VMware Cloud Community
o_controller (Contributor)

Hairpinning possible in vSphere? Starting points?

Hi,

As part of a research project I have a scenario in which I need to route all VMs' traffic through a particular dedicated VM.

Say I have 3 VMs, VM1, VM2 and VM3, and a fourth VM, VM_GATE_WAY, all connected to the standard vSwitch on an ESXi host. What I need is a way to configure the VMs such that all the traffic from VM1, VM2 and VM3 is first routed to VM_GATE_WAY, and VM_GATE_WAY then forwards it to the physical adapter that the vSwitch is uplinked to.

The same is required in the opposite direction: all traffic directed to VM1, VM2 and VM3 from the outside should first go through VM_GATE_WAY and then to the respective VM. I have been searching for this but to no avail yet.

If anyone has an idea how to do this, or can give some pointers to get me started, it will be highly appreciated.

Thanks.

7 Replies
iw123 (Commander)

You could set up a virtual machine as a router, using something like Vyatta, http://www.vyatta.com/

You then configure this virtual router as the default gateway for those virtual machines. As far as the vSphere network config goes, you could put those machines in an isolated port group/vSwitch, with the virtual router having 2 vNICs, one in the isolated port group and one in a port group from which the rest of your network is available.

o_controller (Contributor)

Hi iw123,

Thanks for the pointer.

For the vSphere network config, what you are suggesting is that I create two port groups: one isolated from the external network, into which I put the VMs, and another connected to the uplink adapter. I add VM_GATE_WAY there with two vNICs, one connected to the isolated port group and the other to the port group connected to the uplink adapter (external network).

Please correct me if I am wrong. If we only assign the IP of VM_GATE_WAY as the default gateway for the VMs in the isolated port group, then VM_GATE_WAY should be able to receive all the outbound traffic from the VMs and we can do the Vyatta stuff.

But if I weren't to use any third-party software, can the same thing be achieved using VLAN IDs? I mean, if we set a VLAN ID on every VM in the isolated port group and configure the port connecting VM_GATE_WAY to the isolated port group for virtual guest tagging, then VM_GATE_WAY should receive all the packets VLAN-tagged.

Is this worth a try ?

mcowger (Immortal)

> For the vSphere network config, what you are suggesting is that I create two port groups: one isolated from the external network, into which I put the VMs, and another connected to the uplink adapter. I add VM_GATE_WAY there with two vNICs, one connected to the isolated port group and the other to the port group connected to the uplink adapter (external network).

Yes - this is correct and the most common way.

> But if I weren't to use any third-party software, can the same thing be achieved using VLAN IDs? I mean, if we set a VLAN ID on every VM in the isolated port group and configure the port connecting VM_GATE_WAY to the isolated port group for virtual guest tagging, then VM_GATE_WAY should receive all the packets VLAN-tagged.
>
> Is this worth a try?

It could receive the packets, yes. But then what would it do with them? You need some kind of software (whether pfSense, Vyatta, Linux routing, etc.) to do the right thing and route the packets.

--Matt VCDX #52 blog.cowger.us
o_controller (Contributor)

Thanks Matt,

At least I am thinking in the right direction, I guess :). I shall try all this and follow up if I have any more questions.

Thanks for all the help.

Cheers :)

o_controller (Contributor)

Hi,

I am a bit stuck at the moment. My actual problem has changed a bit now. It turns out that my VMs in the isolated port group need to be in separate broadcast domains. I mean VM1, VM2 and VM3 should not be able to communicate with each other, meaning they should each have a separate VLAN ID. I heard that you can configure per-port properties inside a vSphere Distributed Switch, i.e. multiple VLANs inside a port group (as each VM is connected to the port group via a separate port).

So I have created a VDS, but I am unable to add an isolated port group in there. Whenever I create a new port group, it is connected to the default uplink adapter. I want an isolated port group with no uplink adapters and another port group connected to the uplink adapter, so that the gateway VM can communicate with the outside world and the VMs in the isolated port group communicate with the external world only through the gateway VM.

Can anyone please guide me in creating an isolated port group and configuring per-port properties?

Thanks.

mcowger (Immortal), accepted solution

Once the port group is created, just remove the uplinks from that port group:

http://i.imgur.com/AL0Tx.png

--Matt VCDX #52 blog.cowger.us
o_controller (Contributor)

Hi Matt, thank you for the help.

I was able to isolate the group and assign separate VLAN IDs to each of the VMs in the isolated group, and VM_GATE_WAY was able to see all the traffic VLAN-tagged :).

However, I have some confusion at this point. The VMs inside the isolated port group were not assigned IP addresses by DHCP. This makes sense, as it has no connection to the uplink adapter that would connect it to the DHCP server. To generate the traffic I used tcpreplay to replay a pcap file through the respective interface, and I was able to see the traffic VLAN-tagged on VM_GATE_WAY.

But I am confused as to how to assign IP addresses to the VMs in the isolated port group. I tried configuring the IP as

ifconfig eth0 1.1.1.1 netmask 255.255.255.0 up

Although the IP was assigned, if for example I want to ping Google, what I want is that ICMP packets should be generated by the VM, which would then be received by VM_GATE_WAY. But this does not happen: no traffic is generated by the VMs if I open, for example, a browser. Can you please give me some pointers as to how to set the IPs for an isolated port group? I know the internet won't be accessible from those VMs, but at least they should generate the packets out of the interfaces, which I can receive on VM_GATE_WAY and then route accordingly. All help much appreciated.

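The following is an added example, not code from the thread or from any of its posters. It shows the Linux-side configuration behind iw123's "router VM as default gateway" design and behind Matt's remark that something must actually route the VLAN-tagged packets, and it covers the symptom in the last post: a static address alone gives a VM only the connected route for its own /24, so with no default route pointing at VM_GATE_WAY the kernel returns "Network is unreachable" for any outside destination and nothing ever leaves the vNIC (tcpreplay still works because it injects frames below the routing table; a browser additionally needs a resolver, otherwise the name lookup fails before any TCP SYN is sent). Everything concrete here is an assumption not present in the thread: VLAN IDs 10, 20 and 30 for VM1..VM3, subnets 10.10.<vlan>.0/24, a gateway VM with eth0 on the uplinked port group and eth1 on the isolated port group whose port is set to virtual guest tagging (VLAN 4095 on a standard vSwitch port group, or a VLAN trunk range on a VDS port), and Linux with iproute2 and iptables on both sides. With DRY_RUN=1 the script prints the commands instead of executing them, so it can be reviewed without root or a vSphere host.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout, not given in the posts:
#   VM_GATE_WAY: eth0 = uplinked port group, eth1 = isolated port group (VGT)
#   VM1/VM2/VM3: one VLAN each (10/20/30), subnet 10.10.<vlan>.0/24,
#                gateway address 10.10.<vlan>.1 on VM_GATE_WAY
# DRY_RUN=1 prints each command instead of running it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# --- VM_GATE_WAY side ------------------------------------------------------
# One 802.1Q sub-interface per VLAN, so each tagged stream arriving on the
# VGT port lands on its own L3 interface (its own broadcast domain).
gateway_vlan_iface() {
    vlan=$1
    run ip link add link eth1 name "eth1.$vlan" type vlan id "$vlan"
    run ip addr add "10.10.$vlan.1/24" dev "eth1.$vlan"
    run ip link set "eth1.$vlan" up
}

gateway_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    for vlan in "$@"; do
        gateway_vlan_iface "$vlan"
    done
    # Hairpin out of the uplinked vNIC: masquerade so replies come back here.
    run iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # The gateway is the only path between VLANs, so its FORWARD policy IS
    # the isolation: default drop, allow isolated -> uplink, allow replies,
    # and nothing else (no VLAN-to-VLAN forwarding, no unsolicited inbound).
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for vlan in "$@"; do
        run iptables -A FORWARD -i "eth1.$vlan" -o eth0 -j ACCEPT
    done
}

# --- isolated VM side ------------------------------------------------------
# The address gives a connected route for the /24 only; the default route via
# the gateway is what makes packets for any other destination leave the vNIC.
client_setup() {
    iface=$1; vlan=$2; host=$3
    run ip addr add "10.10.$vlan.$host/24" dev "$iface"
    run ip link set "$iface" up
    run ip route add default via "10.10.$vlan.1" dev "$iface"
    # Without a resolver a browser never emits a packet; point DNS at the
    # gateway (assumes a forwarder such as dnsmasq runs there).
    run sh -c "printf 'nameserver 10.10.$vlan.1\n' > /etc/resolv.conf"
}

# Check on the client: prints the next hop the kernel would use for an outside
# address, or nothing when the route lookup fails ("Network is unreachable").
next_hop_for() {
    ip -o route get "$1" 2>/dev/null | sed -n 's/.* via \([0-9.]*\) .*/\1/p'
}

case "${1:-}" in
    gateway) shift; gateway_setup "$@" ;;   # e.g. ./hairpin.sh gateway 10 20 30
    client)  shift; client_setup "$@" ;;    # e.g. ./hairpin.sh client eth0 10 50
esac
```

On VM1 (VLAN 10) run `./hairpin.sh client eth0 10 50`, then `next_hop_for 8.8.8.8` should print 10.10.10.1 and a `ping 8.8.8.8` produces ICMP on VM_GATE_WAY's eth1.10, which is the behaviour the last post was missing. The masquerade rule only lets replies back in; if unsolicited traffic from outside must reach VM1..VM3 through the gateway, either route the 10.10.x.0/24 subnets to the gateway's eth0 address upstream and drop the NAT, or add explicit DNAT rules for the services to expose. The gateway itself does not need promiscuous mode or forged transmits on the port group, because it is the addressed next hop rather than a sniffer.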