Setup WAN/LAN for home network using virtualized servers.

Hi, I need some pointers on how to set up and configure networking in my house.
I know the theory of general networking stuff, but this is a full-blown network config and I seem to be lost.

What I have now:
(all this is set up at the point of origin, in the basement)

  1. CableVision high-speed line coming into the house using a CV modem.
  2. The CV modem is connected to a CV-provided NetGear router, which provides DHCP and access to the outside.
  3. The router is hooked up to an 8-port Gigabit hub that splits it all through the house (4 connections total).
  4. A small file server (unRAID) connected to the same hub in the basement, accessible by all PCs in the house.
  5. A Linksys wireless router running in AP mode (static IP), connected to the hub from the second floor to provide wider wireless access through the house.
    All wireless clients have 2 points of access: the Linksys AP or the NetGear router (2 SSIDs).

What I want to do:

I am building out a main VM server using openSUSE 12.3 as the host OS.
This host has 4 Gigabit NIC interfaces (2 on-board + 2 via an Intel Pro dual-port card).

I want to:

  1. Set up openSUSE 12.3 as a VM host system using Xen.
  2. Install a pfSense VM.
    Use the Intel NIC card to bridge/route WAN to LAN via the pfSense VM as a router, and remove the NetGear router from the setup.

Like: connect the CV modem to NIC-1 as WAN,
do all the network router stuff in pfSense (firewall, routing, etc.) and output it all to NIC-2, which will be connected to the switch (NetGear 16-port unmanaged gigabit).

  3. Create a bunch of VMs for a web server, file server, etc., whatever the needs are.

My problems so far:

  1. The networking is not working properly unless I use NetworkManager, but I want to use a manual config.

  2. Xen bridging does not work, as I cannot see the bridge anywhere at all and am not sure where/how to configure it.
    The last time I worked with it was on Ubuntu and I just edited the network file, but I seem to be unable to find a similar file in the OS.

  3. I am not sure how to properly configure the NICs to do what I want, as described above.
    Do I try to pass the Intel NIC through into the pfSense VM directly, or is there a way to attach them virtually?
    Do I need 4 NICs at all? If not, maybe I can team the on-board NICs to increase speed on the local network.
    Do I need to set up a vSwitch?

What is the proper way of setting up this kind of network so I can access it from outside?
I have a DynDNS service, so pfSense will update it for proper IP resolution, as CV is a DHCP service with no static IPs.

Are there any good guides that exist to help?

Also, a very important thing is: could I / should I set up some of the services on the host system,
or should I do them all in VMs using SME in addition to pfSense?
I know that any Linux distro is capable of DHCP, DNS, routing, firewall, etc., but can it run it all and still be stable enough?

The wanted services from outside would be VPN and FTP, and maybe some kind of file share service.

Thanks.

The main decision to make before architecting what you describe is what level of security you want/need.

For many, simply configuring multiple virtual networks on top of a single physical network is sufficient. This would generally be the case if you can trust your internal Hosts not to hack your virtual networking, so it would be OK for your home network but wouldn’t be recommended for a real business network. This concept allows you to run external, DMZ and internal zones on the same physical network if desired.

You also need to define your physical “edge” machines, which would have direct physical contact with untrusted networks like the Internet (and sometimes wireless). Those need to be where you deploy your firewall (like pfSense) or in a DMZ managed by your firewall.

Aside from the principle that your “edge” virtual machines must be in direct contact with the Internet, if your edge physical machine is multi-homed, you can bind your “edge” VMs to your external NIC and your “LAN” VMs to your internal NIC. As long as your Host machine isn’t compromised, it can generally provide sufficient isolation for your networks.

So, for a small or personal network I would configure the following using the above principles. I am not delving into the underlying reasons <why> because including that could turn this post into a book…

A highly capable “large” physical multi-homed (2 NICs, possibly a third to separate WiFi) machine:
  • Configure the SUSE FW for the standard 3 zones (external, DMZ, internal), binding external to the external NIC, internal to the internal NIC and the DMZ to either, depending on how I might want to configure the DMZ.
  • pfSense in the DMZ zone (maybe external if there are special needs).
  • Servers in the DMZ.
  • LAN servers in the internal zone.
  • Configure the internal NAS and LAN hosts using the same network as configured in the internal zone.

As to your specific issues:

  • NM (set to system start) using static or reserved leases should work fine, but if you want to use YaST “classic” addressing instead and are having problems, you’ll have to describe your problems in detail. Simply saying “doesn’t work” won’t be enough for any help.
  • The description I gave uses your openSUSE box as the router; without some description of how you’re using your NetGear router I can’t speculate on whether it is still needed.
  • Like above, I can’t speculate on why your Xen bridge isn’t working or available without a better description of how it was created, configured and managed. E.g. are you using libvirt or the command line or something else? Are you using Linux bridge devices only, at all, or do you have Open vSwitch installed? A simple start might be to list your Linux bridge devices:
    brctl show

Although it’s possible to bind vms directly to physical NICs, you should have vastly more flexibility if you attach virtually using Linux bridge devices. This would enable you to quickly and easily configure multiple physical and virtual machines to connect to the same virtual network.

Open vSwitch is optional; it supposedly allows additional capabilities, but AFAIK recent new features in the Linux kernel make it possible to use just Linux bridge devices.

When you properly set up VMs, they are accessible like any other virtual or physical Host on a network; they look no different and no special configuration is needed.

Basic network services like DNS, DHCP, file and authentication services are all possible from VMs, but in these situations it can be critical to control the startup order (some services will rely on others before they can even start).

A lot of what you describe depends on your personal expertise to configure on physical machines first. Only after you really understand the inter-relationships and how specific services and firewalls are configured and function can you successfully deploy in a virtual environment, which adds an additional layer of complexity (but can be a minor step only after you truly understand how everything else functions). If you’re first starting out, <start small>. Break your “Big Solution” down into individual little pieces, and the order you attack each piece again depends on your personal expertise and understanding.

Good Luck,
TSU
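An added example that is not part of the thread and not openSUSE's, Xen's or pfSense's own code: a small POSIX shell script that writes the /etc/sysconfig/network ifcfg files for the two-bridge layout the original poster wants (one Linux bridge per Intel NIC, the pfSense domU taking a vif on each) and emits the matching Xen vif line. The NIC names eth2/eth3, the bridge names br0/br1, the 192.168.1.0/24 addresses and the output directory are assumptions; the check function enforces the isolation point made above, namely that the host gets no address on the WAN-side bridge, so only the pfSense VM faces the modem.

```shell
#!/bin/sh
# Added example: generate openSUSE ifcfg files for a WAN bridge (br0 on eth2)
# and a LAN bridge (br1 on eth3) so a pfSense Xen domU can take one vif on
# each.  Names and addresses are assumptions; OUTDIR defaults to a scratch
# directory so this never touches the live /etc/sysconfig/network.
set -e

# gen_bridge OUTDIR BRIDGE PORT [IPADDR/PREFIX]
# Enslaves PORT to BRIDGE.  Without an address the bridge is layer-2 only:
# the host IP stack is not reachable from that segment (wanted on the WAN side).
gen_bridge() {
  outdir=$1 br=$2 port=$3 ip=${4:-}
  mkdir -p "$outdir"
  printf "STARTMODE='auto'\nBOOTPROTO='none'\n" > "$outdir/ifcfg-$port"
  {
    echo "STARTMODE='auto'"
    if [ -n "$ip" ]; then
      echo "BOOTPROTO='static'"
      echo "IPADDR='$ip'"
    else
      echo "BOOTPROTO='none'"
    fi
    echo "BRIDGE='yes'"
    echo "BRIDGE_PORTS='$port'"
    echo "BRIDGE_STP='off'"
    echo "BRIDGE_FORWARDDELAY='0'"
  } > "$outdir/ifcfg-$br"
}

# wan_bridge_ok OUTDIR BRIDGE: succeeds only if the host has no IPADDR on
# the WAN-side bridge, i.e. only the pfSense domU will face the modem.
wan_bridge_ok() {
  ! grep -q '^IPADDR=' "$1/ifcfg-$2"
}

# xen_vif_line BRIDGE... : the vif= entry for the pfSense domU config;
# the first bridge becomes the VM's first NIC (WAN), the second its LAN.
xen_vif_line() {
  line="vif = ["
  for b in "$@"; do line="$line 'bridge=$b',"; done
  echo "${line%,} ]"
}

OUTDIR=${OUTDIR:-$(mktemp -d)}
gen_bridge "$OUTDIR" br0 eth2                     # WAN: no host address
gen_bridge "$OUTDIR" br1 eth3 192.168.1.2/24      # LAN: host's static IP
printf 'default 192.168.1.1 - -\n' > "$OUTDIR/routes"  # default gw = pfSense LAN IP
wan_bridge_ok "$OUTDIR" br0 && echo "ok: host is addressless on br0"
xen_vif_line br0 br1
```

On a real box the generated files would be copied into /etc/sysconfig/network and the bridges brought up with ifup, after which brctl show should list br0 and br1 with their ports.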

Sorry, it was an extensive post and I kind of glanced over the details.
What I mean by “does not work” is: when I have NM on, all is peachy, I have an internet connection and all.
When I run the Xen config and it asks to set up a bridge, I say OK; then I can see an extra network connection in NM with a yellow icon on it, limited connectivity and all. Also NM puts everything on DHCP; if I try going static, the connection goes down.

Now when I try to configure the NICs manually, I set the static IP and a host name for each connection (NIC).
Currently using my NetGear router as gateway and DNS, it all appears to work, but I have no internet connectivity at all.
I can ping the NICs from the local network, and I see them in the network scanner tool (my Windows PC).
I can even SSH into it using one of the connections, but no internet, and also no name resolution at all. I have to use IPs.

I have a typical home setup.
I do not remember changing the router config much, except adjusting the DHCP range to start from .50+ addresses instead of from .3.
Everything else is pretty standard, whatever came preset from Optimum.
Until now I did not have the need to do anything elaborate, but now since I have a nice server at hand I want to actually use it.

Also I am not sure if I want to use the main host as a router. I want it to be stable and slim.
That is where pfSense comes in. I simply want to build out a pfSense VM.
Connect 1 NIC to it as WAN and 1 NIC as LAN, and use that instead of the NetGear: take the drop from the CV modem that is currently plugged into the NetGear WAN port and plug it into NIC1, let pfSense do whatever it needs, and output through NIC2 into my switch.

From there all other PCs and the host system with all the VMs will get internet access.
I am not sure if I want pfSense to handle DHCP services as well or if I just run DHCP on the main host; I don’t see much of a difference, as the pfSense VM should be starting first on reboots anyway and the host will have a static IP.

I am currently looking into Open vSwitch, but it is a little over my head at the moment.
Thus I am thinking to just set up everything else first using my router, and when I am satisfied that all else works internally, attack the pfSense config.

I have already broken all of it into small pieces and am trying to get it to work one piece at a time.
I gave the whole write-up because I want people to see what the whole plan is, as I might have something there that would require attention first, in a different order than I might have planned, and thus someone might point that out to me.

Also I do realize that I am trying to bite off more than I can chew, but I don’t really have a lot of free time on my hands, so I try to accomplish as much as I can at a time to utilize the time I have better.

Thanks

Have you diagrammed your physical hosts, virtual hosts and the virtual networks on each physical network link?

I seem to understand that you have a “Home Internet Router” that is providing your DG, DNS and DHCP.
Almost certainly it will also be doing NAT, so have you considered what configurations are required for inbound access (e.g. IP and port forwarding, possible FW zones, more)?
And remember that TCP/IP is a 2-way protocol; you almost certainly need to ensure network routing in both directions, as well as handling possible name resolution issues.

  1. Diagram your basic working network without complications.
  2. As I described earlier, break down your entire solution into bite-sized pieces.
  3. Prioritize each piece in the order which needs to exist and be configured before another.
  4. Work on only one piece at a time (or at most what you can handle successfully).

Virtualization is an added complication but usually not too difficult.
If you have enough physical machines, set up without virtualization so you understand the issues. Or, if you don’t have enough physical machines for your lab, configure and setup each piece using physical machines. Then you are more likely to understand why and what is required for that piece so that it can be re-deployed virtually.

TSU