Bridged Network Model for Dual NIC Host

Virtual servers should appear as independent devices on the private LAN and be accessible from the public Internet using the host server's IP address.

Dual NIC Network Model

I use this network model on most of my servers. It uses IP addresses efficiently, secures the virtualized servers on the public interface (eth1) and allows direct access over the private interface (eth0).

Host Interfaces

The host has at least two network interfaces.  My convention uses eth0 for the trusted connection to the local network and eth1 for the connection to the public internet.

Host Packages

Proxmox VE is used to manage the OpenVZ and KVM containers and virtual machines.  It provides a useful interface to the host server.  The same interface can be used to access multiple hosts when Proxmox clustering is configured.

Advanced Policy Firewall (APF) offers a convenient way to configure and maintain iptables as a firewall.  APF is configured to provide network address translation (NAT) from the public IP to the containers, egress filtering and masquerading.  Masquerading is used to change the container's eth1 IP address to the host's IP address.

NGINX is used as a reverse proxy to route port 80 and 443 requests to the appropriate container.

Public Interface Configuration

A guest bridge vmbr1 is created to connect the containers.  This bridge is accessible on the host server only.  APF and NGINX are configured to route traffic from the public interface Eth1 to the containers via this guest bridge.

Network Interface

The WAN interface is defined in the network interfaces file.  Below is an excerpt from the /etc/network/interfaces file for Debian systems:

APF Preroute Rules (NAT)

APF is used to route specific ports from the public interface to the containers.  The preroute.rules example below shows how ssh access is routed to the container.  The destination address is on vmbr1.

# apps02 - ssh access: XXXX --> YYY
$IPT -t nat -A PREROUTING -d -p tcp  -i eth1 --dport XXX  -j DNAT --to-dest 192.168.80.XXX:YYY
APF Postroute Rules (Masquerade)

The postroute.rules example below shows how APF is used to configure masquerade on iptables.  The source IP addresses from the vmbr1 network are changed to the host's public IP address, which is in this example.

# Guest Network Outbound Routing
$IPT -t nat -A POSTROUTING  -s   -o eth1 -j SNAT  --to-source
NGINX Reverse Proxy for Port 80 and 443

The NGINX configuration file for the virtual host defines the web request routing.  Here is an excerpt showing the location directive for one virtual host.

Private Interface Configuration

The private LAN is a trusted network.  We do not want firewall rules to interfere with traffic on the LAN over the trusted eth0 interface.  Traffic is routed from the containers using policy based routing that is configured in the network interface file.  The example below is specific to Debian.

IP Route Table

A route table name is created for convenience in the /etc/iproute2/rt_tables file. In the example below, this table is called t0 for "table for Eth0".

#vmbr0 Route Table
501 t0

Policy based routing is configured in the network interface file. For Debian based systems, this routing is created in the /etc/network/interfaces file.

# Trusted Interface
# Guests visible on LAN
# Not managed by APF -- Routing Configured in this Config Fileiface eth0 inet manual
auto vmbr0
iface vmbr0 inet static
address  192.168.10.YY
bridge_ports eth0
bridge_stp off
bridge_fd 0
post-up ip route flush table t0
post-up ip route add default via dev vmbr0 table t0
post-up ip rule add from 192.168.10.YY table t0 priority 501
February 06th, 2013 Posted by Jon Jaroker Filed in: Network Model

Be the first to comment. Leave a comment

Your email address will not be published. Required fields are marked *