Morris, Yes, you should be able to do this without split management and signaling networks. Bear in mind that you will need some way of reaching all nodes for management access (but this could be because your PC has a connection directly onto their network, or via a "jump box"), and all nodes will need access to the public Internet to download the Clearwater software (possibly via NAT).
I think the configuration you described should work - please can you describe more about what didn't work? BTW, if you want to, you should be able to set the "public_ip" and "public_hostname" on Sprout, Homer and Ralf to match the private IP, rather than being public IPs (since you're never going to route to them from the public Internet). Please let me know. Thanks, Matt From: yan morris [mailto:[email protected]] Sent: 22 July 2016 05:45 To: Matt Williams (projectclearwater.org) <[email protected]> Subject: Re: [Project Clearwater] Configuration about Bono with two network adapters Hi , Matt Thank for your solution first. I have a further question. If I don't separate Claerwater into two network(management and siganling) Is it possible that I use 3 internet-routable IPs (for Ellis , Bono , and Homer )and 6 virtual IP for each node as private IP , and let it be reached by outside network? I had tried before , But it seems not working . I guess whether I configure something incorrecty , I changed the local_config in those 3 components like below: 192.168.44.144~192.168.44.149 are my IPs of 6 components of Clearwater.(order by Ellis , Bono , Sprout ,Homer, Homestead , Ralf ) local_ip=192.168.44.144 public_ip=<my internet_routable IP> public_hostname=<my internet_routable IP> etcd_cluster="192.168.44.144,192.168.44.145,192.168.44.146,192.168.44.147,192.168.44.148,192.168.44.149" If the concept is going to work , could you give me some tips about configuration (somewhere wrong or where need to configure)? Thank you very much! Morris 2016-07-22 0:12 GMT+08:00 Matt Williams (projectclearwater.org<http://projectclearwater.org>) <[email protected]<mailto:[email protected]>>: Morris, Yes, that's all correct - good luck! Matt From: yan morris [mailto:[email protected]<mailto:[email protected]>] Sent: 21 July 2016 17:07 To: Matt Williams (projectclearwater.org<http://projectclearwater.org>) <[email protected]<mailto:[email protected]>> Subject: Re: [Project Clearwater] Configuration about Bono with two network adapters Hi , Matt Thanks for explaining clearly. After reading the explanation , 1. I can use virtual ips(192.168.0.0/24<http://192.168.0.0/24>) in management network for public IPs and private IPs , because the management network doesn't need to be reached outside network. 2.In siganling network , I need the three IPs that can be reached by outside network for public IPs , and the private IPs can use the virtual IP. Therefore , I only need 3 internet-routable IPs , and several virtual IPs to deploy the Clearwater . Do I misunderstand anything ? I am sorry that I forget to tell you the environment. Now , I am deploying on Vmware Workstation12 But in the future , I wish I could deploy Clearwater on Openstack. Thank for your help sincerely. Morris 2016-07-21 23:39 GMT+08:00 Matt Williams (projectclearwater.org<http://projectclearwater.org>) <[email protected]<mailto:[email protected]>>: Morris, I haven't come across the term physical IP before, and I've seen virtual IP used for a number of different purposes, so just to be clear: • private IP addresses are only required to be able to route amongst themselves, not externally - for example, I might use IP addresses in the 192.168.0.0/24<http://192.168.0.0/24> range - obviously, these IP addresses are reused millions of times across the world • public IP addresses are required to be able to route externally (e.g. to/from the public Internet) - I must use IP addresses that have been globally allocated to me. To elaborate slightly further, public IP addresses only need to be routable as far as you want them to be accessible. For signaling, this probably means you need to have Internet-routable IP addresses. However, for management, you probably only want your host to be accessible within your management network, so you might be able to use non-Internet (e.g. 10.0.0.0/8<http://10.0.0.0/8>) IP addresses on these too. This means that you only need Internet-routable public IP addresses for those services that are genuinely public, i.e. Bono (for SIP), Ellis (for web provisioning) and Homer (for call service management) - although you might want to block Homer too. Does that make sense? Note that if you're trying to deploy at the smallest possible scale, we have all-in-one images (http://clearwater.readthedocs.io/en/latest/All_in_one_Images.html) which contain all components on a single VM, and so only need a single IP address. However, this is just intended for demonstration purposes - I wouldn't recommend you deploy this for any serious testing or deployment. If you'd like further advice on this, please can you clarify on which virtualization platform/environment you're trying to deploy - it will be much easier to talk about this in concrete terms, rather than in the abstract! Thanks, Matt From: yan morris [mailto:[email protected]<mailto:[email protected]>] Sent: 21 July 2016 14:46 To: Matt Williams (projectclearwater.org<http://projectclearwater.org>) <[email protected]<mailto:[email protected]>> Subject: Re: [Project Clearwater] Configuration about Bono with two network adapters Hi , Matt Thank for explaining the benefits and solutions. I have some questions about solution. In your instruction , the public IP means physical IP and the private IP means virtual IP , right? If that is , It means I need 9 public IPs and 12 private IPs to build six components ? I don't