Nullworks is the project site for Koaps code.
Thanks for the post on Open vSwitch. I am having a problem that I think Open vSwitch can solve.
I need to set up a testing and development server network for some application developers I work with. Basically they need many (several VMs) to test software code in a server env. The VMs need to be able to access the internet (receive traffic from external devices). However, the server also needs to be able to be accessed from our internal build in development servers. So the servers sit in a DMZ as per our network requirements. On the physical switch I have three ports with open access to the internet, and of course the entire DMZ is visible from inside.
Problem is: I only have 3 externally routable IP addresses. I anticipate I will have at least 30 to 40 VMs at any given time. I tried doing a NAT behind the virbr (192.168.), but of course there is no way for clients on our internal network to reach the VMs. I can not modify the networking infrastructure (not my territory). We don’t have an F5 load balancer. So I thought I would build one as a VM, then use a bridge on one of the physical interfaces, but that did not work either. Now I am thinking use Open vSwitch. Any ideas?
What I would probably do, and have done in the past, would be to create a VM that runs Pfsense.
You can then assign the 3 public IPs to interfaces on the Pfsense machine, and have the private connections on another interface also.
This way you can tightly control the NAT and setup firewall rules.
Plus Pfsense has HAproxy and a few other modules that might be useful, maybe even use OpenVPN to allow your internal clients to connect to the VM net.
I have deployed many development environments where all the VMs lived behind a Pfsense VM in their own private network and it worked pretty well.
OpenVSwitch is pretty nice, but I did run into a few issues using it, especially when I wanted multiple public IPs on the host servers.
I switched my testing infrastructure (and VM testing on my laptop and my home server) to use OpenVZ.
I freggin love it.
Super fast to spin up instances, and unlike KVM or Xen, you can just copy files into the different containers from the host.
The bridge is simpler and for our application which is very java/jboss heavy it works like a charm, I even have oracle running under it.
In short I would check out Pfsense, but if you aren’t heavily vested into your current VM technology, I would definitely check out OpenVZ.
I wish I could give you more advice on the OpenVSwitch since I did like it, but since I don’t really have it in my environment anymore it’s hard to test what you might need.
If you do plan to stick to it, I would jump on the IRC channel on freenode. I have asked questions there before and usually get help. I know sometimes IRC is a ghost town, but just got to be persistent. 🙂
Thanks for the response. Yeah, I’ve been reading and I think I need all traffic to go to a router (VM) that has interfaces on a VLAN or something.
I’ve heard of OpenVZ, but I have never used it. I thought it was paravirt, and would have problems with my applications. I also work with heavy JBoss/Postgres implementations as well. Have you noticed any performance degradation? Currently I scrapped the CentOS-based KVM install, and am using Proxmox (KVM). I saw that Proxmox also has support for containers. I think that’s what OpenVZ uses. I’m just not too familiar.
Here is my plan going forward:
1. Create a router VM.
2. Add three IPs to it (say:
   eth1 – 192.168.1.2 (physical)
   eth1:1 – 192.168.1.11).
3. Add a bridge vbr0 (192.168.100.1) [will act as default router for the VM subnet].
4. The VM guests will then be tied into the bridge.
Some Iptables magic:
iptables -t nat -I PREROUTING -d 192.168.1.10 -j DNAT --to-destination 192.168.100.10
iptables -t nat -I POSTROUTING -s 192.168.100.10 -j SNAT --to-source 192.168.1.10
And some routes:
sudo iptables -I FORWARD -p tcp -d 192.168.100.10 --dport 80 -j ACCEPT
sudo iptables -I FORWARD -p tcp -d 192.168.100.10 --dport 443 -j ACCEPT
I will then create a pound revProxy on the 192.168.100.10
That server will pass the traffic to each web host.
Now that I am looking at it I might be able to run pound on the router machine itself.
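The router-VM plan above, written out as an added example (not code from the thread): a small generator for the DNAT/SNAT ruleset that also sets the pieces the plan leaves implicit (IP forwarding on, a default DROP forward policy, conntrack for replies, and forwarding limited to the published ports). Interface names eth1 and vbr0 and the addresses are assumed from the plan; the function only prints the commands, so it can be reviewed before being piped to a root shell on the router.

```shell
#!/bin/bash
# Added example: generate iptables rules for a Linux router VM that publishes one
# private web host behind one DMZ/public address. Assumed interfaces (not from the
# post): eth1 = DMZ side, vbr0 = VM bridge. Nothing here touches the kernel; it
# only prints the commands. Apply with: gen_rules <dmz-ip> <vm-ip> <port>... | sudo sh
DMZ_IF=eth1
VM_IF=vbr0

gen_rules() {
  local pub_ip="$1" priv_ip="$2"; shift 2
  # A router VM forwards nothing until this is on; it is easy to forget.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Baseline: refuse to forward anything not explicitly allowed,
  # then let replies for already-accepted connections through.
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # The VM may initiate outbound traffic; it leaves with the DMZ address.
  echo "iptables -A FORWARD -i $VM_IF -o $DMZ_IF -s $priv_ip -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $DMZ_IF -s $priv_ip -j SNAT --to-source $pub_ip"
  # Publish only the listed TCP ports: DNAT on the DMZ side, plus a matching
  # FORWARD accept restricted to NEW connections on that port (no blanket -d accept).
  for port in "$@"; do
    echo "iptables -t nat -A PREROUTING -i $DMZ_IF -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $priv_ip:$port"
    echo "iptables -A FORWARD -i $DMZ_IF -o $VM_IF -d $priv_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Number of commands the generator emits: 5 fixed lines plus 2 per published port.
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

# Example with the addresses from the plan (constructed, not a real deployment):
gen_rules 192.168.1.10 192.168.100.10 80 443
```

Run the printed commands only after checking them; the default DROP policy is what keeps every other VM port unreachable from the DMZ even though DNAT is in place.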
Didn’t work 😦
I need the servers behind the firewall to have routable addresses inside my DMZ (172)
I am thinking there really is no way to do this without an F5 or some other piece of hardware.