Actually I do a similar thing. I use a VM as my home/office firewall. It works quite well and I would argue it is as secure as your standard firewall based on something like openWRT running on dedicated hardware. I also run a wireless AP in bridged mode to allow local network access on an appliance. There should be no reason that you could not put both on the same physical hardware. As for the openvswitch original question. Openvswitch has an API that you can access to manage your traffic along with supporting Openflow. If you can get events from your wireless interface then you could write some programs to connect to the switch API. I am not sure the overall result is worth the effort but it will teach you lots about your wifi interface and Openvswitch. On 09/24/2015 06:59 AM, Dmitry E. Mikhailov wrote:> On 09/24/2015 03:21 PM, C. L. Martinez wrote: >> Thanks Dimitry, but I use wlan0 or eth0 to connect my laptop to >> different networks. I use a vm as fw and I would like to have all vms >> and laptop behind this fw vm guest. >> >> Another option is to assign an IP to these interfaces and natting all >> to this fw vm ... but I don't like this option > > It isn't going to be safe, simple and reliable. You won't have > anything like 'NetworkManager' on the laptop host OS. It either should > be heavily scripted or not done at all. > > You could write some fancy ebtables rules to do one-to-one MAC mapping > between the fw VM interface and host interface and run DHCP client on > the fw VM. > > On the host you'd have static route to another fw VM interface. > > But I can't imagine all the hotplug event scripting. How could fw VM > find out if it's time to (re-)run DHCP client? How would you configure > WPA keys on the host. How would find out if WiFi is disconnected, > cable is connected and it's time to redo MAC mapping with another MAC > address? > > Without some real effort it's going to be fully(partly?) manual config > with wpa_supplicant, ebtables and ssh'ing to fw VM involved. I doubt I > would like to change from NetworkManager to this stuff instead. > > That's why they do https://www.anonabox.com/ > Otherwise you can get some OpenWRT on a commodity router to run some > VPN or T#r or some other funny stuff > > _______________________________________________ > CentOS-virt mailing list > CentOS-virt at centos.org > https://lists.centos.org/mailman/listinfo/centos-virt-- Alvin Starr || voice: (905)513-7688 Netvel Inc. || Cell: (416)806-0133 alvin at netvel.net ||
Dmitry E. Mikhailov
2015-Sep-24  12:08 UTC
[CentOS-virt] OT: adding a wifi adapter to openvswitch
On 09/24/2015 04:47 PM, Alvin Starr wrote:> Actually I do a similar thing.Do you?> I use a VM as my home/office firewall.If your laptop/server/smth is permanently wired to the internet, there's no problem to bridge this interface to the VM. But the topic starter wants to connect to the cable or wifi and still have a firewall VM. WiFi client connection with WPA(2) PSK encryption does allow only the station's MAC in the air. Thus topic starter needs some hotplug event scripting, wpa_supplicant being started manually, fancy ebtables rules to make it work, some way to notice the fw WM that network config changed so it would rerun dhclient. Yea, and he should have some GUI/TUI to have it managed. No NetworkManager GUI here.> > It works quite well and I would argue it is as secure as your standard > firewall based on something like openWRT running on dedicated hardware.As aforementioned, it's a bit complicated setup. And if you're thinking security-wise, imagine you need T#r or some fancy VPN to get your job done AND due to some miniscule scripting glitch a SINGLE packet would fly out of your real IP address - you're busted. To be self-assured during such an intimate workout, you'd want to have a physical cable to the physical router that's perforing the encryption job. No VPN/T#r/smth - no juice. Simple, bulletproof.> I also run a wireless AP in bridged mode to allow local network access > on an appliance.Do you connect to the AP wirelessly as the client to have a firewall VM running over that WiFi? Or have you connected the AP via cable to the server/router with fw VM to provide connectivity to other clients?> There should be no reason that you could not put both on the same > physical hardware.You could. But it's hard to use in everyday life of typical usage. If the user is a sysadm/hacker who doesn't mind issuing several commands from the console upon every succesful wifi/wired connection - then welcome!> As for the openvswitch original question. > Openvswitch has an API that you can access to manage your traffic along > with supporting Openflow. > If you can get events from your wireless interface then you could write > some programs to connect to the switch API.I do want to see a neat solution please. May be I'm just too lazy.
