<div dir="ltr"><div dir="auto"><div>On Oct 30, 2017 10:26 AM, "Luca 'remix_tj' Lorenzetto" <<a href="mailto:lorenzetto.luca@gmail.com" target="_blank">lorenzetto.luca@gmail.com</a>> wrote:<br type="attribution"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="m_1560924602851901131quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_1560924602851901131quoted-text">On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <<a href="mailto:buki.istvan@gmail.com" target="_blank">buki.istvan@gmail.com</a>> wrote:<br>
> Hello,<br>
><br>
> thank you for your patience in trying to help me see the light.<br>
><br>
> Indeed I don't understand what you are explaining. Maybe if I give you more<br>
> concrete details it will help.<br>
><br>
> My internal network is 192.168.196.0<br>
> My DMZ network is 192.168.188.0<br>
><br>
> ovirt-engine is running on a CentOS server with IP 192.168.186.3<br>
> ovirt host is on a CentOS server with IP 192.168.186.4<br>
><br>
> On the host I created a VM that I want to be in the DMZ. When I created the<br>
> VM, nic 1 was automatically added and is linked to the ovirtmgmt network.<br>
> In the VM nic1 becomes eth0 and was assigned an IP address with DHCP<br>
> 192.168.186.167.<br>
><br>
> After that I added a host device to that VM using passthrough. This device<br>
> is called ens7 in the VM and I gave it IP 192.186.188.4.<br>
> That device is directly connected to my physical DMZ switch and from there<br>
> to the firewall.<br>
> This part is OK.<br>
><br>
> My problem is that through eth0 my VM has access to my internal network.<br>
> Removing the device seems impossible because this is ovirtmgmt network.<br>
> I cannot change or remove the IP of my host because it would not be<br>
> reachable anymore on my internal network.<br>
><br>
> Maybe the solution is obvious but I can't see it. I'm running in circles with<br>
> this problem and it makes me crazy.<br>
><br>
<br>
</div>Hi Istvan,<br>
<br>
Why are you using device passthrough?<br>
<br>
Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.<br>
As far as I can understand, you're directly communicating through the DMZ.<br>
<br></blockquote></div><div class="gmail_quote"><br></div><div class="gmail_quote">Hi Luca,</div><div class="gmail_quote"><br></div><div class="gmail_quote">As I have only one VM in the DMZ currently, I assigned the NIC directly to the VM instead of creating a logical network to get maximum performance and better security, because only the VM can access that network interface. If one day I have to create another VM inside the DMZ I'll create a logical network and bind the NIC to that network instead of the VM.</div><div class="gmail_quote"><br></div><div class="gmail_quote">OK, I removed nic1 and it looks good. The only interface left is the DMZ network and I can reach it through the firewall. :-)</div><div class="gmail_quote"><br></div><div class="gmail_quote">Thank you so much for your help and patience.</div><div class="gmail_quote"><br></div><div class="gmail_quote">Istvan<br></div></div></div></div>
</div>
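<p>The fix in the thread (remove the ovirtmgmt NIC so the DMZ guest has only its DMZ interface) is easy to verify from inside the guest, and worth re-checking after every reconfiguration, because a second interface or a stray route is exactly what turns a DMZ host into a bridge to the internal network. The script below is an added example, not code from the thread or from the oVirt project: it parses <code>ip -o -4 addr</code> and <code>ip -4 route</code> output and reports any address inside, or route leading into, a network the guest must not reach. The prefixes are assumptions taken from the addresses in the thread (engine and host in 192.168.186.0/24, DMZ in 192.168.188.0/24), and the two "before" and "after" captures are constructed to mirror the situation described, not taken from Istvan's VM.</p>

```python
"""Audit a guest's IPv4 interfaces and routes for any path into a network it must not reach.

Added example (not from the oVirt mailing list thread or the oVirt project).
Works on any Linux host with iproute2; the sample captures below are constructed.
"""
import ipaddress
import subprocess

# Assumed from the thread's addresses: engine/host live in 192.168.186.0/24, the DMZ is 192.168.188.0/24.
INTERNAL_NET = ipaddress.ip_network("192.168.186.0/24")
DMZ_NET = ipaddress.ip_network("192.168.188.0/24")

# Constructed `ip -o -4 addr` / `ip -4 route` output before nic1 (eth0, ovirtmgmt) was removed.
ADDR_BEFORE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.186.167/24 brd 192.168.186.255 scope global dynamic eth0\\       valid_lft 3000sec preferred_lft 3000sec
3: ens7    inet 192.168.188.4/24 brd 192.168.188.255 scope global ens7\\       valid_lft forever preferred_lft forever
"""
ROUTE_BEFORE = """\
default via 192.168.186.1 dev eth0 proto dhcp metric 100
192.168.186.0/24 dev eth0 proto kernel scope link src 192.168.186.167 metric 100
192.168.188.0/24 dev ens7 proto kernel scope link src 192.168.188.4 metric 101
"""

# Constructed output after nic1 was removed: only the DMZ interface and a default route via the firewall remain.
ADDR_AFTER = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
3: ens7    inet 192.168.188.4/24 brd 192.168.188.255 scope global ens7\\       valid_lft forever preferred_lft forever
"""
ROUTE_AFTER = """\
default via 192.168.188.1 dev ens7
192.168.188.0/24 dev ens7 proto kernel scope link src 192.168.188.4
"""


def parse_addrs(text):
    """Yield (ifname, IPv4Interface) for every line of `ip -o -4 addr` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "inet" not in fields:
            continue
        ifname = fields[1]
        cidr = fields[fields.index("inet") + 1]
        yield ifname, ipaddress.ip_interface(cidr)


def parse_routes(text):
    """Yield (destination network, next hop or None, device or None) for `ip -4 route` output."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst_text = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dst = ipaddress.ip_network(dst_text, strict=False)
        via = ipaddress.ip_address(fields[fields.index("via") + 1]) if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        yield dst, via, dev


def audit(addr_text, route_text, forbidden=INTERNAL_NET):
    """Return findings: addresses inside `forbidden`, specific routes covering it, or next hops inside it.

    The default route is not judged by prefix (0.0.0.0/0 overlaps everything); it is only
    flagged when its next hop sits inside the forbidden network.
    """
    findings = []
    for ifname, iface in parse_addrs(addr_text):
        if iface.ip in forbidden:
            findings.append(f"address: {ifname} holds {iface} inside {forbidden}")
    for dst, via, dev in parse_routes(route_text):
        if dst.prefixlen > 0 and dst.overlaps(forbidden):
            findings.append(f"route: {dst} dev {dev} covers {forbidden}")
        if via is not None and via in forbidden:
            findings.append(f"route: {dst} next hop {via} dev {dev} sits inside {forbidden}")
    return findings


def live_audit(forbidden=INTERNAL_NET):
    """Run the same audit against this host's real interfaces and routes (requires iproute2)."""
    addr = subprocess.run(["ip", "-o", "-4", "addr"], capture_output=True, text=True, check=True).stdout
    route = subprocess.run(["ip", "-4", "route"], capture_output=True, text=True, check=True).stdout
    return audit(addr, route, forbidden)


if __name__ == "__main__":
    for label, addr, route in (("before", ADDR_BEFORE, ROUTE_BEFORE), ("after", ADDR_AFTER, ROUTE_AFTER)):
        found = audit(addr, route)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

<p>Run as-is it reports three findings for the "before" capture (the eth0 address, the connected route for 192.168.186.0/24, and the default route whose next hop is the internal gateway) and none for the "after" capture; <code>live_audit()</code> applies the same rule to the guest it runs on. Keeping the DMZ guest to a single interface is the part the hypervisor configuration enforces; what the firewall lets that interface reach is a separate policy that this check does not cover.</p>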