OpenVZ Forum: Support » Setup for private subnets/internal LANs

Home » General » Support » Setup for private subnets/internal LANs (Request to verify that setup for private subnets is sane, secure and will perform adequately)

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: Setup for private subnets/internal LANs [message #51418 is a reply to message #51415]

Fri, 23 May 2014 09:51

jetlee
Messages: 1
Registered: May 2014
Location: South Africa

Junior Member

Id like to piggy back on this question, as I am currently trying to do exactly the same thing, and I think a thread (that is actually resolved) might be a good place to keep a simple discussion on the matter.

Some of my machines on the same network are windows based, and will access the containers, and here is a summary of what I tried / investigated, and some of the things I discovered.

Physical network isolation is very difficult / not very well documented in Openvz
In other virtual machine / hyperviser or similar software has a mechanism for virtual switches or similar allowing your network to behave as if it physically connected to a different switch. I cannot find a way to reliably do this in openvz. My next attempt at this will be to create multiple bridges, and try to use iptables to deny traffic across bridges, and am not sure how this may work, as I dont fully understand the v-nic traversal path with veth networking.

Broadcast protocols require Veth
There are some things than can be used, but most documentation seems to ignore veth (by other vendors) when searching on OpenVZ topics. When using something like samba or dhcp, veth is required.

VLANs dont solve all problems
I tried implementing VLANs, which worked brilliantly in Linux, but some of the network cards / drivers in windows did not support VLAN's, so the traffic from those machines could not see VLAN machines.

IP Subnets dont solve all isolation problems
IP Subnets were my last attempt at this separation. As per the previous diagram, IP subnet separation only works, if a host inside your network is not compromised. Having 2 ranges (192.168.0.0 and 192.168.1.0) does not preotect against an intruder gaining access to one network, and changing the mask to 255.255.0.0) and immediately allowing access to both subnets.

I hope that there is something obvious I have missed, and I hope my previous attempts, will assist somene else in making decisions around structures / designs similar to the one posted.

Justin

Report message to a moderator

[Message index]

		Setup for private subnets/internal LANs By: jstuyts on Wed, 21 May 2014 11:20
		Re: Setup for private subnets/internal LANs By: jetlee on Fri, 23 May 2014 09:51
		Re: Setup for private subnets/internal LANs By: jstuyts on Fri, 23 May 2014 16:45

Previous Topic:	Ubuntu 12.04 with NON VZ Kernel?
Next Topic:	vzctl created a bunch of snapshots by itself

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Sat Aug 16 16:19:30 GMT 2025

Total time taken to generate the page: 0.25608 seconds