C. L. Martinez
2015-Sep-24  13:52 UTC
[CentOS-virt] OT: adding a wifi adapter to openvswitch
On Thu, Sep 24, 2015 at 2:08 PM, Dmitry E. Mikhailov <d.mikhailov at infocommunications.ru> wrote:> On 09/24/2015 04:47 PM, Alvin Starr wrote: >> >> Actually I do a similar thing. > > Do you? > >> I use a VM as my home/office firewall. > > If your laptop/server/smth is permanently wired to the internet, there's no > problem to bridge this interface to the VM. > > But the topic starter wants to connect to the cable or wifi and still have a > firewall VM. WiFi client connection with WPA(2) PSK encryption does allow > only the station's MAC in the air. > > Thus topic starter needs some hotplug event scripting, wpa_supplicant being > started manually, fancy ebtables rules to make it work, some way to notice > the fw WM that network config changed so it would rerun dhclient. Yea, and > he should have some GUI/TUI to have it managed. No NetworkManager GUI here. > >> >> It works quite well and I would argue it is as secure as your standard >> firewall based on something like openWRT running on dedicated hardware. > > As aforementioned, it's a bit complicated setup. And if you're thinking > security-wise, imagine you need T#r or some fancy VPN to get your job done > AND due to some miniscule scripting glitch a SINGLE packet would fly out of > your real IP address - you're busted. > > To be self-assured during such an intimate workout, you'd want to have a > physical cable to the physical router that's perforing the encryption job. > No VPN/T#r/smth - no juice. Simple, bulletproof. > >> I also run a wireless AP in bridged mode to allow local network access >> on an appliance. > > Do you connect to the AP wirelessly as the client to have a firewall VM > running over that WiFi? > > Or have you connected the AP via cable to the server/router with fw VM to > provide connectivity to other clients? > >> There should be no reason that you could not put both on the same >> physical hardware. > > You could. But it's hard to use in everyday life of typical usage. If the > user is a sysadm/hacker who doesn't mind issuing several commands from the > console upon every succesful wifi/wired connection - then welcome! > >> As for the openvswitch original question. >> Openvswitch has an API that you can access to manage your traffic along >> with supporting Openflow. >> If you can get events from your wireless interface then you could write >> some programs to connect to the switch API. > > I do want to see a neat solution please. May be I'm just too lazy. >Thank you both for your help, I have done another test. I have setup another laptop with windows 2012 R2 Hyper-V and I have bridged wireless interface and assigned this bridge to a vm guest, and voila!! works without problem. Using some powershell scripts, I can change between SSID's without problems. Easy, really easy. And I don't need to use WDS features, I don't understand why it doesn't works with CentOS using the same approach. I am trying using brctl commands, but it doesn't works also because wlan0 can't authenticate with AP ...
Dmitry E. Mikhailov
2015-Sep-24  15:46 UTC
[CentOS-virt] OT: adding a wifi adapter to openvswitch
On 09/24/2015 08:31 PM, C. L. Martinez wrote:> Simple, Windows 2012 creates a virtual bridge with the same MAC > address as wlan has.Ok. Windows does just the same. Thanks for the ARP table. [For ML readers - it was sent directly]. Now we know what the money are paid for :)> But, I think it could not be possible to bridge > wlan interfaces with brctl or openvswitch according what I am. seeing > and readingQuite possible with the invalulable help of Nux: Parprouted + NetworkManager scripting should do the trick.> Ok, I will try a different approach. I can see two possible solutions: > > a) Pass wlan via PCI-Passthrough to fw vmWould work even better but I don't think the laptop would suspend.> b) Using iptables+iproute2 rules in laptop and redirect/nat all > traffic from/to fw vm. > > > I will try b) option first. I know what type of iptables I need to use > and what type of config I need to do to iproute2 works as I need. > > But I see one problem: I need to redirect ALL traffic from outside to > inside: ip, ipv6, tcp, tcp6, igmp, etc ... and I don't know what type > of iptables I need to configure. > > Any tip??Try the aforementioned unnumbered option first. Can't say anything about IPv6 - sadly not proficient. For IPv4 you won't need iptables, only iproute: 1)save and delete the current wireless default gateway IP 2)create a source-based policy routing rule so traffic from the fw VM IP address would have the earlier saved IP as a gateway IP 3)set the default gateway IP to the another interface's (it's a requirement) IP address of a fw VM.