Paul O'Rorke
2019-Oct-23 04:43 UTC
[libvirt-users] Confused setting up a "Virtual Server Hosting" config
Hi list,

Can anyone advise me on the correct/best set up for Virtual Server Hosting?

I have a guest in my server room that I wish to migrate to a dedicated server I rented offsite in a data centre. I rented a box with one NIC and one public IP. I installed KVM on it and a guest (both Ubuntu 18.04 LTS server edition). I am struggling to get the networking right.

Essentially I want the "Virtual Server Hosting" config mentioned here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/virtualization_administration_guide/index#sub-sect-routed-mode
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/virtualization_administration_guide/index#sect-attch-nic-physdev>

I have not had any luck setting that up. It is listed in the "Routed" section but the graphic says the virtual switch should be in bridged mode.

I also tried using macvtap, and since I have only one guest I was expecting to be able to just use the host IP, but it looks like the data centre has restricted packets to the MAC address of the host NIC. When set up I can ping the public IP (it is both the host and the guest?) but not their gateway. Should a macvtap not be presenting the MAC address of the host NIC to the router and thus allowing packets from the guest?

I clearly have a lack of understanding of how this is working and how it is meant to work. When I tried the same thing on my hardware/network I can create multiple guests that all use the macvtap interface and I have no problems getting connectivity to the outside world.

Before I approach the data centre about this I want to be sure I understand what I am doing. I ultimately want to host a mail server and several different web servers as guests all behind this one host. I would alias their public IPs to the host NIC and use iptables to route traffic based on destination IP.

Does that make sense? Can anyone suggest the right way to achieve this?

Please and thanks.
Paul O'Rorke
Tracker Software Products (Canada) Limited
www.tracker-software.com
Tel: +1 (250) 324 1621
Fax: +1 (250) 324 1623
Support: http://www.tracker-software.com/support
Download latest Releases: http://www.tracker-software.com/downloads/
Laine Stump
2019-Oct-23 16:44 UTC
Re: [libvirt-users] Confused setting up a "Virtual Server Hosting" config
On 10/23/19 12:43 AM, Paul O'Rorke wrote:
> Hi list,
>
> Can anyone advise me on the correct/best set up for Virtual Server Hosting?
>
> I have a guest in my server room that I wish to migrate to a dedicated server I rented offsite in a data centre. I rented a box with one NIC and one public IP. I installed KVM on it and a guest (both Ubuntu 18.04 LTS server edition). I am struggling to get the networking right.
>
> Essentially I want the "Virtual Server Hosting" config mentioned here:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/virtualization_administration_guide/index#sub-sect-routed-mode
> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/virtualization_administration_guide/index#sect-attch-nic-physdev>
>
> I have not had any luck setting that up. It is listed in the "Routed" section but the graphic says the virtual switch should be in bridged mode.
>
> I also tried using macvtap, and since I have only one guest I was expecting to be able to just use the host IP

No, you will need one IP for the host, and one IP for the guest in either bridged mode or for macvtap.

> but it looks like the data centre has restricted packets to the MAC address of the host NIC.

Yes, there is that restriction too. Usually hosting providers will lock down the MAC addresses they allow through ports, in order to prevent hostile clients from doing MAC spoofing to capture other clients' traffic.

> When set up I can ping the public IP (it is both the host and the guest?)

No. An IP address refers to one entity. It can be the host or the guest, but not both.

> but not their gateway. Should a macvtap not be presenting the MAC address of the host NIC to the router and thus allowing packets from the guest?

No, that is not what macvtap does. It creates a virtual NIC (macvtap device) that is connected directly to the physical NIC, and traffic from that device is injected directly into the output queue of the physical device, MAC address and all.

> I clearly have a lack of understanding of how this is working and how it is meant to work. When I tried the same thing on my hardware/network I can create multiple guests that all use the macvtap interface and I have no problems getting connectivity to the outside world.

Because on your own network you have no MAC address locking on your switch port, and have multiple IP addresses available (one for each guest) from the local DHCP server.

> Before I approach the data centre about this I want to be sure I understand what I am doing. I ultimately want to host a mail server and several different web servers as guests all behind this one host. I would alias their public IPs to the host NIC and use iptables to route traffic based on destination IP.

The only reason you would want iptables to be involved is if you were limited to only 1 IP address for the host + all the guests. In that case you could use *port* forwarding to cause incoming traffic to the host on particular TCP ports to be forwarded to different guests:

https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

> Does that make sense? Can anyone suggest the right way to achieve this?

No, not really :-)

If you can only get a single IP address, then you'll need to look at the above link. If you can get the hosting provider to sell you extra IP addresses / MAC addresses (usually extra IPs cost money but MAC addresses are free, they just want to know what they are - you will need one *of each* for each guest), then you should put a bridge on your host's ethernet, and connect all the guests to that bridge, configuring each with its unique IP address / MAC address / default route info given to you by the hosting provider. You can use this as a reference to configure the host and guests:

https://wiki.libvirt.org/page/Networking#Debian.2FUbuntu_Bridging

(you could also avoid setting up the bridge and just use macvtap bridge mode as you say you've done on your own network. The only limitation of that is that it doesn't permit direct communication between the host and the guests. If that limitation is okay with you, then that's fine.)
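An added example (written for this thread, not code from libvirt or from either poster) that turns Laine's advice into a pre-flight check: before starting a guest on a MAC-locked port, confirm that every bridged interface in its domain XML carries a MAC the provider actually registered and that no two guests share one. The provider allocation and the domain XML are constructed samples; the bridge name br0 and the virtio model are assumptions.

```python
"""Pre-flight check for guests on a MAC-locked hosting port.

Example written for this thread, not part of libvirt. The provider
allocation and the domain XML below are constructed samples; the bridge
name br0 and the virtio model are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed: the (MAC, public IP) pairs the provider has registered for the
# port. One pair per guest; the host's own NIC keeps its own address.
PROVIDER_ALLOCATION = {
    "52:54:00:aa:bb:01": "203.0.113.11",  # guest "mail"
    "52:54:00:aa:bb:02": "203.0.113.12",  # guest "web1"
}
HOST_BRIDGE = "br0"  # assumed name of the bridge on the host's ethernet
ACCEPTED_TYPES = {"bridge", "direct"}  # host bridge, or macvtap ("direct")


def guest_interface_xml(mac):
    """Render the libvirt <interface> element that attaches a guest to the
    host bridge with the MAC the provider registered for it."""
    return ("<interface type='bridge'>\n"
            f"  <mac address='{mac}'/>\n"
            f"  <source bridge='{HOST_BRIDGE}'/>\n"
            "  <model type='virtio'/>\n"
            "</interface>")


def check_domain(domain_xml, allocation=PROVIDER_ALLOCATION, seen=None):
    """Return the problems found in one domain definition: interfaces not
    attached to the host's ethernet, MACs the provider's port filter will
    drop, and MACs reused by more than one guest. Pass the same 'seen' set
    for every guest on the host so duplicates across guests are caught."""
    problems = []
    seen = set() if seen is None else seen
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    for iface in root.iter("interface"):
        itype = iface.get("type")
        if itype not in ACCEPTED_TYPES:
            problems.append(f"{name}: interface type {itype!r} is not attached to the host's ethernet")
        mac_el = iface.find("mac")
        mac = (mac_el.get("address") if mac_el is not None else "").lower()
        if mac not in allocation:
            # Without a <mac>, libvirt auto-assigns a random 52:54:00:xx:xx:xx
            # address, which the provider's switch port would silently drop.
            problems.append(f"{name}: MAC {mac or '<auto-assigned>'} is not registered with the provider")
        elif mac in seen:
            problems.append(f"{name}: MAC {mac} ({allocation[mac]}) is already used by another guest")
        seen.add(mac)
    return problems


# Constructed sample domains: one correct, one with a MAC the provider never saw.
GOOD_GUEST = ("<domain type='kvm'><name>mail</name><devices>"
              + guest_interface_xml("52:54:00:aa:bb:01") + "</devices></domain>")
BAD_GUEST = ("<domain type='kvm'><name>web2</name><devices>"
             "<interface type='bridge'><mac address='52:54:00:aa:bb:99'/>"
             "<source bridge='br0'/></interface></devices></domain>")

if __name__ == "__main__":
    shared = set()
    for dom in (GOOD_GUEST, BAD_GUEST):
        print(check_domain(dom, seen=shared) or "no problems")
```

In practice feed it the output of `virsh dumpxml <guest>` for each guest and the allocation list the provider sent you, sharing one `seen` set across the loop.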
Paul O'Rorke
2019-Oct-23 17:14 UTC
Re: [libvirt-users] Confused setting up a "Virtual Server Hosting" config
Brilliant! Thanks Laine.

I really appreciate the help.

> you could also avoid setting up the bridge and just use macvtap bridge mode as you say you've done on your own network. The only limitation of that is that it doesn't permit direct communication between the host and the guests. If that limitation is okay with you, then that's fine.

How does the performance of a bridge on the host (Ubuntu bridge-utils) typically compare to a macvtap bridge? Is there an expected performance advantage of one over the other? I was hoping for better performance out of the macvtap bridge.

Time to buy some extra IPs it seems...

Most appreciated Laine.

Paul O'Rorke
Tracker Software Products (Canada) Limited
www.tracker-software.com
Tel: +1 (250) 324 1621
Fax: +1 (250) 324 1623
Support: http://www.tracker-software.com/support
Download latest Releases: http://www.tracker-software.com/downloads/