    Networking and 1U Colocation

    IT Discussion
    colocation networking virtualization software defined network
    • travisdh1 @EddieJennings

      @eddiejennings said in Networking and 1U Colocation:

      I'm thinking through this topology a bit further:

      1. Eth0 on host passes traffic via macvtap to FirewallVM (100.100.100.2/30).
      2. Isolated network connects FirewallVM to the rest of the guest VMs.
      3. Isolated network connects one of the guest VMs to the host VM.

      To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three. Once connected to that VM, I'd then SSH from there to my host -- basically making that guest VM a jump box.

      VyOS has SSH built in... just saying.

      • JaredBusch @travisdh1

        @travisdh1 said in Networking and 1U Colocation:

        @eddiejennings said in Networking and 1U Colocation:

        I'm thinking through this topology a bit further:

        1. Eth0 on host passes traffic via macvtap to FirewallVM (100.100.100.2/30).
        2. Isolated network connects FirewallVM to the rest of the guest VMs.
        3. Isolated network connects one of the guest VMs to the host VM.

        To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three. Once connected to that VM, I'd then SSH from there to my host -- basically making that guest VM a jump box.

        VyOS has SSH built in... just saying.

        Umm WTF? Open SSH to the world? On your router? Fuck that.

        • JaredBusch @EddieJennings

          @eddiejennings said in Networking and 1U Colocation:

          To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.

          Never.

          Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.

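The alternative argued for above is SSH that answers only on the ZeroTier overlay, never through a NAT rule from the uplink. As an added example (not code from the thread or from ZeroTier), this check parses an sshd_config and flags any ListenAddress that binds every interface or sits outside the overlay subnet; the subnet 10.147.17.0/24 and the sample configs are constructed, so substitute the managed route your own ZeroTier network assigns.

```python
"""Audit where sshd binds, so the host only answers SSH on the management overlay.

Added example, not from the thread. The overlay subnet and the sample configs are
constructed; substitute the managed route your ZeroTier network actually assigns.
"""
import ipaddress

# sshd's default when no ListenAddress is configured: every IPv4 and IPv6 address.
DEFAULT_LISTEN = ["0.0.0.0", "::"]


def parse_listen_addresses(sshd_config: str) -> list[str]:
    """Return the ListenAddress values, or sshd's defaults if none are set."""
    found = []
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "listenaddress":
            found.append(parts[1].strip())
    return found or list(DEFAULT_LISTEN)


def host_part(listen: str) -> str:
    """Strip the optional port from the forms host, host:port and [host]:port."""
    if listen.startswith("["):
        return listen[1:listen.index("]")]
    if listen.count(":") == 1:  # IPv4 with a port; a bare IPv6 address has more colons
        return listen.split(":", 1)[0]
    return listen


def audit_sshd_exposure(sshd_config: str, overlay_subnet: str) -> list[str]:
    """Return one finding per ListenAddress that is reachable off the overlay."""
    overlay = ipaddress.ip_network(overlay_subnet)
    findings = []
    for listen in parse_listen_addresses(sshd_config):
        host = host_part(listen)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{listen}: hostname, resolve and check it by hand")
            continue
        if addr.is_unspecified:
            findings.append(f"{listen}: binds every interface, including the colo uplink")
        elif addr not in overlay:  # an address of another IP version is also 'outside'
            findings.append(f"{listen}: outside the management overlay {overlay}")
    return findings


# Constructed sample configs: a default install versus one pinned to the overlay.
WEAK_CONFIG = "Port 22\n#ListenAddress 0.0.0.0\nPasswordAuthentication no\n"
PINNED_CONFIG = "ListenAddress 10.147.17.5:22\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("pinned", PINNED_CONFIG)):
        print(name, audit_sshd_exposure(cfg, "10.147.17.0/24") or ["ok"])
```

Binding sshd to the overlay address is defence in depth on the host; the NAT rule on the firewall VM still has to go, since the check cannot see it.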
          • EddieJennings @JaredBusch

            @jaredbusch said in Networking and 1U Colocation:

            @eddiejennings said in Networking and 1U Colocation:

            To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.

            Never.

            Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.

            I’ve heard of ZeroTier. Time to learn something about it.

            • JaredBusch @EddieJennings

              @eddiejennings said in Networking and 1U Colocation:

              @jaredbusch said in Networking and 1U Colocation:

              @eddiejennings said in Networking and 1U Colocation:

              To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.

              Never.

              Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.

              I’ve heard of ZeroTier. Time to learn something about it.

              Here you go.
              https://www.zerotier.com/

              https://mangolassi.it/topic/16853/installing-zerotier-on-fedora

              • scottalanmiller @EddieJennings

                @eddiejennings said in Networking and 1U Colocation:

                @jaredbusch said in Networking and 1U Colocation:

                @eddiejennings said in Networking and 1U Colocation:

                To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three.

                Never.

                Use ZeroTier on your host. In the instance that it fails, use the colo's KVM to fix it.

                I’ve heard of ZeroTier. Time to learn something about it.

                Very good product.

                • AdamF @JaredBusch

                  @jaredbusch said in Networking and 1U Colocation:

                  @travisdh1 said in Networking and 1U Colocation:

                  @eddiejennings said in Networking and 1U Colocation:

                  I'm thinking through this topology a bit further:

                  1. Eth0 on host passes traffic via macvtap to FirewallVM (100.100.100.2/30).
                  2. Isolated network connects FirewallVM to the rest of the guest VMs.
                  3. Isolated network connects one of the guest VMs to the host VM.

                  To manage my host over the Internet, I'd have a NAT rule that would direct SSH traffic to the VM in item three. Once connected to that VM, I'd then SSH from there to my host -- basically making that guest VM a jump box.

                  VyOS has SSH built in... just saying.

                  Umm WTF? Open SSH to the world? On your router? Fuck that.

                  Your direct, to-the-point responses often have me LOLing.

                  • EddieJennings

                    Here's an updated diagram.
                    [diagram: colonetwork2.png]

                    I'm wondering about how to do updates on the KVM host. Since there will be only one NIC with a connection to the colo's network, and that NIC is attached to the FirewallVM, it seems that the KVM host will have to have a way to send/receive traffic to/from the FirewallVM to have an Internet connection. Perhaps one alternative would be to set up a VM that acts like a repository for the updates I'd get through dnf, and the KVM host would talk to that VM to get its software updates.

                    The other thing I'm thinking about is how I'm going to use Virt-Manager with my KVM host. Methinks this might be where ZeroTier would come in. I could connect to the "VM for managing the host" which would have Virt-Manager installed.

                    • JaredBusch @EddieJennings

                      @eddiejennings said in Networking and 1U Colocation:

                      Here's an updated diagram.
                      [diagram: colonetwork2.png]

                      I'm wondering about how to do updates on the KVM host. Since there will be only one NIC with a connection to the colo's network, and that NIC is attached to the FirewallVM, it seems that the KVM host will have to have a way to send/receive traffic to/from the FirewallVM to have an Internet connection. Perhaps one alternative would be to set up a VM that acts like a repository for the updates I'd get through dnf, and the KVM host would talk to that VM to get its software updates.

                      The other thing I'm thinking about is how I'm going to use Virt-Manager with my KVM host. Methinks this might be where ZeroTier would come in. I could connect to the "VM for managing the host" which would have Virt-Manager installed.

                      Just add a NIC on your LAN network. Keep it normally disabled. Enable it and run updates.

                      Or just not be super paranoid and just have it on the LAN always.

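The "normally disabled LAN NIC, enabled only while updating" approach from the reply above, as an added example that is not code from the thread: it assumes a NetworkManager connection profile named lan-updates (assumed name) on the host's second NIC with autoconnect off, and dnf as the updater, as in the thread. The command runner is injectable so the sequence can be exercised without touching a real host.

```python
"""Open the KVM host's LAN NIC only for the duration of a dnf update.

Added example, not from the thread. Assumes a NetworkManager connection profile
named "lan-updates" (assumed name) on the host's second NIC with autoconnect off.
"""
import subprocess
import sys
from typing import Callable

LAN_CONN = "lan-updates"  # assumed NetworkManager profile name
Runner = Callable[[list[str]], int]


def real_runner(argv: list[str]) -> int:
    """Run a command on the host and return its exit status."""
    return subprocess.run(argv, check=False).returncode


def update_window(run: Runner = real_runner) -> tuple[int, list[list[str]]]:
    """Bring the LAN profile up, update, and bring it down again.

    Returns dnf's exit status and the commands issued, in order. The 'down'
    always runs, even when dnf fails, so the host never stays on the LAN by
    accident. A failed 'up' raises instead, since nothing was opened.
    """
    issued: list[list[str]] = []

    def do(argv: list[str]) -> int:
        issued.append(argv)
        return run(argv)

    if do(["nmcli", "connection", "up", LAN_CONN]) != 0:
        raise RuntimeError(f"could not bring up {LAN_CONN}; nothing updated")
    try:
        status = do(["dnf", "-y", "upgrade", "--refresh"])
    finally:
        do(["nmcli", "connection", "down", LAN_CONN])
    return status, issued


def failing_dnf_runner(argv: list[str]) -> int:
    """Constructed fake runner for testing: every command succeeds except dnf."""
    return 1 if argv[0] == "dnf" else 0


if __name__ == "__main__":
    status, _ = update_window()
    sys.exit(status)
```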
                      • EddieJennings @JaredBusch

                        @jaredbusch said in Networking and 1U Colocation:

                        Or just not be super paranoid and just have it on the LAN always.

                        Ha! 😄

                        • JaredBusch @EddieJennings

                          @eddiejennings said in Networking and 1U Colocation:

                          @jaredbusch said in Networking and 1U Colocation:

                          Or just not be super paranoid and just have it on the LAN always.

                          Ha! 😄

                          It is no different in that way than one in your office.

                          In fact, you will need a way to the Internet for ZeroTier to come online.

                          • StorageNinja (Vendor) @scottalanmiller

                            @scottalanmiller said in Networking and 1U Colocation:

                            @eddiejennings said in Networking and 1U Colocation:

                            @scottalanmiller said in Networking and 1U Colocation:

                            @eddiejennings said in Networking and 1U Colocation:

                            @aaronstuder said in Networking and 1U Colocation:

                            What are the specs of the server?

                            Intel Xeon CPU Quad Core X3430 2.4GHz
                            32 GB RAM
                            Two 2 TB SATA drives in RAID 1

                            Could be worth calling xByte and getting something a little beefier.

                            I'll give it some thought. I need to think through how I intend to use it beyond just building and destroying VMs just to tinker. Might start a "spec my server" thread. 😄

                            Your CPU is fine, but 64GB of RAM might be worthwhile.

                            That CPU dates back to when I began my IT career. I'm fairly certain Intel hasn't released Meltdown/Spectre microcode patches for it.

                            • Obsolesce @StorageNinja

                              @storageninja said in Networking and 1U Colocation:

                              @scottalanmiller said in Networking and 1U Colocation:

                              @eddiejennings said in Networking and 1U Colocation:

                              @scottalanmiller said in Networking and 1U Colocation:

                              @eddiejennings said in Networking and 1U Colocation:

                              @aaronstuder said in Networking and 1U Colocation:

                              What are the specs of the server?

                              Intel Xeon CPU Quad Core X3430 2.4GHz
                              32 GB RAM
                              Two 2 TB SATA drives in RAID 1

                              Could be worth calling xByte and getting something a little beefier.

                              I'll give it some thought. I need to think through how I intend to use it beyond just building and destroying VMs just to tinker. Might start a "spec my server" thread. 😄

                              Your CPU is fine, but 64GB of RAM might be worthwhile.

                              That CPU dates back to when I began my IT career. I'm fairly certain Intel hasn't released Meltdown/Spectre microcode patches for it.

                              Dell says a BIOS update for that stuff is in progress; other x10s have been patched:

                              http://www.dell.com/support/article/us/en/04/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

                              • EddieJennings

                                Experimented with this tonight, so I figured I'd share what I did. I was curious to see if I could access the iDRAC web interface without exposing iDRAC to the Internet.

                                The solution I used seemed simple enough. I created another NIC in a VM, and set it to be bridged to the 2nd NIC on the host via macvtap. I gave the NIC a static IP. On the host, I connected the iDRAC port to the 2nd NIC using a crossover cable, and added an appropriate static IP in the DRAC settings. I connected to my VM via ScreenConnect (which for now is how I'll be connecting remotely to my management VM), and was able to browse to the iDRAC web page.

                                I don't plan on doing this when I ship my server off, but I was curious to see if I could do it and make it work.

                                • black3dynamite @EddieJennings

                                  @eddiejennings said in Networking and 1U Colocation:

                                  Experimented with this tonight, so I figured I'd share what I did. I was curious to see if I could access the iDRAC web interface without exposing iDRAC to the Internet.

                                  The solution I used seemed simple enough. I created another NIC in a VM, and set it to be bridged to the 2nd NIC on the host via macvtap. I gave the NIC a static IP. On the host, I connected the iDRAC port to the 2nd NIC using a crossover cable, and added an appropriate static IP in the DRAC settings. I connected to my VM via ScreenConnect (which for now is how I'll be connecting remotely to my management VM), and was able to browse to the iDRAC web page.

                                  I don't plan on doing this when I ship my server off, but I was curious to see if I could do it and make it work.

                                  What about setting up a ZeroTier bridge VM?

                                  • EddieJennings @black3dynamite

                                    @black3dynamite said in Networking and 1U Colocation:

                                    @eddiejennings said in Networking and 1U Colocation:

                                    Experimented with this tonight, so I figured I'd share what I did. I was curious to see if I could access the iDRAC web interface without exposing iDRAC to the Internet.

                                    The solution I used seemed simple enough. I created another NIC in a VM, and set it to be bridged to the 2nd NIC on the host via macvtap. I gave the NIC a static IP. On the host, I connected the iDRAC port to the 2nd NIC using a crossover cable, and added an appropriate static IP in the DRAC settings. I connected to my VM via ScreenConnect (which for now is how I'll be connecting remotely to my management VM), and was able to browse to the iDRAC web page.

                                    I don't plan on doing this when I ship my server off, but I was curious to see if I could do it and make it work.

                                    What about setting up a ZeroTier bridge VM?

                                    ZeroTier is my next thing to try. I wanted to do my little iDRAC experiment, and I had ScreenConnect handy. Connecting to my management VM via ZeroTier is probably the best way to go.

                                    • Reid Cooper @EddieJennings

                                      @eddiejennings ZT is some slick stuff. You'll like it a lot. @adam-ierymenko

                                      • travisdh1 @Reid Cooper

                                        @reid-cooper said in Networking and 1U Colocation:

                                        @eddiejennings ZT is some slick stuff. You'll like it a lot. @adam-ierymenko

                                        Yep. When a VPN is needed, it's the easiest/quickest solution I've found.

                                        • EddieJennings @travisdh1

                                          @travisdh1 said in Networking and 1U Colocation:

                                          @reid-cooper said in Networking and 1U Colocation:

                                          @eddiejennings ZT is some slick stuff. You'll like it a lot. @adam-ierymenko

                                          Yep. When a VPN is needed, it's the easiest/quickest solution I've found.

                                          One use I'm considering is installing it on my KVM host so I can manage it from home via SSH without having to do additional firewall configuration.

                                          • travisdh1 @EddieJennings

                                            @eddiejennings said in Networking and 1U Colocation:

                                            @travisdh1 said in Networking and 1U Colocation:

                                            @reid-cooper said in Networking and 1U Colocation:

                                            @eddiejennings ZT is some slick stuff. You'll like it a lot. @adam-ierymenko

                                            Yep. When a VPN is needed, it's the easiest/quickest solution I've found.

                                            One use I'm considering is installing it on my KVM host so I can manage it from home via SSH without having to do additional firewall configuration.

                                            FreePBX is what I use it for currently. It just makes it so I don't have to arse with setting up dynamic DNS services from the 5 different places I typically work from, let alone all the other random places I end up.
