and you would tell Vyatta to go to 192.168.1.1 for the 0.0.0.0 range (all other IPs).

    Edit: damn it Zeb, you're obviously quicker at typing than me!

    If the VMs have a public address scheme you may want to think about sticking a Smoothwall in there as well to help protect the VMs, or a hardware appliance on the other end of the ESXi's uplink. There are a good few things you need to think about in regards to the security of the ESXi and anything else (LANs etc.) it may be connected to. There's a white paper on the VMware website on DMZ virtualization; I would recommend giving it a read.
     
    Last edited: Oct 11, 2010
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
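    As an added illustration (not from the thread), a small longest-prefix-match model of the two layouts discussed above: HTF's single-subnet layout, where the VM gateway and Vyatta's NICs all sit in 192.168.1.0/24, and dales' split layout with a 172.16.10.0/24 isolated LAN plus the static route on the internet router. The addresses are the example values from the posts; the routing tables are constructed to model what each device would hold.

```python
import ipaddress

# Constructed routing tables modelling the layouts discussed in this thread.
# Each entry is (prefix, next_hop or None when on-link, interface).

def lookup(routes, dst):
    """Longest-prefix match; on a tie the first entry wins, as a kernel would."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def first_hop(routes, dst):
    """Address the sender actually ARPs for: the gateway, or dst itself if on-link."""
    next_hop, iface = lookup(routes, dst)
    return (str(next_hop or dst), iface)

def transits_vyatta(vm_routes, dst, vyatta_inside_ip):
    """True if a VM's packet to dst is handed to Vyatta's inside interface."""
    hop, _ = first_hop(vm_routes, dst)
    return hop == vyatta_inside_ip

# Layout A (HTF's attempt): everything in 192.168.1.0/24, VM gateway = vyatta eth1 (.6).
VM_SAME_SUBNET = [("192.168.1.0/24", None, "eth0"),
                  ("0.0.0.0/0", "192.168.1.6", "eth0")]
# Vyatta itself then holds the same connected prefix on both NICs.
VYATTA_SAME_SUBNET = [("192.168.1.0/24", None, "eth0"),   # uplink vswitch (.5)
                      ("192.168.1.0/24", None, "eth1"),   # isolated vswitch (.6)
                      ("0.0.0.0/0", "192.168.1.1", "eth0")]

# Layout B (dales' suggestion): isolated LAN 172.16.10.0/24, vyatta eth1 = .254.
VM_SPLIT_SUBNET = [("172.16.10.0/24", None, "eth0"),
                   ("0.0.0.0/0", "172.16.10.254", "eth0")]
VYATTA_SPLIT_SUBNET = [("192.168.1.0/24", None, "eth0"),
                       ("172.16.10.0/24", None, "eth1"),
                       ("0.0.0.0/0", "192.168.1.1", "eth0")]
# ...and the internet router needs dales' static route back to the isolated LAN.
INET_ROUTER_SPLIT = [("192.168.1.0/24", None, "lan"),
                     ("172.16.10.0/24", "192.168.1.254", "lan")]

if __name__ == "__main__":
    print(first_hop(VM_SAME_SUBNET, "192.168.1.1"))   # ('192.168.1.1', 'eth0'): Vyatta bypassed
    print(lookup(VYATTA_SAME_SUBNET, "192.168.1.9"))  # (None, 'eth0'): reply leaves the wrong NIC
    print(first_hop(VM_SPLIT_SUBNET, "192.168.1.1"))  # ('172.16.10.254', 'eth0'): via Vyatta
```

    In layout A any 192.168.1.x destination is on-link for the VM, so only off-subnet traffic ever reaches Vyatta, and Vyatta's own reply to the VM picks the first matching connected route (the uplink side); in layout B every packet leaving the isolated LAN has to pass Vyatta's eth1.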
  9. HTF

    HTF Byte Poster

    Thx for the explanation. Yes, I have public IPs; the 192. is just an example.

    I understand routing, but could you confirm that it's possible to set this up on a single IP range?

    I have a Windows box with the IP of vyatta eth1 (let's say 192.168.1.6) as a gateway; the route is set to push all the traffic through this IP:
    - 0.0.0.0 255.255.255.0 => 192.168.1.6
    The second vyatta NIC, eth0 (IP 192.168.1.5), is on the vswitch with the internet connection via the internet router (it sees the outside world), and the route for unknown traffic is set to the internet router:
    0.0.0.0 via x.x.x.x - IP of external router, on eth0, but I'm not even able to ping the vyatta eth1, which is on the same vswitch (the isolated LAN) as all the VMs :rolleyes:

    I would expect the traffic to go through:
    Windows box IP 192.168.1.9 => gateway (vyatta eth1) 192.168.1.6 => vyatta routes then via eth0 IP 192.168.1.5 via route 0.0.0.0/0 => internet router => external network - but it's not.

    I think I will really need some external IPs on a different range, am I right?

    Thanks all for the help once again ;)
     
    Certifications: A+
  10. dales

    dales Gigabyte Poster

    Could you stick up another picture of your current vswitch config? It might be easier to look at. By the sounds of it the Windows gateway box only has 1 NIC, is that right?
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  11. HTF

    HTF Byte Poster

    Yes, the Windows box is just a VM with vyatta eth1 as a gateway and it has only one NIC. I moved just this Windows box to the isolated vswitch for now (VPS4).

    [IMG]
     
    Certifications: A+
  12. dazza786

    dazza786 Megabyte Poster

    With the names of the servers I'd assume they're selling hosting (VPS) and each of the servers has a dedicated IP. The firewall he's planning on implementing is the Vyatta, and he is trying to route the traffic to each VM.

    Is this right?

    ..I'd hope that each VPS isn't a separate client as there'd be major security issues.

    Edit: Also, Zeb pointed out earlier about your NIC addressing issue, yet you haven't changed it?
     
    Last edited: Oct 11, 2010
    Certifications: MCP (271, 272, 270, 290, 291, 621, 681, 685), MCDST, MCTS, MCITP, MCSA, Security+, CCA(XA6.5)
  13. HTF

    HTF Byte Poster

    Yes, that's right regarding the configuration.

    Could you elaborate more on this? I created a few VPSs to test it and as far as I know they are separated. I am also considering using Proxmox for this purpose.

    The configuration of Vyatta is fine: eth0 is on the vswitch with the internet connection, eth1 is on the isolated LAN vswitch, but as I mentioned a few times before, I have only a few public IPs from the same range.
    The traffic should go through but it's not. I've just started using Vyatta, so it's probably something wrong with the configuration, but as all the machines have IPs from the same subnet no additional routes should be necessary, should they?

    EDIT:
    I moved another machine to the isolated vswitch and they can ping each other but not Vyatta. This confirms that I need to configure Vyatta properly ;)

    EDIT:
    Now I have re-assigned the IPs on the Vyatta interfaces and I can ping all three VMs (Windows box, Vyatta, and the third one), but I can't ping from Vyatta to the outside world.
     
    Last edited: Oct 11, 2010
    Certifications: A+
  14. dales

    dales Gigabyte Poster

    Have you added the 0.0.0.0 route to Vyatta?
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  15. HTF

    HTF Byte Poster

    Apparently the way the network was designed caused the problem. I have set up and tested everything on Proxmox now and it works so far.

    Thx for the help anyway ;)
     
    Certifications: A+