On 08/12/14 11:26, J. Roeleveld wrote:
> On Sunday, December 07, 2014 11:43:38 PM lee wrote:
>> "J. Roeleveld" <jo...@antarean.org> writes:
>>> On Thursday, December 04, 2014 07:11:12 PM lee wrote:
>>>>> Why is the networking complicated? Do you use bridging?
>>>> Yes --- and it was terrible to begin with and still is very complicated.
>>>> One of the VMs has a network card passed through to do pppoe for the
>>>> internet connection, and it also does routing and firewalling.  The
>>>> Gentoo VM is supposed to have another network card passed through
>>>> because I want a separate network for miscellaneous devices like IP
>>>> phones and printers.  Asterisk is going to run on the Gentoo VM.
>>> This sounds convoluted. Why add to the complexity by adding multiple
>>> network cards into the machine and pass the physical cards?
>> How else do you do pppoe and keep the different networks physically
>> separated?
> Networks that need to be physically separated, require either of:
> 1) separate NICs
> 2) VLANs
>
> My comment about the complexity, however, was related to passing physical
> cards to the VMs instead of adding the cards to separate bridges inside the
> host and using virtual NICs.
>
>>>> Besides devices, there's the usual net, dmz and loc zones.  To top it
>>>> off, sooner or later I want to pass another network card to the
>>>> firewall/router because I have an internet connection which is currently
>>>> not in use and should be employed as an automatic fallback.
>>> How many cards are you planning on having in the machine?
>>> Are all these connected to the same switch?
>> It has currently four network ports.  Only one of them is connected to
>> the switch.  Another one is connected to the pppoe line, and the other
>> two (on a dual card) aren't connected yet.
>>
>> I plan to use one for the devices network and the other one for the
>> second internet connection.  None of them needs to/should be connected
>> to the switch.  The VM running asterisk will need a second interface
>> that connects to a bridge so it can reach the router/firewall.  The
>> interface for the second internet connection needs to be passed to the
>> router/firewall.
>>
>> Can you think of an easier setup?
> create 1 bridge per physical network port
> add the physical ports to the respective bridges
>
> pass virtual NICs to the VMs which are part of the bridges.
>
> But it's your server, you decide on the complexity.
>
> I stopped passing physical NICs when I was encountering issues with newer 
> cards.
> They are now resolved, but passing virtual interfaces is simpler and more 
> reliable.

+1 for this
I'm sure that one of the reasons that software defined networking is
suddenly the next big buzzword is because a) the commodity hardware is
now good enough to be comparable to custom ASIC switches and b) the
amazing flexibility you have.  Ignoring the security issues of VLANs,
for a pure partitioning of the network it's very hard to beat Linux+VLAN
switch, as you can have a virtual host have just a single network card
which itself has ten VLANs connected.  With a VLAN capable switch you can
have those VLANs not just be lan/dmz/wan but can section off departments
too.  You can then incredibly easily stand up a new server for just that
department without having to be too concerned about downing the whole
server to fit a new NIC into it.

>
> --
> Joost
>
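The host-side layout Joost and the reply above describe (one bridge per network, virtual NICs handed to the VMs, and a single trunk NIC carrying several VLANs), as an added example that is not from the thread: it uses iproute2 only; the trunk name eth0, the br<VID> and tap-<vm> naming and the VLAN ids 10/20/30 are assumptions, and DRY_RUN=1 (the default here) prints the commands instead of applying them, since applying needs root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: one Linux bridge per VLAN
# on a single trunk NIC, with a tap device per VM attached to the bridge of
# the VLAN that VM belongs to.  Names (eth0, br<VID>, tap-<vm>) are assumed.
# Needs root and iproute2 when applied for real; DRY_RUN=1 only prints the plan.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_vlan_bridges TRUNK_NIC "VID VID ..."
# Creates TRUNK_NIC.VID and bridge brVID for every VLAN id, with STP off and
# no forward delay so a freshly attached VM port forwards immediately.
setup_vlan_bridges() {
    trunk=$1; vids=$2
    run ip link set dev "$trunk" up
    for vid in $vids; do
        run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
        run ip link add name "br$vid" type bridge stp_state 0 forward_delay 0
        run ip link set dev "$trunk.$vid" master "br$vid"
        run ip link set dev "$trunk.$vid" up
        run ip link set dev "br$vid" up
    done
}

# attach_vm_tap VM_NAME VID
# Creates the tap device the VM's virtual NIC uses and enslaves it to brVID.
# The VM sees an untagged segment; the host adds/strips the 802.1Q tag on
# TRUNK_NIC.VID, so the guest never handles VLAN tags itself.
attach_vm_tap() {
    vm=$1; vid=$2
    run ip tuntap add dev "tap-$vm" mode tap
    run ip link set dev "tap-$vm" master "br$vid"
    run ip link set dev "tap-$vm" up
}

# Constructed layout in the spirit of the thread: lan (10), dmz (20) and a
# devices network (30) for IP phones/printers; the router VM on the lan
# segment, the Asterisk VM on the devices segment.
DRY_RUN=${DRY_RUN:-1}   # print by default; DRY_RUN=0 applies the commands
setup_vlan_bridges eth0 "10 20 30"
attach_vm_tap router 10
attach_vm_tap asterisk 30
```

The physical ports that must stay separate (the pppoe line, the second uplink) get their own bridge the same way, just without the VLAN sub-interface step.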