[ale] Virtual networks

Dustin Strickland dustin.h.strickland at gmail.com
Tue May 12 14:34:55 EDT 2015


Yes, the bridges were created manually. I didn't have much luck either 
with the automagic bridges the first time I tried them out; haven't 
touched them since. The host is running Debian 7.8. I have until this 
point been using ssh from outside my LAN to connect to my host as well 
as the VMs.

In what sense do I not need a VLAN? I realize this sort of setup doesn't 
do much (or anything at all) for security from inside the host, but some 
services I prefer to keep off my LAN as well due to the presence of 
user-possessed Windows machines (conversely, some of the VMs have no 
reason to be on my LAN either). Additionally, some VMs may eventually be 
migrated to hardware or perhaps a VPS service and hosted in a separate 
location, so the VPN may have been a required step in the future to keep 
everything connected (this is all residential stuff behind NAT routers; I 
have no direct connection).

As far as group controls go, I have no need for those. At least for the 
moment, anyone who connects will need to access it all (mostly myself, 
but ~2-3 other users). If I need additional controls in the future, the 
existing machines are already in the same block so it wouldn't be too 
much of a headache to implement something like what you suggested for 
grouping... Most are Debian servers running typical things -- LDAP, 
Postfix, Dovecot, Apache, MySQL, NFS, etc. No [important] systems exist 
that run something other than some flavor of Linux. Samba can do its 
thing somewhere else :P

Admittedly, I'm coming to realize I may not know what I am doing in 
regards to this, but wouldn't having this separate network between the 
VMs allow for an easier migration to a multi-site setup like this in the 
future, and doesn't it allow for some degree of separation from my 
LAN/WAN? If not, do you have any suggestions?

On 5/12/2015 1:22 PM, DJ-Pfulio wrote:
> You don't need any VLANs at all.
>
> I've never had luck using the auto-generated bridges from libvirt - I always
> manually create it.
> Different distros do this differently - which distro are you?
>
> Vlans are just tagging - nothing to do with security. Think of it as a "this
> way" sign when there is a fork in a road.  Good, honest people will go the
> suggested way, then there are the rest of us with time to "explore" down the
> other way.
>
> OpenVPN is extremely flexible - that is a plus and a minus. Perhaps if you
> described the environment for it, someone smarter than me could help?  Things
> like how many clients, which mix of OSes, do you need samba to work across it
> (ugly and abusive to the network), how cleanly are the LAN devices to be
> provided with access grouped?  For example, I group servers that other people
> need access over VPN together so only 1 rule is needed for those.  As an admin,
> I wanted access to the entire subnet and a few other networks.  Some people
> needed access to their desktops + a few servers ... you get the idea.
>
> Manually dealing with the certs sucks.  Of course, you can pay the openvpn guys
> to make it easier.
>
> In this case, flexibility = complexity.
>
> Generally, I use ssh for remote access. It is 100x easier, provided the clients
> you need/want to use support it easily. |)
>
>
> On 05/12/2015 12:39 PM, Dustin Strickland wrote:
>> Thanks for the link, however I am already somewhat familiar with bridging
>> outside the context of virtual interfaces. I already have a bridge set up for
>> each of the physical eth controllers. Reading back over my initial post, it
>> looks like I wasn't too clear about what I was asking.
>>
>> So, the VLAN I have set up now was created through virt-manager. I would like to
>> access this from outside the host machine (and away from home), hence a VPN. From
>> what I can tell about OpenVPN, it requires a bridged interface. In order to make
>> one for the VLAN I have, I would need to define the VLAN itself in the
>> interfaces file in order to keep the bridge from trying to come up before the
>> interface it's bridging exists(I assume?) which I do not know how to do. Reading
>> about manually-created VLANs produces curious lines like "iface eth1:200 inet
>> static" which appear to be bound to a physical interface. Is this what is going
>> on, and is that necessary for an isolated network?
>>
>> On 5/12/2015 11:20 AM, DJ-Pfulio wrote:
>>> http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/what-is-a-bridge.html
>>>
>>>
>>> On 05/12/2015 09:55 AM, Dustin Strickland wrote:
>>>> My understanding of networking does not extend past physical interfaces. I
>>>> have a Wheezy VM host that runs many different services for my LAN; OS testing,
>>>> various database, LDAP, web, etc. servers. Currently all running under KVM. All
>>>> of the VMs aside from OS testing are connected to a virtual network I created
>>>> with virt-manager (0.9.1), which I have set as 172.16.0.0/12 (a little
>>>> excessive, maybe? :P). Some don't even have an upstream connection, so can only
>>>> be accessed from the host. This all works great on my LAN, but I am thinking of
>>>> adding OpenVPN on the host so I and other users can more easily access these
>>>> services from mobile devices.
>>>>
>>>> From what I read about OpenVPN's setup, it's required to bridge an
>>>> interface. I haven't looked too much in to this as it seems a little
>>>> over-my-head and I haven't had sufficient time to dedicate to the task as of
>>>> yet. Would the bridged interface be a bridge of the VLAN interface?
>>>> Additionally, if this is the case, I would need to define this bridge in
>>>> addition to the VLAN in /etc/networking/interfaces (or else the bridge that
>>>> OpenVPN is trying to attach to would be created before the interface that it's
>>>> bridging), correct? Or am I just thinking about this entirely the wrong way? Any
>>>> suggestions/explanations/this-is-an-IT-nightmare-have-you-considered-doing-it-this-way's
>>>>
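The question in the thread is how to declare the isolated network, a VLAN and a bridge in the Debian interfaces file so the bridge does not come up before its member. The stanzas below are an added example written for this thread, not Debian documentation or anything posted by the participants; they assume Debian 7 with the bridge-utils and vlan packages, and the interface names, VLAN id 200 and the 172.16.200.0/24 and 172.16.201.0/24 blocks are chosen for illustration.

```conf
# Added example (not from the thread): /etc/network/interfaces stanzas for
# Debian 7 with "bridge-utils" and "vlan" installed. Interface names, VLAN
# id 200 and the 172.16.200.0/24 and 172.16.201.0/24 blocks are assumptions.

# Isolated segment: a bridge with no physical member at all. libvirt guests
# attach their vnetN taps to it, the host answers on 172.16.200.1, and
# nothing leaves the host unless the host routes it. No VLAN is involved;
# "bridge_ports none" is all a host-only network needs.
auto br-iso
iface br-iso inet static
    address 172.16.200.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

# Only when the same segment must cross a physical link as tagged traffic:
# a sub-interface named ethX.ID with vlan-raw-device is an 802.1Q VLAN.
# "eth1:200" (colon) is merely a second address on untagged eth1, not a VLAN.
auto eth1
iface eth1 inet manual

auto eth1.200
iface eth1.200 inet manual
    vlan-raw-device eth1

# Bridge over the tagged sub-interface. It is listed after eth1.200 so
# "ifup -a" reaches it second, and the bridge-utils hook also brings its
# bridge_ports up itself. The host address belongs on the bridge, not on
# the member interface.
auto br200
iface br200 inet static
    address 172.16.201.1
    netmask 255.255.255.0
    bridge_ports eth1.200
    bridge_stp off
    bridge_fd 0

# The tag only labels frames. Which hosts a segment can reach is decided by
# the host's iptables FORWARD rules and the switch, not by the tag.
```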

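OpenVPN only needs a bridge when it runs in tap (layer 2) mode; in tun (routed) mode the host simply routes VPN clients into the VM network and its firewall decides what they reach, which is the separation the thread is after. The configuration below is an added example for this thread, not the project's or the participants' own; file paths, the 10.8.0.0/24 client pool, the tap addresses and the access policy are assumptions, while 172.16.0.0/12 is the VM network named in the thread.

```conf
# Added example (not from the thread): OpenVPN 2.x server in routed "tun"
# mode, which requires no bridge. Paths, the 10.8.0.0/24 pool and the policy
# below are assumptions; 172.16.0.0/12 is the VM network from the thread.

port 1194
proto udp
dev tun
topology subnet

# PKI generated with easy-rsa. tls-auth makes the server discard packets
# that lack the shared HMAC key before any TLS handshake is attempted.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC

# Address pool for VPN clients; each client is pushed a route to the VMs.
server 10.8.0.0 255.255.255.0
push "route 172.16.0.0 255.240.0.0"

# Traffic reaches the VMs through the host's routing table, so the host
# needs net.ipv4.ip_forward=1 and iptables FORWARD rules between tun0 and
# the VM bridge; guests need a return route to 10.8.0.0/24 via the host.
# Those FORWARD rules are where per-user or per-server access is enforced.

# Deliberately absent: "client-to-client" would switch traffic between VPN
# clients inside OpenVPN, bypassing the host firewall.

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# Bridged alternative, only if VPN clients and guests must share one L2
# segment (e.g. broadcast-based discovery): replace "dev tun" and the
# "server" line with
#   dev tap0
#   server-bridge 172.16.200.1 255.255.255.0 172.16.200.50 172.16.200.100
# and add tap0 to that bridge's bridge_ports. A bridged client then has the
# same reach as a VM on the segment, so this is the less restrictive option.
```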