On 30 Oct 2017 10:26 AM, "Luca 'remix_tj' Lorenzetto" <lorenzetto.luca(a)gmail.com> wrote:
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan(a)gmail.com> wrote:
Hello,
thank you for your patience for trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you more concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created the VM, nic1 was automatically added and is linked to the ovirtmgmt network.
In the VM nic1 becomes eth0 and was assigned an IP address with DHCP: 192.168.186.167.
After that I added a host device to that VM using passthrough. This device is called ens7 in the VM and I gave it the IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from there
to the firewall.
This part is OK.
My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is ovirtmgmt network.
I can not change or remove the IP of my host because it would not be
reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circles with this problem and it makes me crazy.
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
As far as I can understand, you're directly communicating through the DMZ.
Hi Luca,
As I have only one VM in the DMZ currently I assigned the NIC directly to
the VM instead of creating a logical network to get maximum performance and
better security because only the VM can access that network interface. If
one day I have to create another VM inside DMZ I'll create a logical
network and bind the NIC to that network instead of the VM.
OK, I removed nic1 and it looks good. The only interface left is the DMZ
network and I can reach it through the firewall. :-)
Thank you so much for your help and patience.
Istvan