[ovirt-users] ovirtmgmt network security
Istvan Buki
buki.istvan at gmail.com
Mon Oct 30 20:03:18 UTC 2017
On 30 Oct 2017 10:26 AM, "Luca 'remix_tj' Lorenzetto" <lorenzetto.luca at gmail.com> wrote:
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan at gmail.com> wrote:
> Hello,
>
> thank you for your patience for trying to let me see the light.
>
> Indeed I don't understand what you are explaining. Maybe if I give you more
> concrete details it will help.
>
> My internal network is 192.168.196.0
> My DMZ network is 192.168.188.0
>
> ovirt-engine is running on a centos server with IP 192.168.186.3
> ovirt host is on a centos server with IP 192.168.186.4
>
> On the host I created a VM that I want to be in the DMZ. When I created the
> VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
> In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
> 192.168.186.167.
>
> After that I added a host device to that VM using passthrough. This device
> is called ens7 in the VM and I gave IP 192.186.188.4.
> That device is directly connected to my physical DMZ switch and from there
> to the firewall.
> This part is OK.
>
> My problem is that through eth0 my VM has access to my internal network.
> Removing the device seems impossible because this is ovirtmgmt network.
> I can not change or remove the IP of my host because it would not be
> reachable anymore on my internal network.
>
> Maybe the solution is obvious but I can't see it. I'm running in circles with
> this problem and it makes me crazy.
>
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access to ovirtmgmt, remove nic1.
As far as I can understand, you're directly communicating through DMZ.
Hi Luca,
As I have only one VM in the DMZ currently I assigned the NIC directly to
the VM instead of creating a logical network to get maximum performance and
better security because only the VM can access that network interface. If
one day I have to create another VM inside DMZ I'll create a logical
network and bind the NIC to that network instead of the VM.
OK, I removed nic1 and it looks good. The only interface left is the DMZ
network and I can reach it through the firewall. :-)
Thank you so much for your help and patience.
Istvan
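As an added example (not code from this thread or from the oVirt project), a small audit helper that lists which of a VM's plugged NICs sit on the ovirtmgmt logical network, so a DMZ VM that still carries a management-network leg, as in the situation above, can be spotted before it is trusted. It parses XML in the shape the oVirt REST API returns for a VM's nics, the vnic profiles and the networks; the element names are assumed from that API and the three documents below are constructed samples.

```python
"""Audit which NICs of an oVirt VM are attached to a given logical network.

Assumed input shapes follow the oVirt REST API XML for
GET /ovirt-engine/api/vms/{id}/nics, /vnicprofiles and /networks.
The documents below are constructed samples, not captured from an engine.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a DMZ VM that still has nic1 on the ovirtmgmt profile
# plus a second NIC on a dedicated DMZ profile.
VM_NICS_XML = """<nics>
  <nic id="n1"><name>nic1</name><plugged>true</plugged>
    <vnic_profile id="p1"/></nic>
  <nic id="n2"><name>nic2</name><plugged>true</plugged>
    <vnic_profile id="p2"/></nic>
</nics>"""

VNIC_PROFILES_XML = """<vnic_profiles>
  <vnic_profile id="p1"><name>ovirtmgmt</name><network id="net-mgmt"/></vnic_profile>
  <vnic_profile id="p2"><name>dmz</name><network id="net-dmz"/></vnic_profile>
</vnic_profiles>"""

NETWORKS_XML = """<networks>
  <network id="net-mgmt"><name>ovirtmgmt</name></network>
  <network id="net-dmz"><name>dmz</name></network>
</networks>"""


def profile_to_network(profiles_xml: str, networks_xml: str) -> dict:
    """Map vnic_profile id -> logical network name."""
    net_names = {n.get("id"): n.findtext("name")
                 for n in ET.fromstring(networks_xml).findall("network")}
    return {p.get("id"): net_names.get(p.find("network").get("id"))
            for p in ET.fromstring(profiles_xml).findall("vnic_profile")}


def nics_on_network(nics_xml, profiles_xml, networks_xml, network="ovirtmgmt"):
    """Return the names of plugged NICs whose vnic profile is on `network`."""
    prof2net = profile_to_network(profiles_xml, networks_xml)
    hits = []
    for nic in ET.fromstring(nics_xml).findall("nic"):
        prof = nic.find("vnic_profile")
        if prof is None:  # a NIC without a profile is not bridged anywhere
            continue
        if nic.findtext("plugged") == "true" and prof2net.get(prof.get("id")) == network:
            hits.append(nic.findtext("name"))
    return hits


if __name__ == "__main__":
    print(nics_on_network(VM_NICS_XML, VNIC_PROFILES_XML, NETWORKS_XML))
```

A non-empty result for a VM that is meant to live only in the DMZ is the condition the thread resolved by removing nic1.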