Hi Hector,

My ISP requires me to keep the DMZ on one NIC, physically separated from the other traffic.

Thanks
Steven

On 25 October 2016 at 08:14, Hector Suarez Planas <[email protected]> wrote:

> Greetings, Steven.
>
>
> Hi,
>>
>> I have been perusing various articles (including the wiki) with no luck, so I
>> am hoping the friendly Proxmox community will be able to shed some light.
>>
>> I am sure other people ran into this issue as it is the best way to
>> accomplish a secure implementation.
>>
>> The gist of the issue is how to deploy many VMs with Internet access on a
>> cluster in a secure manner when you have only x public IPs?
>>
>> The answer is to use a private LAN and an internal virtual firewall (like
>> Vyatta).
>> How exactly can this be done in Proxmox (I did it using VMware)?
>>
>> Details
>>
>> 4 servers, 2 NICs each
>>
>> eth0 physically connected to DMZ (no IP allocated as we do not want anyone
>> to access our hosts)
>>
>> eth1 - bridge (vmbr0) configured, private IP allocated and used for host
>> and storage management (192.168.192.0/24)
>>
>> Goal
>>
>> Configure a private LAN for the VMs on vmbr0 (172.31.255.0/24).
>> I am assuming this can be accomplished by using a VLAN and adding
>> something like this in /etc/network/interfaces and adding the VLAN to the
>> physical switch:
>>
>> auto vlan53
>> iface vlan53 inet manual
>>     vlan_raw_device eth1
>>
>> Configure/add a bridge (vmbr1) on eth0 that will allow external access.
>> All VMs that need external access will have their interface using vmbr1
>> and a "public" IP.
>>
>
> If your internal ethernet/bond has good bandwidth to support both
> subnets, you can do it. Two VLANs, one pointing to the storage area, the other
> pointing to the private LAN.
>
> Your VM that allocates Vyatta/VyOS must have one vNIC per VLAN: DMZ,
> storage and private LAN.
>
> --
> =====================================
> Lic. Hector Suarez Planas
> Administrador Nodo CODESA
> Santiago de Cuba
> -------------------------------------
> Blog: http://nihilanthlnxc.cubava.cu/
> ICQ ID: 681729738
> Conferendo ID: hspcuba
> =====================================
>
> _______________________________________________
> pve-user mailing list
> [email protected]
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
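
The layout discussed in this thread, written out as a host `/etc/network/interfaces` for one node. This is an added example, not configuration posted by either participant; the host address 192.168.192.11, the bridge name `vmbr53` and the `eth1.53` sub-interface naming (used here in place of the `vlan53` / `vlan_raw_device` stanza quoted above) are assumptions.

```conf
# /etc/network/interfaces (added example; addresses and vmbr53 are assumed)

auto lo
iface lo inet loopback

# eth0: cabled to the ISP DMZ segment. Neither the NIC nor its bridge
# gets an address, so the Proxmox host itself is not reachable from the DMZ.
iface eth0 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

# eth1: host and storage management network, untagged (192.168.192.0/24).
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.192.11      # assumed host address
    netmask 255.255.255.0
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0

# VLAN 53 on eth1: private VM LAN (172.31.255.0/24).
# No host address here either; only VMs and the firewall VM sit on it.
auto eth1.53
iface eth1.53 inet manual

auto vmbr53
iface vmbr53 inet manual
    bridge_ports eth1.53
    bridge_stp off
    bridge_fd 0
```

With this layout the Vyatta/VyOS VM gets one vNIC on `vmbr1` (DMZ) and one on `vmbr53` (private LAN), while the other VMs attach only to `vmbr53` and use the firewall VM as their gateway. VLAN 53 must also be allowed on the switch ports facing `eth1`, as the original post notes.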
