On 12/14/14 13:04 , G B via smartos-discuss wrote:
> "nics": [ { "index": 0, "nic_tag": "admin", "model": "virtio",
> "allow_ip_spoofing": "1", "primary": "1" }, { "index": 1, "nic_tag":
> "wan", "model": "virtio", "allow_ip_spoofing": "1" }, { "index": 2,
> "nic_tag": "dmz", "model": "virtio", "allow_ip_spoofing": "1" } ]}
>
> I have a few questions about using a KVM Zone for a firewall with either
> OpenBSD or NetBSD to replace my physical firewall.
There's also the option of using a host based firewall for what it's
worth. ipf can firewall both KVM and native zones.
> 1) If I use the three nic tags above, do I need to list a netmask, gateway,
> and ip for each tag or leave it like above?
nic tags don't have anything like a network, gateway, or ip. They just
define a network over an interface identified by its mac address.
Information like what you described is required if you want to create
VNICs on a nic tag. For easy management of nic tags, use nictagadm(1M).
> 2) I need 3 interfaces for WAN, LAN, and DMZ. If I have the above, could I
> just use the admin for the LAN?
There's nothing intrinsic to the admin network that says you can or
cannot. That depends on how you're using the networks.
> 3) What is the difference between the e1000 and virtio model for a nic?
They are different forms of virtualizing a device driver. The e1000
option does full virtualization and emulation of a stock instance of an
Intel e1000g card. The virtio model is a paravirtualized interface. It
requires a specific driver for it, as opposed to e1000 which does not
and uses the same driver as a normal Intel card. However,
paravirtualized drivers generally will lead to enhanced performance
because they take advantage of knowing that they're in a VM and the
effects that certain I/O operations need to be supplied.
> 4) I'd need to assign a specific nic (e.g., external WAN) for the firewall,
> so do I add that to the /usbkey/config file with a tag like WAN (i.e., index
> 1 above) along with the MAC of the device?
Why do you need to specify a specific nic? You just specify a nic tag
that indicates over which physical device the vnic should be created. If
you need to specify a mac address for that vnic, you can declare it in
the VM's json file.
Robert
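To make the answers above concrete, here is an added example of the two steps they describe, written for this reply and not taken from the original thread or from the SmartOS project: first the nic tags bind a name to a physical NIC by MAC with nictagadm(1M) and carry no address information, then the per-VNIC details (ip, netmask, gateway, an optional fixed mac) go into the VM's JSON manifest under "nics". Everything concrete in it is an assumption: the two physical MACs, the 192.0.2.0/24, 10.0.0.0/24 and 10.1.0.0/24 networks, the locally administered MAC on the WAN VNIC, and the alias "fw0". The manifest is trimmed to the nic-related keys, so a real one still needs the disk and image settings for the guest OS. It uses JSON booleans where the original post used the string "1". The "check" mode only inspects the generated manifest and runs anywhere; "apply" runs nictagadm and vmadm and is meant for the global zone.

```shell
#!/bin/sh
# Added example (not from the thread): three nic tags plus a KVM firewall
# manifest on a SmartOS global zone. All MACs and addresses are constructed.
WAN_MAC="00:0c:29:aa:bb:01"   # assumed MAC of the physical NIC facing the ISP
DMZ_MAC="00:0c:29:aa:bb:02"   # assumed MAC of the physical NIC facing the DMZ switch
# "admin" already exists: it is created from /usbkey/config at boot.

# Step 1: a nic tag is just name -> physical NIC (by MAC). No ip, netmask or
# gateway belongs here; those are VNIC properties and live in the manifest.
apply_nic_tags() {
    nictagadm add wan "$WAN_MAC"
    nictagadm add dmz "$DMZ_MAC"
    nictagadm list
}

# Step 2: one object per VNIC. allow_ip_spoofing is required on every
# interface of a router/firewall guest: without it the VNIC's anti-spoof
# protection drops forwarded packets whose source IP is not the VNIC's own.
# "mac" pins the WAN VNIC to a fixed address (e.g. for an ISP that filters
# on MAC); the other VNICs get generated MACs. Disk/image keys omitted.
make_manifest() {
    cat <<'EOF'
{
  "brand": "kvm",
  "alias": "fw0",
  "vcpus": 1,
  "ram": 1024,
  "nics": [
    { "nic_tag": "admin", "model": "virtio", "primary": true,
      "ip": "10.0.0.1", "netmask": "255.255.255.0", "allow_ip_spoofing": true },
    { "nic_tag": "wan", "model": "virtio", "mac": "02:08:20:aa:bb:01",
      "ip": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "192.0.2.1",
      "allow_ip_spoofing": true },
    { "nic_tag": "dmz", "model": "virtio",
      "ip": "10.1.0.1", "netmask": "255.255.255.0", "allow_ip_spoofing": true }
  ]
}
EOF
}

# Sanity checks before handing the manifest to vmadm: exactly one primary
# VNIC, and every nic_tag in the manifest must exist on the host.
count_primary() { make_manifest | grep -c '"primary": true'; }
count_nics()    { make_manifest | grep -c '"nic_tag"'; }
manifest_tags() { make_manifest | sed -n 's/.*"nic_tag": "\([a-z0-9_]*\)".*/\1/p'; }

case "${1:-check}" in
  apply)
    apply_nic_tags
    make_manifest > /tmp/fw0.json
    for t in $(manifest_tags); do
        nictagadm exists "$t" || { echo "nic tag $t missing"; exit 1; }
    done
    vmadm validate create -f /tmp/fw0.json && vmadm create -f /tmp/fw0.json
    ;;
  check)
    [ "$(count_primary)" -eq 1 ] || { echo "exactly one primary nic required"; exit 1; }
    echo "nic tags referenced: $(manifest_tags | tr '\n' ' ')"
    ;;
esac
```

Run it with no argument to print the tags the manifest references and confirm there is a single primary VNIC; run `./fw0.sh apply` in the global zone to create the tags and the VM. The e1000/virtio choice from question 3 is the "model" key: "virtio" needs the guest's virtio driver (present in OpenBSD and NetBSD), "e1000" works with the stock Intel driver at lower throughput.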
-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now