Just one more thought about your requirement to
have the VM with the firewall on a specific host,
I am not quite sure you need this requirement at all.
What you could do instead, is create an OVN network
that would contain only one vNIC on this VM, and
add your NIC (the one going out to the external servers)
manually to the appropriate OVN LogicalSwitch (the one
matching the OVN network).
This way the OVN network would bridge the externally
facing NIC to your VM vNIC. OVN would take care of
making sure the traffic gets to the appropriate host.



On Wed, Aug 23, 2017 at 5:46 PM, Mitchell Smith <mitchinseattle2014@gmail.com> wrote:
Thanks very much for that, the YouTube video was very helpful. I was basically working from the Red Hat documentation at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-adding_external_providers which wasn’t very in-depth.

The video did a much better job explaining how OVN works which was very useful.

I appreciate the info, thanks.

On Aug 23, 2017, at 7:35 AM, Marcin Mirecki <mmirecki@redhat.com> wrote:

Hi,

Please check out this deep dive to see how the OVN provider is set up:
https://www.youtube.com/watch?v=vGeouWfKJwA&t=10s

By adding a subnet to the external network you will get a DHCP server
on this network that will use the defined subnet.

Try using affinity groups to make our VM come up on a specific groups.

To connect your NIC with the public IP, you can connect it
to the VM as a passthrough device. Adding one more NIC connected
to an OVN network would give you a VM connected to both.

Another (not so clean) possibility is to create an oVirt network, add
it to the host, and connect the VM to it. On the host you will see
that a bridge will be created for the network. You could then add
your NIC that goes to the remote networks to the bridge created for
the network on your host (manual action).
This would also be possible using an OVN network with just the
single NIC from that VM connected, and the external NIC plugged
into the OVS bridge used for OVN (with manual OVN configuration).

On Wed, Aug 23, 2017 at 11:32 AM, Mitch <mitchinseattle2014@gmail.com> wrote:
Hi,

I am trying to understand the best way to structure our network with oVirt.

We have a number of servers hosted in a remote datacenter, all with a
single NIC with a single public IP.

One server also has a /26 subnet mapped to it which we have to present
on a specific MAC address.

What I am trying to do is have all our VMs on a private subnet
10.2.3.0/24 for example, and use OVN to make that subnet available
across all oVirt hosts, (PeerVPN and Tinc are also options I’m looking
at).

On the single host with the /26 on it, I plan to run an instance of
Opnsense or similar as a VM, with two NICs, one bridged to eth0 with
the specific MAC required for the public subnet, and one that will
connect to the private virtual network. I could then do 1-to-1 NAT for
those hosts on the private network that need to be publicly
accessible.

I know this isn’t the ideal setup, but we have to work within the
constraints required by the datacenter we are using.

Unfortunately I can’t work out how to configure this in oVirt, I
assume I need to set up a logical network for the private subnet,
using OVN as an external provider, and set up another logical subnet
for the public address space and attach that to a specific host in the
cluster?

For the public address space, how do I bridge that to eth0 and give it
a specific MAC address? Also how can I ensure my Opnsense VM comes up
on a specific host?

For the private network, is OVN the best approach, or am I better off
looking at other mesh VPN solutions to build an internal network
across our oVirt hosts?

Any comments or suggestions will be greatly appreciated.

Thanks :)
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users