VMWare & IP Network Routing externally from VM

[networkengineer1970]

Hi all,

Sorry, I am bit new to VMWare, so please bear with me. I am just starting to install it, but not sure if what I am trying to do is even possible in a virtual environment.

ISSUE 1: Here's my example along with example IP numbering:

MACHINE 1 (PHYSICAL MACHINE 1)
1. VM DHCP + DNS
192.168.1.2
2. VM FW
192.168.1.1,
192.168.2.1,
192.168.3.1,
192.168.4.1,

MACHINE 2 (PHYSICAL MACHINE 2)

3. VM VPN Server
192.168.2.2
4. VM LDAP
192.168.3.1
5. VM FileServer
192.168.3.2

I have added multiport cards to facilitate the network.

My question:
Can I even get the packets to traverse OUT of the [physical] box? E.g. there will be specific rules that define access between the VPN Server and the LDAP?

In other words, an authorisation request from the VPN Server should actually go through the firewall on Machine 1. I fear that since the IP addresses are locally known to the underlying OS, i.e. the IP stack on Machine 2 knows that both 192.168.2.2 and 192.168.3.2 are on the local machine, so the packets might never traverse the network at all.

Am I right? If I can force the issue, how do I do it?




ISSUE 2:
How can I assign specific network interfaces to specific machines? E.g. if I do not want eth0 to be available at all to VM4. But eth0 to be available ONLY to VM5?
Is this possible?



Any responses would be greatly appreciated.

Kind regards.

 

[unclerico]

I fear that since the IP addresses are locally known to the underlying OS, i.e. the IP stack on Machine 2 knows that both 192.168.2.2 and 192.168.3.2 are on the local machine, so the packets might never traverse the network at all.

Switching and routing concepts don't change when you are in a virtual world. When a machine on one subnet needs to communicate with a machine on a different subnet the machine will forward the traffic to its gateway and the gateway will route the packets as per usual. Most times your VM hosts will forward the packets onto your physical network to be routed.

If you have multiple machine's that need to be on different subnets then you have two choices: 1) use VLANs and create multiple port groups, or 2) dedicate a physical interface to each virtual machine. If you have even a modest number of VM's then option 2 will not work for you as the number of physical interfaces to VM's will be 1:1. Using option 2 is what you'd use in your Issue 2 in regards to assigning a specific interface to a specific VM. Option 1 is what you'll use most any other time.

How can I assign specific network interfaces to specific machines? E.g. if I do not want eth0 to be available at all to VM4. But eth0 to be available ONLY to VM5?
Is this possible?

Yes. Create a second vSwitch and assign this interface to the vSwitch. Then create a new Port Group. When you go into your VM settings you will be able to choose the port group that you just created. My question is, do you need to physically segment this particular host, say in a DMZ or something??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[networkengineer1970]

Hello!

Thanks for the reply, I just tried it on my XP workstation. I don't see any traffic on my firewall, but the ping works successfully.

Am I missing something? I have configured the network in routing mode and not bridged.

Kind regards.

 

[networkengineer1970]

Sorry, I forgot to answer the question, yes, I need to put some hosts in the DMZ, e.g. the web server and also planning to put the VPN Server there. However, I will be using a RADIUS server with LDAP for the database for authentication which will be in a secure network.

I am just re-installing my machine again, but cannot get over what you said. Did you mean VLANs in the VM Host? Or where? I have usually created VLANs only in switches or routers, but that brings me back to the question: Will the packet even traverse out of the host machine into the VLAN. If I can get it to go that, I am done!

 

[unclerico]

When you create a Port Group you can give it a VLAN ID. Then on the physical switch be sure taht the switchport(s) is configured as a trunk. I should have asked, what version of VMWare are you running??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[networkengineer1970]

Hello!

Thanks a lot, I'll try that. I was running VMWare Server 1.08 am currently re-doing my system to upgrade to 2.0.1.

Thanks again.

Kind regards.

 

[Roadki11]

You should get the free copy of ESXi, not sure I would waste a lot of time with the VMWare Server version. ESXi is much much much better.

http://www.vmware.com/products/esxi/

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen