Hello all,

I'm using a Debian-based system with Shorewall 4.5.5.3 and am trying to
configure a setup with multiple public KVM VMs; currently they are
"brouted".

I'm using the two-interface example config with the routeback option set in:

/etc/shorewall/interfaces

and

/etc/shorewall/routestopped

on the host.

My host "/etc/network/interfaces" is as follows:

auto eth0
iface eth0 inet static
   address (Main-Public-IP)
   netmask 255.255.255.255
   pointopoint (Gateway-IP)
   gateway (Gateway-IP)

auto vbr0
iface vbr0 inet static
        address (Main-Public-IP)
        netmask 255.255.255.255

        pre-up ovs-vsctl add-br vbr0
        pre-up ip link set up vbr0
        pre-up ovs-vsctl set-controller vbr0 ptcp:
        pre-up ovs-vsctl set bridge vbr0 stp_enable=false

        up ip route add (Another-Public-IP)/32 dev vbr0
        down ip route del (Another-Public-IP)/32 dev vbr0

        up ip route add (Yet-Another-Public-IP)/32 dev vbr0
        down ip route del (Yet-Another-Public-IP)/32 dev vbr0



The guests are using their own Shorewall instance with the
one-interface example without routestopped.

The guests "/etc/network/interfaces" are configured as follows:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address (Another-Public-IP)
        netmask 255.255.255.224
        gateway (Main-Public-IP)

OK, this seems to be working (I haven't checked into ipsec,
world-zones or bport-types...),
but what I really need is layer 2 isolation, so that all my VMs (they
don't need to "see" one another) can have the same MAC address.

This can be done using QEMU/KVM's user mode networking (slirp), but the
performance is poor.

Now to my question: can someone on this list give me a real-world
working example, or at least more information than
"this should be doable with ovs-flows or vlans"; not that I am not
willing to try using ovs-flows or vlans, but without an explicit
example, I'm bound to fail with my limited knowledge.

I've tried using ovs-vlans, but couldn't get DHCP working with dnsmasq.

I am well aware that this is not the ovs-list, but I'm not
necessarily looking for an ovs solution; maybe GRE tunnels,
point-to-point, etc.

Any experts willing to help?


Thanks and Regards,

TF