Quoting Galimba ([email protected]):
> Hello everyone.
> My name is Sebastian. I'm new to this list and though I've been a sysadmin for
> several years now, I've only recently dived into Cloud Computing.
> I have successfully installed OpenNebula 4.4 on a local computer behind a
> firewall at my university. I set up two nodes and another dedicated
> computer as a NFS datastore.
> The plan is to provide my research group with the IAAS that OpenNebula
> brings to the table.
> At the moment, I'm dealing with an issue I haven't been able to solve, and
> perhaps some of you could throw me a hint.
> My university assigned me over 100 public ip addresses to provide each VM.
> If I were to plug the cable directly to the OpenNebula box, then I know I
> could create my templates with public ip addresses and then everything
> should be fine. The problem is that I have a firewall in the middle,
> managing all the public ips, and my OpenNebula box is on a LAN behind that
> firewall.

Question: Do you want to filter the traffic for your VMs on the "firewall in the middle"?

If the answer is yes then you might want to use the vm-hook like Valentin suggested. If not then a VLAN with public IPs is probably the easiest way to go.

Another possibility is to use the "Public Cloud" interface from ONE, specifically: EC2 [1]. It makes use of Elastic IPs. It uses scripting to handle the mapping of public to private IPs. Especially the scripts that interact with the OpenFlow seem promising [2].

Yet another way of doing this is to route the block of 100 IPs to a router/firewall (possibly running on ONE) (through a little IP interconnection block). In that case you don't have to filter on the "firewall in the middle" and/or do NAT (which I think is very ugly).

So like this:

public ip -> interconnect-ip - router/firewall - router-ip-routed-ips -> vm's with public ip

This will also work for IPv6. Natting IPv6 is possible, but even more ugly ;). You still have the possibility to do some filtering on the firewall while leaving the rest of the ports open.

If you like GUIs, pfSense is a very nice and capable firewall (based on OpenBSD's pf) [3]. If you would like to use pfSense on KVM -> don't use virtio network drivers, broken on KVM (at least that is our experience, Intel e1000 works fine).

Good luck, and have a fun and bright cloudy day ;),

Gr. Stefan

[1]: http://docs.opennebula.org/4.6/advanced_administration/public_cloud/ec2qug.html
[2]: http://community.opennebula.org/ecosystem:onenox
[3]: https://www.pfsense.org/

-- 
| BIT BV  http://www.bit.nl/  Kamer van Koophandel 09090351
| GPG: 0xD14839C6  +31 318 648 688 / [email protected]
_______________________________________________ Users mailing list [email protected] http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
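
The routed-block layout described in the reply above, worked through as an added example (not part of the original thread): each hop does a longest-prefix lookup and the destination address is never rewritten, so no NAT is involved. All addresses are constructed from RFC 5737 documentation ranges, and the node names `upstream` and `router` are assumptions.

```python
import ipaddress as ip

# Constructed addressing (RFC 5737 documentation ranges), not from the thread.
INTERCONNECT = ip.ip_network("192.0.2.0/30")    # small link between the two firewalls
ROUTED_BLOCK = ip.ip_network("203.0.113.0/25")  # stands in for the block of public IPs
UPSTREAM_IP = ip.ip_address("192.0.2.1")        # the "firewall in the middle"
ROUTER_IP = ip.ip_address("192.0.2.2")          # inner router/firewall in front of the VMs

# prefix -> next hop; None means the prefix is directly connected (on-link).
TABLES = {
    "upstream": {INTERCONNECT: None, ROUTED_BLOCK: ROUTER_IP},
    "router": {INTERCONNECT: None, ROUTED_BLOCK: None,
               ip.ip_network("0.0.0.0/0"): UPSTREAM_IP},
}
OWNER = {UPSTREAM_IP: "upstream", ROUTER_IP: "router"}

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None if unroutable."""
    matches = [p for p in table if dst in p]
    if not matches:
        return None
    best = max(matches, key=lambda p: p.prefixlen)
    return best, table[best]

def trace(start, dst, max_hops=8):
    """Follow dst hop by hop from node `start`; dst itself is never changed."""
    dst = ip.ip_address(dst)
    path, node = [], start
    for _ in range(max_hops):
        hit = lookup(TABLES[node], dst)
        if hit is None:
            return path + [f"{node}: no route"]
        prefix, next_hop = hit
        if next_hop is None:
            return path + [f"{node}: deliver {dst} on-link ({prefix})"]
        path.append(f"{node}: {prefix} via {next_hop}")
        node = OWNER[next_hop]
    return path + ["routing loop"]

def check_plan():
    """Consistency checks on the plan before the static route is requested."""
    problems = []
    if INTERCONNECT.overlaps(ROUTED_BLOCK):
        problems.append("interconnect overlaps routed block")
    if UPSTREAM_IP not in INTERCONNECT or ROUTER_IP not in INTERCONNECT:
        problems.append("next hop is not on the interconnect")
    return problems

if __name__ == "__main__":
    print(check_plan())
    print("\n".join(trace("upstream", "203.0.113.10")))
```

The only state the upstream firewall needs for the whole block is one static route toward the router's interconnect address; any filtering it still does is on top of that route, not a replacement for it.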
