I really do not want to put the firewall in front of anything. I just want to have my management server protected by the firewall (only allow incoming traffic from specific static IPs to the management server). Otherwise I want Cloudstack to handle all of the networking.
My ISP has provided a cross connect with a /30 for me. 65.1.1.2 is the IP I have assigned to my external firewall and 65.1.1.1 is the gateway IP I have configured for that specific external interface. He is advertising 216.1.1.1/27 and 217.1.1.1/29 for me through that gateway/cross connect. Do I just need to configure static routes on the firewall to allow this traffic to pass through directly to CloudStack?

All of the network diagrams that I see for the advanced networking configuration have a firewall between the internal switches and the internet. So something I am missing is needing to be configured to allow the IPs through the firewall. I have a firewall and two layer 3 switches. Do I need to configure one of the layer 3 switches in front of the firewall and pass the management network through the firewall, configure the public IP ranges on the layer 3 switch and pass that directly to CloudStack on a separate network interface?

Thanks,

Fred

On Thu, Apr 3, 2014 at 4:09 PM, Xerex Bueno <xbu...@lpsintegration.com> wrote:

> So you will not be able to NAT the public IPs to the vRouter. If you do
> NAT them it will become a mess for management, not to mention you reduce
> the effectiveness of CloudStack as a cloud management tool. You need to
> expose that block to your WAN switch, which the public interface will
> need to connect to. If you really wanted to put a firewall in front you
> would need to place it in transparent mode, which would allow you to create
> policies to control traffic.
>
> On 4/3/14, 1:59 PM, "Fred Newtz" <fbne...@gmail.com> wrote:
>
> > Public IP addresses confuse me the most in a CloudStack install. I have a
> > firewall that is hosting all of my public IP addresses now. The management
> > server is supposed to sit behind a NAT device to protect it from attack.
> > How am I supposed to assign public IP addresses to virtual machines
> > (virtual routers) inside of the NAT device? I have not seen any clear
> > documentation on how this is supposed to be configured to make everything
> > work correctly. Where do I assign my IP addresses and how do I get them
> > through the firewall correctly?
> >
> > I just purchased a Juniper SRX100 device (will be a small deployment).
> > Will installing this help manage the public IP situation easier (and even
> > automatic)? If anyone has any suggestions on what I should search for to
> > solve this issue that would be great. Explaining would be even better.
> >
> > Thanks,
> >
> > Fred

--
Zobotek, LLC
7941 Katy Freeway #256
Houston, TX 77024
281-216-0488 - Main Number
http://www.zobotek.com
http://www.stonemountainhosting.com
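The design Xerex describes and Fred's /30 question, modelled as an added example (not code from the thread or from CloudStack): the firewall routes the advertised public blocks toward the CloudStack side unchanged, and only the management server gets a source-IP filter. The management server address, admin source IPs and inside next hop are assumed placeholders; the /30 and public blocks are the ones Fred gave.

```python
import ipaddress

# Addresses as given in the thread (documentation-style example values)
CROSS_CONNECT = ipaddress.ip_network("65.1.1.0/30")
FIREWALL_EXT_IP = ipaddress.ip_address("65.1.1.2")
ISP_GATEWAY = ipaddress.ip_address("65.1.1.1")
PUBLIC_BLOCKS = [
    ipaddress.ip_network("216.1.1.1/27", strict=False),  # -> 216.1.1.0/27
    ipaddress.ip_network("217.1.1.1/29", strict=False),  # -> 217.1.1.0/29
]

# Assumed placeholders, not from the thread
MGMT_SERVER = ipaddress.ip_address("10.0.0.10")
ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.5/32")]


def check_cross_connect():
    """Both ends of the /30 must sit inside it, or the default route via the ISP gateway cannot resolve."""
    return (FIREWALL_EXT_IP in CROSS_CONNECT
            and ISP_GATEWAY in CROSS_CONNECT
            and FIREWALL_EXT_IP != ISP_GATEWAY)


def static_routes(inside_next_hop):
    """Routes the firewall needs: default toward the ISP, each advertised
    public block toward the inside (CloudStack public VLAN) next hop."""
    routes = [("0.0.0.0/0", str(ISP_GATEWAY))]
    routes += [(str(block), inside_next_hop) for block in PUBLIC_BLOCKS]
    return routes


def decide(src, dst):
    """Forwarding policy for one packet: the management server is reachable
    only from admin sources; public blocks are routed, never NATed, because
    the CloudStack virtual routers own those addresses; everything else drops."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == MGMT_SERVER:
        return "allow" if any(src in net for net in ADMIN_SOURCES) else "drop"
    if any(dst in block for block in PUBLIC_BLOCKS):
        return "forward"
    return "drop"


if __name__ == "__main__":
    print(check_cross_connect(), static_routes("192.168.100.2"))
    print(decide("203.0.113.5", "10.0.0.10"), decide("198.51.100.7", "216.1.1.20"))
```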