private ip for host-to-ve communication only [message #7443]
Fri, 13 October 2006 12:51
nikb
When I set up a VE with a private, non-routable IP address (192.168.xxx.xxx), the IP turns up on my host's external interface and is noticed by my provider.
Actually, I only need a purely private point-to-point connection between my host node and the VE, without any ARP packets or anything else escaping to the outside world...
Is this doable? Any comments would be appreciated.
Cheers!
Re: private ip for host-to-ve communication only [message #7456 is a reply to message #7454]
Fri, 13 October 2006 16:31
nikb
Hi,
thanks for the pointer to the docs, but my problem was not to get NAT working (in fact it worked excellently with very little effort) but to keep packets with a private IP as return address from going out into the internet (or at least from reaching my provider's router/gateway, which is where they get logged, and then I get a phone call).
In fact I have no idea what exactly my provider notices, but something makes him uneasy. He says that my external IF is configured with a private IP when in fact it isn't. Or shouldn't be. Could that be ARP packets?
Seemingly with venet my external interface is somehow showing up configured with the private IP (192.168.XXX.XXX) in my provider's logs.
Everything looks normal here:
hardwarenode:/home/username# ip a
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:83:41:f7:4e brd ff:ff:ff:ff:ff:ff
inet 213.XXX.XXX.hardwarenodeip/24 brd 213.XXX.XXX.255 scope global eth0
1: venet0: <BROADCAST,POINTOPOINT,NOARP,UP> mtu 1500 qdisc noqueue
link/void
and here:
hardwarenode:/home/username# ip r
192.168.0.1 dev venet0 scope link src 213.XXX.XXX.hardwarenodeip
192.168.0.0/24 dev eth0 proto kernel scope link src 213.XXX.XXX.hardwarenodeip
default via 213.XXX.XXX.gateway dev eth0
Re: private ip for host-to-ve communication only [message #7457 is a reply to message #7456]
Fri, 13 October 2006 16:55
John Kelly
nikb wrote on Fri, 13 October 2006 12:31:
    He says that my external IF is configured with a private IP when in fact it isn't. Or shouldn't be. Could that be ARP packets?
Yes, that's what OpenVZ does for you, automatically. Try "arp -an" on the HN, and you will see that your HN is publishing an ARP entry for your private IP address.
Although your provider can easily suppress routing of any private address packets, and prevent them from reaching the Internet, apparently he considers it poor management on your part, and expects you to fix it, in order to be considered a good citizen on his network.
That may seem like needless trouble from your POV, but I am impressed with a provider who is strict about keeping his local network clean. If you will reveal who the provider is, I may consider using them myself!
So it seems the challenge is to find a solution that makes your provider happy. Are you saying that packets from the VE are never routed to the outside Internet? And that *only* the HN needs to talk to the VE? If that is true, what is the purpose of the VE? IOW, what application is running on the VE, and why does the HN need to talk to it? Maybe understanding that can help us recommend a solution.
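The check John Kelly describes, written up as an added example (not code from the thread or from the OpenVZ project): a small POSIX sh audit that reads `arp -an` and `ip r` output and reports every RFC 1918 address the hardware node is either publishing as a proxy ARP entry ("PUB") on the external interface or routing on-link through it. It runs on constructed sample output so it can be tried offline; the interface name eth0, the PERM PUB line shape and the 203.0.113.x addresses standing in for the real public ones are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a hardware node (HN) for RFC 1918
# addresses that venet leaks onto the provider-facing interface, either as a
# published (proxy) ARP entry or as an on-link route. Runs on constructed
# sample output; feed it real `arp -an` / `ip r` output to audit a live HN.

EXT_IF="eth0"   # assumption: eth0 is the HN's external, provider-facing interface

# Constructed `arp -an` output. The PERM PUB line is the shape net-tools prints
# for an entry added with `arp -Ds <ip> eth0 pub`, which is how vzctl
# publishes a venet IP on the host's external interface.
SAMPLE_ARP='? (203.0.113.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.0.1) at * PERM PUB on eth0
? (192.168.0.1) at <incomplete> on venet0'

# Constructed `ip r` output mirroring the routing table posted in the thread,
# with documentation-range addresses (203.0.113.0/24) in place of the real ones.
SAMPLE_ROUTES='192.168.0.1 dev venet0 scope link src 203.0.113.10
192.168.0.0/24 dev eth0 proto kernel scope link src 203.0.113.10
default via 203.0.113.1 dev eth0'

# True if $1 is an RFC 1918 address (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Reads `arp -an` output on stdin; prints each RFC 1918 address the HN is
# publishing (proxy ARP, "PUB") on interface $1. These entries make the HN
# answer ARP queries for a private address on the external segment.
published_private_ips() {
  ext="$1"
  while IFS= read -r line; do
    case "$line" in
      *" PUB on $ext"|*" PUB on $ext "*) ;;
      *) continue ;;
    esac
    ip=${line#*\(}      # drop everything up to and including "("
    ip=${ip%%\)*}       # drop everything from ")" onwards
    if is_rfc1918 "$ip"; then printf '%s\n' "$ip"; fi
  done
  return 0
}

# Reads `ip r` output on stdin; prints each RFC 1918 destination routed out
# interface $1. An on-link private prefix on the external interface makes the
# kernel ARP for those hosts on the provider's segment rather than via venet0.
private_routes_via() {
  ext="$1"
  while IFS= read -r line; do
    case "$line" in
      *" dev $ext"|*" dev $ext "*) ;;
      *) continue ;;
    esac
    dst=${line%% *}     # first field: destination prefix or "default"
    if is_rfc1918 "${dst%%/*}"; then printf '%s\n' "$dst"; fi
  done
  return 0
}

# Stand-alone run against the constructed samples.
echo "Published private ARP entries on $EXT_IF:"
printf '%s\n' "$SAMPLE_ARP" | published_private_ips "$EXT_IF"
echo "Private prefixes routed via $EXT_IF:"
printf '%s\n' "$SAMPLE_ROUTES" | private_routes_via "$EXT_IF"
```

On a live HN, replace the two samples with `arp -an | published_private_ips eth0` and `ip r | private_routes_via eth0`. A flagged entry can be confirmed on the wire with `tcpdump -ni eth0 arp and net 192.168.0.0/16`, which is the traffic a provider's gateway would see. `arp -i eth0 -d 192.168.0.1 pub` removes the published entry, but vzctl re-creates it the next time the VE starts, which is why a venet IP cannot simply be kept off the external interface by hand; the on-link route would be dropped with `ip route del 192.168.0.0/24 dev eth0`. Whether your vzctl version offers a NEIGHBOUR_DEVS setting in /etc/vz/vz.conf to restrict which interfaces receive these proxy ARP entries is worth checking in its vz.conf documentation.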
Re: private ip for host-to-ve communication only [message #7508 is a reply to message #7482]
Mon, 16 October 2006 16:07
John Kelly
You said:
    My HN is also hosting a regular VE with a regular, routable external IP that, of course, should remain reachable from outside
And:
    I am in the process of setting up a LAMP environment on the VE, and of course it needs contact to the outside world in order to make it easier for me to set it up
Then the LAMP VE needs a routable IP, just like the other VE. Otherwise, how will you log in for management purposes from the outside? If you insist on using a private IP for the LAMP VE, then you must do a two-stage login (which will soon become tiresome and annoying), or set up some kind of tunnel.
If that is the case, consider using a veth device for the private IP, because AFAIK there is no way to prevent OpenVZ from publishing an ARP entry for the IP address of a venet interface.
I'm not sure how that will work with a veth interface, because I have not tried it. You can read about veth devices in the wiki. Please let us know how it goes.