VMware Cloud Community
shawn130c
Contributor

Network Segregation with only one physical soho router on PE2850

Hello Guys,

I have a Dell PE2850 that is running the free version of ESXi 4 on my personal network. My main reason for installing ESXi was to create a test environment to test different operating systems and software without having to worry about my personal machine. I have been able to successfully do this but I am also interested in creating a separate virtual network for some of the VMs (virus testing, etc.), while allowing others to stay on my current network and communicate and share files with physical machines.

My current setup is this: DSL Modem - WRT54GS Router - Gigabit Switch, with two network cables going to the PE2850 (one for the Dell remote access card and the other to one of the onboard gigabit ports for ESXi). There is also another onboard gigabit switch available.

I understand through my limited networking/ESXi knowledge I could create a separate network by adding another SOHO physical router like this: . But I would then lose the gigabit speed and sharing (which I want to keep for some of the VMs). Another option I researched was creating different vSwitches and then using a virtual router to create virtual networks. I attempted to do this by using a virtual router (ipcop) and vSwitches. I was able to successfully get a VM to get online through ipcop, but even though ipcop was set to hand out 192.168.2.x IPs I still was able to communicate with my machines on the 192.168.1.x network through a VM behind ipcop.

Is there a way to create a virtual network that will allow me to prevent vm from communicating on my personal network but still allow other vms to share files between physical machines and maintain gigabit speed for file transfers? Also I know this is probably easily done with more expensive networking gear, but at this point I want to first investigate setting up a virtual router first.

I didn't want to make my first post too long but if you need more information let me know. Any assistance would greatly be appreciated.

Thanks,

Shawn

4 Replies
DSTAVERT
Immortal

Check whether you can create separate VLANs on the Linksys. If not with the standard Linksys image, check dd-wrt.com.

-- David -- VMware Communities Moderator
shawn130c
Contributor

Thanks for the reply DSTAVERT. I did look into the VLAN option and the current Linksys firmware does not do VLANs, but I do have another router with dd-wrt that should have that option; I left it at my office, though... But assuming I am able to configure VLANs on that router with dd-wrt, what is the best way to accomplish what I want to do (separate the "bad" VMs) and still maintain gigabit speed for transferring files to and from ESXi and easily share files between physical machines and the VMs that I want on my personal network?

If I am understanding VLANs correctly, I would first connect the dd-wrt router to the WRT54G (main) router and tell the dd-wrt router to make VLANs by, say, assigning port 1 as vlan1 and port 2 as vlan2. Then I would connect the "safe/management" vSwitch to vlan1 and the bad one to vlan2 using the two onboard NICs on my server and two network cables. But doing this I would lose gigabit speed while transferring files to ESXi, correct, since the router that has dd-wrt is only 10/100?

The only way I am able to figure out how to do that would be to run another cable from the main router to the dd-wrt router and connect the second router to the extra onboard gigabit NIC on the PE2850. Then configure another vSwitch and make sure to have all the bad VMs on that virtual network using the NIC connected to the dd-wrt router. That way I would have the router segregating my personal network from the bad network and still have gigabit speed, since the other gigabit NIC will be connected directly to a gigabit switch and not a 10/100 router. So is this my best option, or am I missing something with the VLAN option?

Thanks and have a fun and safe 4th of July,

Shawn

Josh26
Virtuoso

If I read this correctly, you have one physical server. You can:

Create one new vSwitch

Build one Linux box with a NIC on your existing vSwitch (and therefore has internet access) and one NIC on the other vSwitch. Set up that machine to do routing and apply ACLs as desired.

Every VM you build on the new switch will be internally isolated.

shawn130c
Contributor

Thanks for the reply Josh.

I am not familiar with ACLs in Linux. But I did some research on it and it seems like the ACLs are more for controlling access to files stored on the Linux box and not necessarily networks. But since I am unable to test out VLANs until Monday, I set up ipcop again and this time added an add-on called Block Out Traffic (BOT). Within ipcop I set up different "color" networks and assigned them to vSwitches like I did previously. This time with some BOT rules I was able to control which color networks can access the internet/ports and, more important, disable access to shared resources/computers on my network from VMs on the bad network and still allow VMs on the good networks to access them.

It is not the cleanest or the easiest to set up, but so far it seems to be working fine until I can play with VLANs. I will keep this question open for a little bit longer if anyone else has any other ideas to set up networking with the VMs to do what I want.

Thanks,

Shawn

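A worked example of the two-NIC routing VM that Josh26 describes and of the "bad network may reach the internet but not my shared resources" policy that Shawn ended up building with ipcop's BOT add-on. This is added here; it is not code from any poster, from ipcop or from VMware. It assumes a Linux router VM with eth0 on the existing vSwitch (personal LAN 192.168.1.0/24, home router and DNS at 192.168.1.1) and eth1 on the new vSwitch handing out 192.168.2.0/24; all of those names and addresses are assumptions chosen to match the thread.

```shell
#!/bin/sh
# Added example (not from the thread): iptables FORWARD/NAT rules for a Linux
# router VM with one NIC per vSwitch. Interface names, subnets and the gateway
# address are assumptions matching the networks discussed in the thread.
LAN_IF=eth0                 # NIC on the existing vSwitch, reaches the WRT54GS
BAD_IF=eth1                 # NIC on the new vSwitch holding the isolated VMs
LAN_NET=192.168.1.0/24      # personal network: physical machines and "good" VMs
BAD_NET=192.168.2.0/24      # isolated network handed out to the "bad" VMs
GATEWAY=192.168.1.1         # home router; assumed to also be the LAN's DNS server

# Emits the rule set. By default the commands are only printed so they can be
# reviewed; run with IPT=iptables (as root) to apply them for real.
rules() {
  IPT="${IPT:-echo iptables}"
  $IPT -t nat -F
  $IPT -F FORWARD
  # Default deny between the two vSwitches. Plain routing with no filter is
  # exactly why 192.168.2.x could still reach 192.168.1.x behind ipcop.
  $IPT -P FORWARD DROP
  # Replies to connections the isolated side already opened.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # DNS to the gateway only, so isolated VMs resolve names without a hole to the LAN.
  $IPT -A FORWARD -i "$BAD_IF" -o "$LAN_IF" -s "$BAD_NET" -d "$GATEWAY" -p udp --dport 53 -j ACCEPT
  # Anything else from the isolated net to the personal LAN (file shares, hosts,
  # management) is rejected. This rule must come before the catch-all below.
  $IPT -A FORWARD -i "$BAD_IF" -o "$LAN_IF" -s "$BAD_NET" -d "$LAN_NET" -j REJECT --reject-with icmp-admin-prohibited
  # What remains is internet-bound traffic: allowed.
  $IPT -A FORWARD -i "$BAD_IF" -o "$LAN_IF" -s "$BAD_NET" -j ACCEPT
  # Hide the isolated net behind the router VM's LAN address, so the WRT54GS
  # needs no static route back to 192.168.2.0/24.
  $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$BAD_NET" -j MASQUERADE
}

# The kernel must forward between the two NICs for any of the above to matter.
enable_forwarding() {
  ${SYSCTL:-echo sysctl} -w net.ipv4.ip_forward=1
}

# Sanity check on rule order: the LAN reject must precede the catch-all accept,
# otherwise the isolated VMs get the LAN back. Returns 0 when the order is right.
order_ok() {
  reject=$(rules | grep -n -- "-d $LAN_NET .*-j REJECT" | cut -d: -f1)
  accept=$(rules | grep -n -- "-s $BAD_NET -j ACCEPT" | cut -d: -f1)
  [ -n "$reject" ] && [ -n "$accept" ] && [ "$reject" -lt "$accept" ]
}

# Dry run by default; APPLY=1 switches to the real tools (needs root).
if [ "${APPLY:-0}" = 1 ]; then
  export IPT=iptables SYSCTL=sysctl
fi
enable_forwarding
rules
```

Run it as-is to print the rule set, then `APPLY=1 ./router.sh` as root on the router VM to load it. Two things to keep in mind with this layout: traffic from the personal LAN into the isolated net is also dropped (only replies pass), so add an explicit rule if a management box needs to reach the bad VMs; and VMs on the same isolated vSwitch still see each other directly, since that traffic never crosses the router.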