have so many physical IPs . Even I deploy Clearwater like this structure , when I want to insert new node into Clearwater , I still need a public IP and two private IPs(one for management network , the other for siganling network ) to deploy it? All I want to is that using 2 or 3 physical IPs to deploy Clearwater and let it could be reached by outside network , does it could happen ? I am little confused with the solution , if I misunderstand anything , please give me some ideas . Thank you very much for your time . Morris 2016-07-21 3:44 GMT+08:00 Matt Williams (projectclearwater.org<http://projectclearwater.org>) <[email protected]<mailto:[email protected]>>: Morris, There are two main benefits of separating management and signaling (and these are often required in production networks). • It improves security. Obviously all nodes need to be on the signaling network, but not all need to be on the (same) management network... or at least it's not necessary for traffic to be routable between two nodes on the management network. This means that if one node's security was compromised, it couldn't be used to escalate to accessing other nodes. • It prevents an overload of traffic on the signaling network from overloading the management network (meaning that an administrator can still get in to manage the system). On which virtualization platform are you installing Project Clearwater? For example, on OpenStack, we have HEAT templates (https://github.com/Metaswitch/clearwater-heat) that • install all the Project Clearwater components on separate VMs • use separate management and signaling networks • use 6 public and 6 private IPs (one per node) on the management network • use just 3 public IPs (for Bono, Ellis and Homer) and 6 private IPs on the signaling network. I hope that helps - please let me know how you get on. Thanks, Matt From: yan morris [mailto:[email protected]<mailto:[email protected]>] Sent: 20 July 2016 15:44 To: Matt Williams (projectclearwater.org<http://projectclearwater.org>) <[email protected]<mailto:[email protected]>> Subject: Re: [Project Clearwater] Configuration about Bono with two network adapters Hi , Matt Thanks for your answers. Now, I understand the "network namespace" after reading the documents . However , There are two questions I want to ask . First is what is benefits allow separation of management from signaling ? The second is , How sould I do if I install all of Clearwater components in VMs , which have Virtual IPs , and I want to let the users of outside network can access my clearwater ? I tried to use six physical IPs , but there are't more IPs for the second sprout or bono . Are there solutions can help me use only two physical IPs (for Bono and Ellis) to built the Clearwater ? Thank you very much. Morris 2016-07-20 21:14 GMT+08:00 Matt Williams (projectclearwater.org<http://projectclearwater.org>) <[email protected]<mailto:[email protected]>>: Morris, Thanks for your email! If I understand correctly, you're looking to use eth0 for management and core signaling, and eth1 for access signaling - is that right? Unfortunately, the multiple network support in Clearwater only allows separation of management from signaling, not access signaling from core signaling. Metaswitch produces a combined P-CSCF/SBC called Perimeta (http://www.metaswitch.com/perimeta-session-border-controller-sbc) that can be dropped in to replace Bono and supports this function. Regarding where eth1 has gone on your existing Bono node, Clearwater's multiple network support uses "network namespaces" - you should still be able to see eth1 if you run "ip netns exec signaling ifconfig". You can read more about these at http://www.projectclearwater.org/multiple-networks-support-part-1/, http://www.projectclearwater.org/multiple-networks-support-part-2/ and http://www.projectclearwater.org/multiple-networks-support-part-3/. I hope that helps - please let me know if you have any questions. Thanks, Matt From: Clearwater [mailto:[email protected]<mailto:[email protected]>] On Behalf Of yan morris Sent: 18 July 2016 15:02 To: [email protected]<mailto:[email protected]> Subject: [Project Clearwater] Configuration about Bono with two network adapters Hi , I am trying to use two network adapters in my Bono. One is virtual ip address (eth0), and it is used for inter-communication of Clearwater-infrastructure. The other is physical address (eth1), and it is used for getting SIP request from Internet. I configured according this document , http://clearwater.readthedocs.io/en/stable/Multiple_Network_Support.html However,when I run service clearwater-infrastructure restart , eth1 disappeared while I type ifconfig . In addition , when i tried to ping google.com<http://google.com> or any other domain name , it give a error message "network is unreachable." As expected , I cannot sign in my Clearwater.(Get message 590 port is not reachable) The command and configuration is under below Local_config: local_ip=my virtual ip public_ip=my physical ip public_hostname= my clearwater zone etcd_cluster = six components virtual ips signaling_namespace=signaling signaling_dns_server=my dns server ip management_local_ip=my virtual ip Network namespace command : ip netns add signaling ip link set eth1 netns signaling ip netns exec signaling ifconfig lo up ip netns exec signaling ifconfig eth1 <my physical ip/16> up ip netns exec signaling route add default gateway <my physical ip's gateway> dev eth1 Are there anything I forgot to configure? Or something that I did wrong. Could you give me some ideas about this situation. Thank you. Morris Yan.
_______________________________________________ Clearwater mailing list [email protected] http://lists.projectclearwater.org/mailman/listinfo/clearwater_lists.projectclearwater.org
