[Users] why ovirt does not support NAT network
woswas denni
quasides at gmail.com
Mon Dec 30 20:39:58 UTC 2013
>
> Well, there's nothing much beyond the hook's README
>
http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD
> You should start by defining a libvirt network, and then mark a vNIC
> profile with a custom propery so that the network is used by vNICs.
>
> As a very first stage, you may define the libvirt network on top of your
> existing br0 bridge
> (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can
> consume your networking setup.
>
Hmm do we really need a libvirt bridge or cant we go simply with a regular
virtual brdige as i already use?
all i want is connect ovirts vlan nic to existing interfaces.
iam aware tat then many configs has to be done manually, but thats fine for
now
> But who creates that VPN connection? Who supplies the credentials?
well this is manually, only once per host no desire for automation here,
ive automated scripts for that but i usually use an offline pc as a signing
device.
>
>
> How does this work, if they are both behind NAT?
Well they are not and they are, its a routed NAT combo :)
Lets say i have 2 server - we would have then 3 internal networks -
1 - VPN conncting and routing between physical hosts
2&3 - Each hosts internal bridge subnet which does routing
NAT comes in when we go outside - usually Portforward - which is handy to
save IPs
So think of every Host not only as an Hypervisor but also as an Network Node
only downside if i move a vm from a to b ife to adjust the ips l, nat and
firewall
upside and reson for this is:
1, i can use one ext ip for several vms if they need different ports. atm i
can save over 3/4 of ext ips.
2, also i do not need to manage the firewall on every vm only on the hosts
3, Additional Security by having all Daemons whatsoever only bound to
internal Interfaces.
all daemons are bound to their internal br0 ip and i can easy access
certain ports like ssh or mysl within the vpn only without exposing
anything outside with a minimum administrative work
Who can access what is currently defined by Firewall Rules within each Host
- Here comes Firewallbuilder Handy BTW :)))
>
> You'd like to automate the creation of NAT rules? VPN creation?
well i would like to automate port based nat and firewallrules thats the
dream. VPN as described i dont really but but hey who knows if someone else
want it.
Actually i think (even im not gonna need it) would be a nice feature for
many - specielly these days
only portforwarding/and or complete nat on the host would make live easier.
however most importingly is that i get the thing running.
even it means manual config on each host
my issues with ovirt where simple that i couldn find a way to assign the
needed interfaces. so if i simply manually specify whats going on it should
be enough
btw i took a look at openqrm and they have alreaey adressed many of those
needs like puppet, dhcp , dns and nat translation over ip pools and stuff.
still my setup seems to strange for them either lol
i think (if understand the readme correctly its exactly whats extnet is
doing) the best way would be simply allow to specify custom interface names.
that way we can build custom configs on our hosts how ever strange we want
em
Since you have todo it only for each physical host its not THAT evil todo
and you can write easy scripts todo that for you.
But what would be Handy in any case - no matter which setup or regular
Ovirt setup and iam really missing is a Firewall config.
Perfect dream would be something Visual with objects like Firewall Builder
(dev stopped sadly) , i think i saw something webbased in some opensource
firewall distros too.
I mean we have to config FIrewalls for the Hosts in anycase - of course i
know this would be a monster to implement fully
just dreaming :))
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20131230/aa054d85/attachment-0001.html>
More information about the Users
mailing list