[ale] Virtual networks

DJ-Pfulio DJPfulio at jdpfu.com
Tue May 12 15:01:23 EDT 2015


Network separation is smart. That may or may not use VLANs.

Most cheap home networking gear doesn't support VLANs anyway.  A $20 GigE switch
on a different network provides better network segmentation than VLANs can. Just
need more cables and NIC ports, then set up the router with different subnets on
each port. Easy-peasy.

If you have a $100+ managed switch and want to run with VLANs, fine. They are
NOT necessary, however.

That is all I'm saying.

Most end-users just want files accessible when remote. sftp handles that. Show
them WinSCP if they use _that other OS_.


On 05/12/2015 02:34 PM, Dustin Strickland wrote:
> Yes, the bridges were created manually. I didn't have much luck either with the
> automagic bridges the first time I tried them out; haven't touched them since.
> The host is running Debian 7.8. I have until this point been using ssh from
> outside my LAN to connect to my host as well as the VMs.
> 
> In what sense do I not need a VLAN? I realize this sort of setup doesn't do
> much (or anything at all) for security from inside the host, but some services I
> prefer to keep off my LAN as well due to the presence of user-possessed Windows
> machines (conversely, some of the VMs have no reason to be on my LAN either).
> Additionally, some VMs may eventually be migrated to hardware or perhaps a VPS
> service and hosted in a separate location, so the VPN may have been a required
> step in the future to keep everything connected (this is all residential stuff
> behind NAT routers, I have no direct connection).
> 
> So far as group controls, I have no need for those. At least for the moment,
> anyone who connects will need to access it all(mostly myself, but ~2-3 other
> users). If I need additional controls in the future, the existing machines are
> already in the same block so it wouldn't be too much of a headache to implement
> something like what you suggested for grouping... Most are Debian servers
> running typical things -- LDAP, Postfix, Dovecot, Apache, MySQL, NFS, etc. No
> [important] systems exist that run something other than some flavor of Linux.
> Samba can do its thing somewhere else :P
> 
> Admittedly, I'm coming to realize I may not know what I am doing in regards to
> this, but wouldn't having this separate network between the VMs allow for an
> easier migration to a multi-site setup like this in the future, and doesn't it
> allow for some degree of separation from my LAN/WAN? If not, do you have any
> suggestions?
> 
> On 5/12/2015 1:22 PM, DJ-Pfulio wrote:
>> You don't need any VLANs at all.
>>
>> I've never had luck using the auto-generated bridges from libvirt - I always
>> manually create it.
>> Different distros do this differently - which distro are you?
>>
>> VLANs are just tagging - nothing to do with security. Think of it as a "this
>> way" sign when there is a fork in a road.  Good, honest people will go the
>> suggested way, then there are the rest of us with time to "explore" down the
>> other way.
>>
>> OpenVPN is extremely flexible - that is a plus and a minus. Perhaps if you
>> described the environment for it, someone smarter than me could help?  Things
>> like how many clients, which mix of OSes, do you need samba to work across it
>> (ugly and abusive to the network), how cleanly are the LAN devices to be
>> provided with access grouped?  For example, I group servers that other people
>> need access over VPN together so only 1 rule is needed for those.  As an admin,
>> I wanted access to the entire subnet and a few other networks.  Some people
>> needed access to their desktops + a few servers ... you get the idea.
>>
>> Manually dealing with the certs sucks.  Of course, you can pay the openvpn guys
>> to make it easier.
>>
>> In this case, flexibility = complexity.
>>
>> Generally, I use ssh for remote access. It is 100x easier, provided the clients
>> you need/want to use support it easily. |)
>>
>>
>> On 05/12/2015 12:39 PM, Dustin Strickland wrote:
>>> Thanks for the link, however I am already somewhat familiar with bridging
>>> outside the context of virtual interfaces. I already have a bridge set up for
>>> each of the physical eth controllers. Reading back over my initial post, it
>>> looks like I wasn't too clear about what I was asking.
>>>
>>> So, the VLAN I have set up now was created through virt-manager. I would like to
>>> access this from outside the host machine (and away from home), hence a VPN. From
>>> what I can tell about OpenVPN, it requires a bridged interface. In order to make
>>> one for the VLAN I have, I would need to define the VLAN itself in the
>>> interfaces file in order to keep the bridge from trying to come up before the
>>> interface it's bridging exists (I assume?) which I do not know how to do. Reading
>>> about manually-created VLANs produces curious lines like "iface eth1:200 inet
>>> static" which appear to be bound to a physical interface. Is this what is going
>>> on, and is that necessary for an isolated network?
>>>
>>> On 5/12/2015 11:20 AM, DJ-Pfulio wrote:
>>>> http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/what-is-a-bridge.html
>>>>
>>>>
>>>> On 05/12/2015 09:55 AM, Dustin Strickland wrote:
>>>>> My understanding of networking does not extend past physical interfaces. I
>>>>> have a Wheezy VM host that runs many different services for my LAN; OS testing,
>>>>> various database, LDAP, web, etc. servers. Currently all running under KVM. All
>>>>> of the VMs aside from OS testing are connected to a virtual network I created
>>>>> with virt-manager (0.9.1), which I have set as 172.16.0.0/12 (a little
>>>>> excessive, maybe? :P). Some don't even have an upstream connection, so can only
>>>>> be accessed from the host. This all works great on my LAN, but I am thinking of
>>>>> adding OpenVPN on the host so I and other users can more easily access these
>>>>> services from mobile devices.
>>>>>
>>>>> From what I read about OpenVPN's setup, it's required to bridge an
>>>>> interface. I haven't looked too much in to this as it seems a little
>>>>> over-my-head and I haven't had sufficient time to dedicate to the task as of
>>>>> yet. Would the bridged interface be a bridge of the VLAN interface?
>>>>> Additionally, if this is the case, I would need to define this bridge in
>>>>> addition to the VLAN in /etc/networking/interfaces (or else the bridge that
>>>>> OpenVPN is trying to attach to would be created before the interface that it's
>>>>> bridging), correct? Or am I just thinking about this entirely the wrong way? Any
>>>>> suggestions/explanations/this-is-an-IT-nightmare-have-you-considered-doing-it-this-way's
>>>>>
>>>>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
> 


-- 
Got Linux? Used on smartphones, tablets, desktop computers, media centers, and
servers by kids, Moms, Dads, grandparents and IT professionals.
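The thread asks how a VLAN interface and the bridge on top of it are declared in the Debian interfaces file so the bridge does not come up before its member exists. The stanza below is an added example for readers of the archive, not configuration posted by anyone in the thread. It assumes Debian 7 with the vlan and bridge-utils packages installed; the NIC name eth1, the VLAN id 200, the bridge name br200 and the 172.16.200.0/24 subnet are placeholders. It also shows, for contrast, the difference between the "eth1:200" alias form that came up in the thread and an 802.1Q subinterface.

```text
# /etc/network/interfaces (added example; eth1, VLAN 200, br200 and
# 172.16.200.0/24 are placeholders chosen for illustration)

# For contrast only: an alias such as "iface eth1:200 inet static" is just a
# second IP address on eth1. Its frames leave the NIC untagged on the same
# wire as everything else, so it provides no separation.

# 802.1Q subinterface: frames sent through eth1.200 leave eth1 tagged with
# VLAN id 200. "inet manual" because the bridge, not the port, carries the IP.
auto eth1.200
iface eth1.200 inet manual
    vlan-raw-device eth1

# Bridge that the VM NICs (and later an OpenVPN tap device) attach to.
# Listing eth1.200 in bridge_ports makes ifupdown bring the port up as part
# of bringing up the bridge, so the ordering problem does not arise.
auto br200
iface br200 inet static
    bridge_ports eth1.200
    bridge_stp off
    bridge_fd 0
    address 172.16.200.1
    netmask 255.255.255.0
```

Two caveats a practitioner would check before relying on this for separation. First, the tag only means something if the switch on the other end of eth1 is a managed one configured to honor it; an unmanaged switch, as the reply above notes, treats the tag as nothing more than a label. Second, the VLAN is only "isolated" to the extent that the host does not forward between br200 and its other bridges, so the host's own forwarding and firewall rules, not the tag, are what keep the VMs off the LAN.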

