On 30 Oct 2017 10:26 AM, "Luca 'remix_tj' Lorenzetto" <lorenzetto.l...@gmail.com> wrote:
> On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.ist...@gmail.com> wrote:
> > Hello,
> >
> > thank you for your patience for trying to let me see the light.
> >
> > Indeed I don't understand what you are explaining. Maybe if I give you more
> > concrete details it will help.
> >
> > My internal network is 192.168.196.0
> > My DMZ network is 192.168.188.0
> >
> > ovirt-engine is running on a centos server with IP 192.168.186.3
> > ovirt host is on a centos server with IP 192.168.186.4
> >
> > On the host I created a VM that I want to be in the DMZ. When I created the
> > VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
> > In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
> > 192.168.186.167.
> >
> > After that I added a host device to that VM using passthrough. This device
> > is called ens7 in the VM and I gave IP 192.186.188.4.
> > That device is directly connected to my physical DMZ switch and from there
> > to the firewall.
> > This part is OK.
> >
> > My problem is that through eth0 my VM has access to my internal network.
> > Removing the device seems impossible because this is ovirtmgmt network.
> > I can not change or remove the IP of my host because it would not be
> > reachable anymore on my internal network.
> >
> > Maybe the solution is obvious but I can't see it. I'm running in circles with
> > this problem and it makes me crazy.
> >
>
> Hi Istvan,
>
> why are you using device passthrough?
>
> Anyway. If you don't need the VM to access ovirtmgmt, remove nic1. As far as
> I can understand, you're directly communicating through DMZ.

Hi Luca,

As I have only one VM in the DMZ currently I assigned the NIC directly to the VM instead of creating a logical network to get maximum performance and better security because only the VM can access that network interface.
If one day I have to create another VM inside DMZ I'll create a logical network and bind the NIC to that network instead of the VM.

OK, I removed nic1 and it looks good. The only interface left is the DMZ network and I can reach it through the firewall. :-)

Thank you so much for your help and patience.

Istvan
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
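A check that could be run inside the guest to confirm the outcome reported in the thread, namely that no interface is left on a non-DMZ network. This is an added example, not part of the original messages. It assumes a /24 mask for the DMZ network (the thread gives no mask), and the sample `ip -o -4 addr show` lines are constructed, patterned on the thread's networks.

```python
import ipaddress
import subprocess

# Assumption: the thread names the DMZ network 192.168.188.0 without a mask; /24 is assumed.
DMZ_NET = ipaddress.ip_network("192.168.188.0/24")

# Constructed, trimmed samples of `ip -o -4 addr show` inside the guest.
SAMPLE_BEFORE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.186.167/24 brd 192.168.186.255 scope global dynamic eth0
3: ens7    inet 192.168.188.4/24 brd 192.168.188.255 scope global ens7
"""
SAMPLE_AFTER = """\
1: lo    inet 127.0.0.1/8 scope host lo
3: ens7    inet 192.168.188.4/24 brd 192.168.188.255 scope global ens7
"""


def parse_addrs(text):
    """Yield (ifname, IPv4Interface) for each 'inet' line of `ip -o -4 addr show`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            yield fields[1], ipaddress.ip_interface(fields[3])


def off_dmz_interfaces(text, allowed=DMZ_NET):
    """Return [(ifname, address)] for non-loopback addresses outside `allowed`."""
    findings = []
    for ifname, iface in parse_addrs(text):
        if iface.ip.is_loopback:
            continue
        if iface.ip not in allowed:
            findings.append((ifname, str(iface.ip)))
    return findings


def live_output():
    """Read the real interface list; requires the iproute2 `ip` tool in the guest."""
    result = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, off_dmz_interfaces(text) or "only DMZ addresses")
```

Passing `live_output()` to `off_dmz_interfaces()` runs the same check against the guest's actual interfaces.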