VLAN for HyperV

Security Gateway Discussions
THaala
Posts: 29
Joined: 13 Jun 2008, 15:21

VLAN for HyperV

Post by THaala » 05 Apr 2016, 11:53

Dear Users,

I am struggling here with a problem using/configuring VLAN connecting virtual machines.
To access the internet I need to NAT all traffic behind 11.11.11.158 from the local network. There are some other IP addresses free to allow DMZ traffic to VMs. Therefore I want to encapsulate this type of traffic in a VLAN 2222 which allows the VM creator to connect a VM to address 11.11.11.148 (or other...). This VLAN transports data between IF1 (VLAN2222) and IF6 only. Could anyone help me with the configuration? Sure, there is a need to control the traffic between VM and ISP and from the local network to the VM...
Thank you in advance.

My scenario in a picture:
Attachments
scn1.jpg

Peter
Posts: 699
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: VLAN for HyperV

Post by Peter » 05 Apr 2016, 14:31

Hi.

Not sure I understand the scenario 100%, but can't you just NAT traffic from 11.11.11.148 towards IF6?

I assume you have a route looking something like this:

Route Vlan2222 11.11.11.148 LocalIP=11.11.11.158

Where .158 is the default gateway for the Virtual Linux Machine. The IP rule then looks something like this:

NAT Vlan2222 11.11.11.148 if6 all-nets service=whatever

BR
/Peter

THaala
Posts: 29
Joined: 13 Jun 2008, 15:21

Re: VLAN for HyperV

Post by THaala » 05 Apr 2016, 17:10

Hello Peter,

The idea was to connect the DMZ to the internet by switching without NAT. The address .158 is used for internet access of employees from the 10.10.10.x network. The remaining addresses of the 11.11.11.144/28 network should be accessible through VLAN2222 from the virtual machines. I don't want to use NAT or SAT for connecting those machines to the Internet or, better, from the Internet. So I need a coupling between IF6 and VLAN2222 for all addresses except .158 and .145 (which is the default gtw.)

Best Regards,
Thilo

THaala
Posts: 29
Joined: 13 Jun 2008, 15:21

Re: VLAN for HyperV

Post by THaala » 06 Apr 2016, 15:59

...

Is it maybe an easier way to bring the default gateway 11.11.11.145 as PROXY to the VLAN2222? But how?
This should not have a negative influence on the existing NAT routing between IF1 and IF6.

Thanks in advance..

BR
Thilo

Peter
Posts: 699
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: VLAN for HyperV

Post by Peter » 07 Apr 2016, 08:16

If you want to use 11.11.11.145 as default gateway for machines behind VLAN2222 you only need a route looking something like this:

Route Vlan2222 11.11.11.148 LocalIP=11.11.11.145 ProxyARP=IF6

It is the same principle if you want to assign a public IP directly on a machine behind the Clavister.

LocalIP does two things:

1. Responds to ARP queries towards this IP on VLAN2222.
2. ARP queries from the Clavister (on VLAN2222) towards 11.11.11.148 will use IP 11.11.11.145 as sender.

This way you can use 11.11.11.145 as your default gateway on the 11.11.11.148 machine.

ProxyARP is needed as the Clavister must on IF6 respond to ARP queries from the ISP towards 11.11.11.148, basically we tell the ISP that we own this IP.

Communication between 11.11.11.148 and 10.10.10.xx (and vice versa) would only need a standard allow rule if you don't want to NAT or SAT.

/Peter
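The route above publishes a single host. As an added example (not part of Peter's post and not Clavister code), this Python sketch extends it to the remaining addresses of 11.11.11.144/28 mentioned earlier in the thread, and checks that a proxy-ARP route never answers for the ISP gateway (.145) or the NAT address (.158). The output uses the thread's informal route notation, not real CLI syntax; the function names and the planning logic are assumptions.

```python
import ipaddress

# Addresses taken from the thread; the planning logic is an added assumption.
PUBLIC_NET = ipaddress.ip_network("11.11.11.144/28")
ISP_GATEWAY = ipaddress.ip_address("11.11.11.145")  # default gateway, used as LocalIP
NAT_ADDRESS = ipaddress.ip_address("11.11.11.158")  # NAT address for 10.10.10.x
RESERVED = {ISP_GATEWAY, NAT_ADDRESS}


def publishable_blocks(net=PUBLIC_NET, reserved=RESERVED):
    """Collapse every usable host except the reserved ones into CIDR blocks."""
    hosts = [ipaddress.ip_network(h) for h in net.hosts() if h not in reserved]
    return list(ipaddress.collapse_addresses(hosts))


def check_route(network, net=PUBLIC_NET, reserved=RESERVED):
    """Return the problems with proxy-ARPing `network` towards the ISP side."""
    route = ipaddress.ip_network(network)
    problems = []
    if not route.subnet_of(net):
        problems.append(f"{route} is outside {net}")
    for addr in sorted(reserved):
        if addr in route:
            problems.append(f"{route} would answer ARP for reserved {addr}")
    for addr in (net.network_address, net.broadcast_address):
        if addr in route:
            problems.append(f"{route} covers network/broadcast address {addr}")
    return problems


def route_lines(vlan="Vlan2222", proxy_if="IF6"):
    """Render the blocks in the thread's informal route notation."""
    return [f"Route {vlan} {b} LocalIP={ISP_GATEWAY} ProxyARP={proxy_if}"
            for b in publishable_blocks()]


if __name__ == "__main__":
    for line in route_lines():
        print(line)
    # Publishing the whole /28 would claim the gateway and the NAT address too.
    for problem in check_route("11.11.11.144/28"):
        print("REJECT:", problem)
```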

THaala
Posts: 29
Joined: 13 Jun 2008, 15:21

Re: VLAN for HyperV

Post by THaala » 07 Apr 2016, 10:01

Dear Peter,

After a master explained this, it always looks easy.
I guess my thinking was too complicated. I thought bringing VM addresses to IF6 was the right way, but routing the default gateway to that VLAN does the trick instead. The meaning of those additional entries of LocalIP and DefaultGateway in routing tables was a miracle to me formerly.

However, my problem is solved.
Thank you.

Peter
Posts: 699
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: VLAN for HyperV

Post by Peter » 08 Apr 2016, 14:02

Great, glad you got it working.

/Peter
