
Environment:

  • CentOS 7 + libvirt (with virt-manager)
  • 6 NICs
  • Multiple internal private networks

Task:

  • Create a virtual firewall and assign all NICs to it

Problem:

  • How can I connect the host system to one of the private networks so if I SSH into the firewall, I can SSH onward to the host system?
Bert

2 Answers


Yes, you can! :)

Your host should have the first IP on these networks.


pbacterio@hplaptop ~> ip address show dev virbr0
7: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:32:a3:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
pbacterio
    There is no DHCP server on the private networks, I'll have to set them up manually. So I'm not really understanding the way I have to do it. So what interface on the Guest (FW) do I have to connect with what on the Host? – Bert Mar 17 '17 at 13:49

So what interface on the Guest (FW) do I have to connect with what on the Host?

I think the solution depends on your network design.

It sort of sounds like you may want to consider setting up some kind of management network, put the firewall as the gateway node into that network, and then create rules to allow SSH into the management addresses of nodes, from (hopefully) only authorised locations (and/or a jumphost).

You don't really give enough details of your setup to provide a more specific suggestion.

However, I suspect the basic answer to your question is that the NICs are not necessarily so relevant; what is more relevant is that traffic between networks must be routed via the firewall.

How exactly you do that really depends on how things are set up - I would tend to assume 6 NICs = 6 networks, so I would give your firewall an IP on each network, and make all other nodes on that network use the firewall as default gateway.

iwaseatenbyagrue
  • The whole network topology is not really public, but I can tell you that I'll run about 10 virtual machines on the server with 3 main LAN private networks. I want the actual host machine to be accessible from one of these LAN networks via SSH, but only if I SSH into the firewall and then I can go to the host. So the 6 NICs won't be used, only 3 of them will be: 1 connecting external users to one of the private LANs and 2 for a redundant internet connection. I hope this helps in understanding my issue. – Bert Mar 17 '17 at 14:46
  • So you basically want your firewall to double as some kind of jumphost? I am not sure that is necessarily the best approach, but essentially, as long as your firewall can route to/from your hypervisor, then you just need to create the appropriate rules (on both the firewall and the hypervisor) - basically, ignore the virtual/physical distinction, treat both as hosts with IP addresses, and build your firewall rules accordingly. Or am I missing something? – iwaseatenbyagrue Mar 17 '17 at 14:50
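Putting both answers together as an added example (not code from either answerer): the host takes the first address on an isolated libvirt network with no DHCP, and the hypervisor's own firewalld only accepts SSH on that bridge from the firewall VM's address. The network name `mgmt`, bridge `virbr1`, subnet `10.10.10.0/24` and firewall address `10.10.10.2` are assumptions.

```python
"""Generate a libvirt isolated-network definition plus hypervisor SSH rules.

Constructed values (mgmt, virbr1, 10.10.10.0/24, firewall at 10.10.10.2) are
assumptions for illustration, not taken from the question.
"""
import ipaddress
from typing import List
from xml.etree import ElementTree as ET


def isolated_network_xml(name: str, bridge: str, subnet: str) -> str:
    """Return libvirt <network> XML in which the host owns the first usable IP.

    No <forward> element makes the network isolated (traffic leaves only via
    the firewall VM); no <dhcp> element means guests are addressed manually.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    host_ip = next(net.hosts())  # first usable address, e.g. 10.10.10.1
    root = ET.Element("network")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "bridge", name=bridge, stp="on", delay="0")
    ET.SubElement(root, "ip", address=str(host_ip), netmask=str(net.netmask))
    return ET.tostring(root, encoding="unicode")


def host_ssh_rules(bridge: str, subnet: str, firewall_ip: str,
                   zone: str = "internal") -> List[str]:
    """firewalld commands for the hypervisor (CentOS 7 default firewall):
    bind the bridge to a zone, drop the zone's blanket ssh service, and
    re-admit SSH only from the firewall VM's address on that network."""
    net = ipaddress.ip_network(subnet, strict=True)
    fw = ipaddress.ip_address(firewall_ip)
    if fw not in net or fw == next(net.hosts()):
        raise ValueError("firewall address must be inside the subnet and "
                         "must not be the host's own (first) address")
    rule = (f'rule family="ipv4" source address="{fw}/32" '
            f'service name="ssh" accept')
    return [
        f"firewall-cmd --permanent --zone={zone} --add-interface={bridge}",
        f"firewall-cmd --permanent --zone={zone} --remove-service=ssh",
        f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rule}'",
        "firewall-cmd --reload",
    ]


if __name__ == "__main__":
    print(isolated_network_xml("mgmt", "virbr1", "10.10.10.0/24"))
    print("\n".join(host_ssh_rules("virbr1", "10.10.10.0/24", "10.10.10.2")))
```

Save the XML to a file and load it with `virsh net-define` / `virsh net-start`; the firewall VM's NIC then attaches to the `mgmt` network and is given `10.10.10.2` statically inside the guest.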