Christ Schlacta
2011-Dec-26 08:44 UTC
Virtual Router, Commentary/Suggestions/Peer Review/Advice?
So, I'm looking to set up a virtual router on my VLAN-enabled network. I've got the modem on VLAN 5, the LAN on VLAN 10, and a guest VLAN on VLAN 20. I'm sufficiently certain that, barring the addition of the necessary Shorewall rules to accommodate a virtual router, my VM host is sufficiently secure for hosting the border router as a virtual machine.

My basic plan is to connect the VM host such that the single Ethernet port is connected to a switched port with tagged VLANs 5, 10, and 20, exactly like the router is now, and to create two additional bridges, bridging VLANs 5 and 20 exclusively to the router; VLAN 10 will remain connected as is (right now the VM host and all VMs are simply bridged / connected directly to VLAN 10). The virtual router will of course contain an interface on the main LAN (VLAN 10).

Are there any major security implications, iptables, Shorewall or Linux networking limitations, or any other issues I may have overlooked that you're aware of, either in practice or theory? I'm using Ubuntu's kvm-qemu to run most of my machines, including the virtual router.

------------------------------------------------------------------------------
Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev
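As an added worked example (not part of the original post), here is what the host-side layout described above looks like in Debian/Ubuntu ifupdown syntax, using the vlan and bridge-utils packages. The interface names (eth0, eth0.5, eth0.10, eth0.20, br5, br10, br20) and the 192.168.10.0/24 management address are assumptions. The security-relevant property is that the host has no IP address on the modem and guest bridges, so the only thing on those VLANs that can be reached from the modem or from guests is the router VM's own interface.

```text
# /etc/network/interfaces on the KVM host (assumed names; example only)

# Physical port: trunk carrying tagged VLANs 5, 10 and 20. No address here.
auto eth0
iface eth0 inet manual
    up ip link set $IFACE up

# VLAN 5 (modem): bridged to the router VM only. The host gets no address,
# so nothing on the modem side can talk to the host's own IP stack.
auto eth0.5
iface eth0.5 inet manual
    vlan-raw-device eth0

auto br5
iface br5 inet manual
    bridge_ports eth0.5
    bridge_stp off
    bridge_fd 0

# VLAN 20 (guest): same treatment, host stays invisible to guests.
auto eth0.20
iface eth0.20 inet manual
    vlan-raw-device eth0

auto br20
iface br20 inet manual
    bridge_ports eth0.20
    bridge_stp off
    bridge_fd 0

# VLAN 10 (main LAN): host management address lives here, as it does today.
# The router VM's LAN-side interface also attaches to br10.
auto eth0.10
iface eth0.10 inet manual
    vlan-raw-device eth0

auto br10
iface br10 inet static
    bridge_ports eth0.10
    bridge_stp off
    bridge_fd 0
    address 192.168.10.2         # assumed host management address
    netmask 255.255.255.0
    gateway 192.168.10.1         # assumed LAN-side address of the router VM
```

Each of the router VM's three NICs is then attached to one bridge (in libvirt terms an `<interface type='bridge'>` with `<source bridge='br5'/>`, `br10` or `br20`). Two checks worth making once it is up: `brctl show` should list exactly one VLAN sub-interface plus the router's tap device on br5 and br20, and `sysctl net.bridge.bridge-nf-call-iptables` should be considered deliberately. When it is 1 (the default once the bridge module is loaded), frames bridged between eth0.5 and the router's tap device are also run through the host's own iptables FORWARD chain, so a host-side Shorewall policy that drops forwarded traffic will silently break the bridged path, and a permissive one will not add any protection the router VM does not already provide.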
Simon Hobson
2011-Dec-26 09:37 UTC
Re: Virtual Router, Commentary/Suggestions/Peer Review/Advice?
Christ Schlacta wrote:
> So, I'm looking to set up a virtual router on my VLAN-enabled network.
> I've got the modem on VLAN 5, the LAN on VLAN 10, and a guest VLAN on
> VLAN 20. I'm sufficiently certain that, barring the addition of the
> necessary Shorewall rules to accommodate a virtual router, my VM host is
> sufficiently secure for hosting the border router as a virtual machine.

Done something similar myself. Obviously there is no guarantee that someone won't find a hole (bug) somewhere and exploit it. But then that also applies to dedicated hardware routers as well.

Other than that, it's a case of making sure that your policies and rules adequately lock down the network (particularly guest). I did set one up with 32 "client" VLANs for a business centre. The list of rules and policies grew quite quickly as I wanted to hide the other guests completely, so you have to block access from client networks to the router addresses on other networks, while still allowing access to the client's interface. E.g., a client on VLAN 20 needs to be able to connect to the router port on VLAN 20 for ping, DNS, DHCP, and so on, but shouldn't be able to see that there's anything on VLANs 21, 22, and so on.

It's not hard: make the policy DROP, and allow the access you want. It just makes for a long and repetitive rule list.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
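The pattern Simon describes, written out as an added Shorewall 4.x example for the three-VLAN case in the original question (this is illustrative configuration, not Simon's business-centre rule set). The router VM's interface names eth0/eth1/eth2 and the addresses 192.168.10.1 (LAN side) and 192.168.20.1 (guest side) are assumptions. The key line is the `$FW:192.168.20.1` destination: guests may reach the router only on the address that faces them, so a packet from the guest VLAN addressed to the LAN-side 192.168.10.1 (or to any other VLAN's router address) falls through to the DROP policy even though it is the same box.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
guest   ipv4

# /etc/shorewall/interfaces  (interface names are assumptions for the router VM)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,nosmurfs,routefilter,tcpflags
loc     eth1        detect      dhcp,tcpflags
guest   eth2        detect      dhcp,routefilter,tcpflags

# /etc/shorewall/policy  (first match wins; default is deny, allows are explicit)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     fw      ACCEPT
guest   net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
guest   all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION         SOURCE  DEST                 PROTO   DEST PORT(S)
# Guests may use the router only via the router's guest-side address.
DNS(ACCEPT)     guest   $FW:192.168.20.1
Ping(ACCEPT)    guest   $FW:192.168.20.1
# DHCP for guests is allowed by the "dhcp" option on eth2 in the interfaces
# file; no rule is needed here.
# Anything else from guest to the firewall, including traffic aimed at the
# LAN-side address 192.168.10.1, hits the guest->all DROP policy above.
# Guest to loc is also covered by that DROP, so guests never see the LAN.
```

With more client VLANs, each one gets its own zone and its own pair of `DNS(ACCEPT)` and `Ping(ACCEPT)` lines pointing at that zone's router address, which is the "long and repetitive" list Simon mentions. Two checks: `shorewall check` validates the files before a restart, and from a guest host, `ping 192.168.20.1` should answer while `ping 192.168.10.1` should time out; if the second one answers, a rule or policy is accepting `guest` to `$FW` without the address qualifier.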