complex net setup for virtualbox; advice needed

Asked by mc5686

Hi,
I *did* read the manual, but I'm a bit confused nonetheless.

I have a fairly up-to-date ubuntu 8.4 host.
I have two real NICs on my host.

One is connected to a small home net (eth0: 192.168.0.x) and the other is connected to my ISP (eth1: 192.168.120.x).
I need to use an OpenVPN tunnel to get to the Internet; this means exactly that I must:
- use eth1 as gateway to a well-defined server in my ISP's non-routable address space
  /sbin/route add -host 192.168.xx.yy gateway 192.168.120.1
- start an OpenVPN tunnel with that host and that will give me a routable address
  /usr/bin/openvpn --daemon --dev tap0 --writepid /var/run/openvpn.pid --lport 11949 \
    --remote 192.168.xx.yy 11949 --ifconfig my.end.ip.no 255.255.255.252 \
    --route-gateway isp.end.ip.no --redirect-gateway local --secret /some/place/key \
    --no-replay --ping 10 --ping-restart 60 --verb 1 --mute 10
- use the newly created tap0 as default gateway

I would like to use virtualbox to implement the following:

A) Install a dedicated firewall distribution (pfsense) with three logical NICs:
  1) connected to the Internet
  2) connected to the home LAN
  3) connected to a private DMZ LAN

B) Install a dedicated Web server (Apache+FTPd,+...) with just:
  1) logical NIC connected to the DMZ private net.

I understand I should build three bridges (WAN, LAN and DMZ) in the host and four virtual NICs (three for the router/firewall and one for the WebServer), but I'm more than a bit confused because there seem to be several different ways to do this and I cannot understand which is the "ubuntu approved" (or simply coherent!) way. Here are my doubts:

a) should I run OpenVPN on the host, creating a /dev/tap device, and then bridge it to the virtual device A1? Or can I just attach A1 to the tap device created by OpenVPN? Can this be done? Or should I just bridge the ISP NIC (eth1) to the router/firewall VBox and run OpenVPN there?

b) is there a way to prevent the host from using the created tap device? I would like to avoid bypassing the firewall!

c) DMZ should be clear: create one bridge (brDMZ) and two host interfaces (DMZ0 & DMZ1) and then bind them together.
in /etc/network/interfaces:
auto brDMZ
iface brDMZ inet dhcp
bridge_ports none
then:
VBoxAddIF DMZ0 mauro brDMZ
VBoxAddIF DMZ1 mauro brDMZ

d) The LAN interface should also be clear:
in /etc/network/interfaces:
auto brLAN
iface brLAN inet dhcp
bridge_ports eth0
then:
VBoxAddIF LAN0 mauro brLAN

e) how do I make sure the ISP interface (192.168.120.x) is used only by OpenVPN? can I do this?

f) Is this correct? Will any of this work?

Can someone be so kind as to point me in the right direction, please?
Thanks in advance
mauro

Question information

Language: English
Status: Solved
For: Ubuntu virtualbox-ose
Solved by: mc5686

mc5686 (mc5686) said :
#1

Ok,
Just for the record: I solved it; I'm still unsure this is optimal and/or compliant with ubuntu guidelines, but it works.

This is my current /etc/network/interfaces:
===========================================
auto lo
iface lo inet loopback

#--------------------------
# permanent host interfaces
#--------------------------

# LAN -------------------------------
auto eth0 tap0 br0

iface eth0 inet manual

iface tap0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface br0 inet static
    address 192.168.0.5
    netmask 255.255.255.0
    #gateway 192.168.0.254
    bridge_ports eth0 tap0
    bridge_maxwait 0
#-----------------------------------

# WAN ------------------------------
auto eth2 tap2 tap4 br2

# physical interface to Ydea net
iface eth2 inet static
    address 192.168.120.5
    netmask 255.255.255.0

iface tap2 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface tap4 inet manual
    up /root/Ydea/tap-up.sh
    down /root/Ydea/tap-down.sh
    tunctl_user mauro

iface br2 inet manual
# address 192.168.120.5
# netmask 255.255.255.0
    bridge_ports tap4 tap2
    bridge_maxwait 0
#-----------------------------------

# DMZ ------------------------------
auto tap1 tap3 br1

iface tap1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface tap3 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface br1 inet static
    address 192.168.77.5
    netmask 255.255.255.0
    bridge_ports tap1 tap3
    bridge_maxwait 0
#-----------------------------------
===========================================

As soon as I nail down all residual issues I will write a howto to help other people (where should I put it?)

Regards
Mauro
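The two security questions in the original post, (b) "prevent the host from using the created tap device" and (e) "make sure the ISP interface is used only by OpenVPN", come down to one host-side property: the host must own no address on the WAN bridge and must never route its default traffic through a WAN-side interface, so everything it sends to the Internet has to pass through the pfSense VM on the LAN bridge. The script below is an added example (not code from the original thread) that checks exactly that from `ip -o -4 addr` and `ip -4 route` output; the interface names and addresses are those of the answer's /etc/network/interfaces, the pfSense LAN gateway is the 192.168.0.254 commented out in that file, and both samples are constructed.

```shell
#!/bin/sh
# Added check script (not from the original thread). Interface names are
# those of the answer's /etc/network/interfaces; the sample output is constructed.

WAN_ADDR_FORBIDDEN="br2 tap2 tap4"        # eth2 keeps its ISP address for OpenVPN
WAN_ROUTE_FORBIDDEN="eth2 br2 tap2 tap4"  # the host's default route must avoid these

# $1: output of `ip -o -4 addr`. Succeeds if no forbidden interface carries an address.
no_host_addr_on_wan() {
    for ifc in $WAN_ADDR_FORBIDDEN; do
        printf '%s\n' "$1" | awk -v i="$ifc" '$2 == i { f = 1 } END { exit f + 0 }' || return 1
    done
}

# $1: output of `ip -4 route`. Succeeds if the default route's device is not forbidden.
default_route_not_wan() {
    dev=$(printf '%s\n' "$1" | awk '$1 == "default" { for (n = 1; n <= NF; n++) if ($n == "dev") print $(n + 1) }')
    [ -n "$dev" ] || return 1             # no default route at all: report as a failure
    for ifc in $WAN_ROUTE_FORBIDDEN; do
        [ "$dev" != "$ifc" ] || return 1
    done
}

# $1: addr output, $2: route output. Succeeds only when both checks pass.
check_host_isolation() {
    no_host_addr_on_wan "$1" && default_route_not_wan "$2"
}

# Constructed sample of a correctly isolated host (addresses from the answer's config).
ADDR_GOOD='1: lo    inet 127.0.0.1/8 scope host lo
2: eth2    inet 192.168.120.5/24 brd 192.168.120.255 scope global eth2
3: br0    inet 192.168.0.5/24 brd 192.168.0.255 scope global br0
4: br1    inet 192.168.77.5/24 brd 192.168.77.255 scope global br1'
ROUTE_GOOD='192.168.120.0/24 dev eth2  proto kernel  scope link  src 192.168.120.5
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.5
192.168.77.0/24 dev br1  proto kernel  scope link  src 192.168.77.5
default via 192.168.0.254 dev br0'
# Constructed sample of a misconfigured host: br2 was given an address and the
# default route leaves through it, so host traffic would bypass the firewall VM.
ADDR_BAD="$ADDR_GOOD
5: br2    inet 192.168.120.5/24 brd 192.168.120.255 scope global br2"
ROUTE_BAD='192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.5
default via 192.168.120.1 dev br2'

if check_host_isolation "$ADDR_GOOD" "$ROUTE_GOOD"; then echo "good sample: host cannot bypass the firewall"; fi
if ! check_host_isolation "$ADDR_BAD" "$ROUTE_BAD"; then echo "bad sample: host has a path around the firewall"; fi
```

On the real host, feed it live output with `check_host_isolation "$(ip -o -4 addr)" "$(ip -4 route)"`; the /32 host route to the OpenVPN server via eth2 from the original post is allowed, only a default route through a WAN-side interface fails the check.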