[HELP NETWORK SETUP] Need help on setting up home network with OpenSuse 13.1.

Hello everyone.
I had posted similar question some time ago, it got me nowhere so far, so let’s try this again.
just a little heads-up here to prevent the last thread fiasco.
***>>>>I appreciate any comments as long as they actually have a point.
I do not need people starting a flame war pointing out all the evils of what I try to do with my setup. I understand the dangers and all but still want to do it this way, so if you have nothing helpful to say please let’s keep this thread clean and on topic.
As described below my server runs the LXDE desktop GUI. The reason is I prefer GUI to CLI if I can help it. The openSuse implementation of LXDE and Yast is what I like about it.
I am coming from Windows, so if I have the option of a nice GUI I will take it.
I am not shy of using CLI but do prefer GUI, and I will not shy away from adding WebMin/UserMin to the setup if it will give me what I want. <<<<<

What I have in terms of Hardware and software:***
A SuperMicro Dual Opteron HexCore 2.6Mhz CPU, 56Gb RAM server with 4 gigabit NIC interfaces. 2x onBoard + 2x via DualPort Intel Pro gigabit PCI card.

1x 24 port Netgear gigabit unmanaged switch.
1x Netgear SOHO router from Cablevision
1x Cablevision Modem

3 PCs running Windows 7 Home and Pro editions
Home is wired with Cat5e/Cat6 cabling into a basement patch panel and dropped into the switch above.
As it is now the switch is hooked up to one of the Cablevision router LAN ports.
Router provides DHCP as needed.

Server is running OpenSuse 13.1 with LXDE desktop (yeah I know a server should not have a GUI but I like to have the option available), updated and patched.
I am also using full BTRFS setup, as in I am booting into BTRFS “/” partition directly
installed KVM
installed Xen

Firewall is disabled for the reason described below (in the “What I need/want to do” section), but if someone has a better opinion please elaborate.

***What I need/want to do and what I need the help with:


#1. Setup main server as VM server using KVM / Xen. Not really sure what to use at the moment as the hardware does not have full IOMMU support, but I need to run several Windows VMs, so my guess is Xen will be the hypervisor of choice.

#2. Setup file sharing on main host to provide shared storage to all VMs and networked PCs as needed.

#3. Setup Router/firewall VM (pfSense, Untangle or ClearOS) using 2 or 3 NICs dedicated to that service only. My server has IPMI so I do not need a management interface via a built-in NIC, as I have a dedicated IPMI card with TCP/IP support (this is a Kira IPMI card with full support to control the server including booting and other functions, via its own IP address and all).
This VM will be replacing my SOHO router from Cablevision.
so the projected/desired setup would be:

CableVision Modem == CM
CableVision Router (Netgear SOHO router)== NR
Netgear 24 port Switch == SW
NICs:
eth0 == onboard NIC1 (used for server LAN connection with static IP)
eth1 == onboard NIC2
eth2 == PCI Intel Pro Port 1 NIC3
eth3 == PCI Intel Pro Port 2 NIC4

Current setup:
CM =plugged into=> NR(WAN port) | provides DHCP and DNS for all network | ==> NR(LAN 1-4) -plugged into-> SW
all PCs are plugged into switch

Planned/Desired setup:
dedicate 2 NICs (eth2 and eth3) to the Router VM (directly or with a bridge)
if needed use one of the on-board NICs as well.

leave one or both on-board NICs for server LAN connection(s)

CM(WAN) == plugs into eth3 (Intel NIC(3)) on the Server == and goes into => pfSense VM ==> outputs all into eth2 (Intel NIC(2)) ==> which is plugged into switch port (1)

use the Router VM to provide all services such as DHCP/DNS, routing etc.,
removing the SOHO router.

I have a Linksys wireless router set up as a wireless access point right now, which I think will work as is.

Other VMs will be on an as-needed basis, but currently I plan to run:
Ubuntu server 12.4 VM for transmission+SickBeard+snbz+CouchPotato
MediaHomeServer based on OpenSuse 13.1 server setup.

I want to try to keep the base server setup as clean as possible.

thanks.

Well,
Without getting into specifics (because that leads down a rabbit hole of details that turns a Forum Post into a book) I can recommend some fundamentals for your decisions…

  • Physical and virtual networks and networking should be set up based on similar principles, remembering that virtual networks are built as a layer on top of physical networks. So, for example a fundamental idea is that physical network connections to the Internet should be kept few (if not a single connection) and all LAN virtual networks should be bound to physical NICs/interfaces on LAN NICs.

  • Running a firewall in a VM can work well (I’ve done this). Just be sure you get your routing correct. And, with some virtualization technologies you can bind the virtual NICs to specific virtual networks which are assigned to physical NICs. Make sure it’s all mapped out correctly and <verify> that multi-homed VMs launch correctly. It can be embarrassing if your internal and external zones are reversed, for example.

  • Running multiple virtual networks on the same physical network links provides some good isolation in a practical sense but of course cannot be recommended if security is an issue, eg a hacker who has access to one network and knows of the existence of a second virtual network only has to add an IP address to function on the second network. If broadcasts are extensively used, then that also would be a possible vector.

  • You can configure any number of virtual networks and machines to any specific physical NIC. If you understand how Ethernet works, you’d know why this is the case… that no matter how many hosts are communicating on a physical network link, only one is communicating at a time. So, many people get caught up in the idea to increase network capacity by bonding NICs or adding new virtual NICs or virtual networks to the same physical NIC… If the bottleneck is the machine, YMMV but it won’t increase the capacity of the network itself.

  • I’d recommend you decide on just KVM or Xen on any physical machine because kernel support for each is exclusive (switching from one to the other requires a reboot). But, if you do support varied virtualization technologies (as I do) it helps to create Guest virtual disks with cross-platform support (eg QCOW often, RAW almost always). Maybe even consider LXC if you’re running “all Linux” and don’t need Desktops and would like to optimize for performance. I usually build machines the first time in a VM with a Desktop, then when I’ve got the bugs worked out migrate them to LXC.

  • Whatever virtualization you select (maybe even multiple physical machines each running different virtualization), you should always keep the Host as minimal as possible. <Anything> beyond minimal enlarges attack surface (possible vulnerabilities) and is a vector possibly compromising Guests.

HTH,
TSU

Thanks tsu, nice write-up, but I actually need specific help, not a general overview.
No offense please, I meant it as an FYI, nothing more.
I already read and researched all the options and generally how it should be done.
My issue is that I bit off a little more than I could chew but have no way out but forward.

I got the hardware for a good price and even though I did research it as much as I could for IOMMU support, it is still not 100% compatible, hence my indecision about which hypervisor to use. (BTW I am sure I will use Xen as KVM really needs the IOMMU support more than Xen.)

I cannot get a new MB as I am heavily invested in my current one (make one stupid mistake and others will follow), as I got a second CPU and more RAM for this one before I could test the compatibility.

But regardless, my question is:
If I use Xen on OpenSuse 13.1, how do I configure my NIC interfaces so I can use them for pfSense or ClearOS?
What would be the best network configuration for a relatively secure setup accessible from outside and inside?
Do I need VLAN and how would I go about it with what I have?

I have read a lot about using a virtual switch for all VMs but cannot find any good how-to on how to set it up in Xen/openSuse.
If I need to change the base OS to Ubuntu for example I would consider it, but I need a strong reason for that.

thanks.

First re: IOMMU,
I haven’t read up much on it, but from what I’ve read it’s probably not an issue for anyone unless you want to or need to configure direct hardware access, eg the virtual technology may just not support certain I/O devices or the normal, default access is not preferred. But, these kinds of issues are likely more relevant to heavily loaded systems. If you don’t mind waiting a few milliseconds here or there (hopefully not more) then I don’t know that default I/O configurations aren’t sufficient. IMO this is probably more a colo/provider consideration and not likely a SOHO issue.

I haven’t studied the differences between paravirtualized I/O in Xen vs KVM (or any other technology for that matter). Again, I think for most people they’ll find both are roughly equivalent choices and might choose based on other criteria.

The info I gave you probably should be reliable enough to configure a firewall running in a VM… configure the external zone to be bound to an interface connected to an external NIC. Configure an internal zone to be bound to an interface connected to an internal NIC. Your Q has some similarity to what I just posted elsewhere re how to configure Virtualbox networking in that way
http://forums.opensuse.org/showthread.php/478063-Unable-to-connect-to-internet-in-openSUSE-12-2-in-VirtualBox?p=2618142#post2618142

Summarizing my recommendation in that post another way, there are plenty of old guides which describe creating Linux Bridge Devices and virtual switches (often in the Guests) which today is really unnecessary. You can avoid a lot of headaches by keeping your networking simple, i.e. the Guests should be configured with plain “wired” network connections with no Linux Bridge Devices. Configure all your network complexity on the Host instead, and for 99% of people who do not need VLANs and other tunnels, very basic configuration is all that is needed (only virtual networks and Linux Bridge Devices, no virtual switches).

TSU
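
The host-side bridge layout TSU describes, worked through as an added example (this script is mine, not code from the thread, TSU, openSUSE or Xen): it writes openSUSE-style ifcfg files for one bridge per zone, emits the matching Xen vif line, and checks that the two zones are on different NICs before anything is brought up. Assumptions taken from the original post: eth3 faces the cable modem, eth2 faces the switch, eth0 stays the host's own static-IP link; the names br-wan, br-lan and the NETDIR/apply_config helpers are mine.

```shell
#!/bin/sh
# Added example: host bridges for a pfSense/ClearOS domU on openSUSE 13.1 + Xen (assumed layout, see lead-in).
# NETDIR defaults to the real ifcfg directory; point it at a scratch directory for a dry run.
NETDIR="${NETDIR:-/etc/sysconfig/network}"
WAN_NIC="${WAN_NIC:-eth3}"
LAN_NIC="${LAN_NIC:-eth2}"

# Create ifcfg files for a bridge holding exactly one physical port. Neither the bridge nor the
# port gets an address on the host: only the firewall VM is meant to speak on these links.
write_bridge() {
    name="$1" port="$2"
    cat > "$NETDIR/ifcfg-$name" <<EOF
STARTMODE='auto'
BOOTPROTO='none'
BRIDGE='yes'
BRIDGE_PORTS='$port'
BRIDGE_STP='off'
BRIDGE_FORWARDDELAY='0'
EOF
    printf "STARTMODE='auto'\nBOOTPROTO='none'\n" > "$NETDIR/ifcfg-$port"
}

# The verification TSU asks for: both zones exist, sit on different NICs, and neither has
# swallowed eth0. A reversed or shared zone is what would expose the LAN side to the modem.
check_zones() {
    wan=$(sed -n "s/^BRIDGE_PORTS='\(.*\)'/\1/p" "$NETDIR/ifcfg-br-wan" 2>/dev/null)
    lan=$(sed -n "s/^BRIDGE_PORTS='\(.*\)'/\1/p" "$NETDIR/ifcfg-br-lan" 2>/dev/null)
    [ -n "$wan" ] && [ -n "$lan" ] && [ "$wan" != "$lan" ] && [ "$wan" != eth0 ] && [ "$lan" != eth0 ]
}

# vif line for the domU's xl config: the first vif is the WAN interface inside the guest, the
# second the LAN interface, so the zone assignment in pfSense/ClearOS must follow this order.
domu_vif_line() {
    printf "vif = [ 'bridge=br-wan', 'bridge=br-lan' ]\n"
}

apply_config() {
    write_bridge br-wan "$WAN_NIC"
    write_bridge br-lan "$LAN_NIC"
    check_zones || { echo "zone mapping is wrong, not bringing bridges up" >&2; return 1; }
    domu_vif_line
    # Next, as root: ifup br-wan; ifup br-lan; then paste the vif line into the domU config.
}

if [ "${1:-}" = apply ]; then apply_config; fi
```

Dry run with `NETDIR=/tmp/dryrun sh bridges.sh apply` and inspect the generated files before doing it for real; the eth0 guard only makes sense while eth0 remains the host's management link.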

Nice, thanks.
Somehow I thought that virtual network = VLAN or at least vSwitch,
and I am not sure how to configure this.
I will definitely read the linked post and be back with status.