Shorewall users - Jun 2013 - layer2 isolation

Hello all,

I''m using a Debian based system with Shorewall 4.5.5.3 and am trying to
configure a setup with multiple public KVM-VMs; currently they are
"brouted".

I''m using the two-interface example config with the routeback option
set in:

/etc/shorewall/interfaces

and

/etc/shorewall/routestopped

on the host.

My host "/etc/network/interfaces" is as follows:

auto eth0
iface eth0 inet static
   address (Main-Public-IP)
   netmask 255.255.255.255
   pointopoint (Gateway-IP)
   gateway (Gateway-IP)

auto vbr0
iface vbr0 inet static
        address (Main-Public-IP)
        netmask 255.255.255.255

        pre-up ovs-vsctl add-br vbr0
        pre-up ip link set up vbr0
        pre-up ovs-vsctl set-controller vbr0 ptcp:
        pre-up ovs-vsctl set bridge vbr0 stp_enable=false

        up ip route add (Another-Public-IP)/32 dev vbr0
        down ip route del (Another-Public-IP)/32 dev vbr0

        up ip route add (Yet-Another-Public-IP)/32 dev vbr0
        down ip route del (Yet-Another-Public-IP)/32 dev vbr0



The guests are using their own Shorewall instance with the
one-interface example without routestopped.

The guests "/etc/network/interfaces" are configured as follows:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address (Another-Public-IP)
        netmask 255.255.255.224
        gateway (Main-Public-IP)

Ok, this seems to be working (I haven''t checked into ipsec,
world-zones or bport-types...),
but what I really need, is layer2 isolation, so that all my VMs (they
don''t need to "see" one another) can have the same
mac-address.

This can be done using QEMU/KVMs user mode networking (slirp) but the
performance is poor.

Now to my question, can someone on this list give me a real world
working example, or at least more information, then
"this should be doable with ovs-flows or vlans"; not that I am not
willing to try using ovs-flows, or vlans, but without an explicit
example, I''m bound to fail with my limited knowledge.

I''ve tried using ovs-vlans, but couldn''t get dhcp working with
dnsmasq.

I am well aware, that this is not the ovs-list, but I''m not
necessarily looking for an ovs solution; maybe GRE-tunnels,
point-to-point, etc.

Any experts willing to help?


Thanks and Regards,

TF


------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev