Index.
07-Nov-2011: initial release.
Introduction.
The next article covers the setup of amanda backup, a backup system that uses the client/server model. When the backup server fetches data from a client, say our web server, normal user traffic on the network stalls for periods of time because the backup traffic fills the network queue. Traffic shaping helps a bit, but not enough to let user traffic flow as if no backup were running. The solution is simple: add a separate network that carries backup traffic only. Backup traffic then no longer needs to be routed through the gateway; every virtual host is connected directly to the homeserver host. The picture on the left shows this blue network with its own firewall rules. In the firewall configuration we can block backup traffic on the regular network and allow it only on the new network. Note that the new network also gives every connected virtual host a direct path to the homeserver host that bypasses the gateway, so the rules on it must allow nothing but backup traffic, and no host should forward packets between the new network and the other networks.
Note that this principle is often used in data centers between servers that need to work together: there are often separate networks for database traffic and for other maintenance traffic. In our case it costs nothing, because the new network is a virtual network.
Configuration.
First we need to update our network plan and select an address range for the new network.
| IPv4 | IPv6 | Remark |
|---|---|---|
| 10.126.160.0/24 | 2001:1af8:fecf:7ea0::/64 | Workstations LAN |
| 10.126.161.0/24 | 2001:1af8:fecf:7ea1::/64 | Server/Gateway LAN |
| 10.126.162.0/24 | 2001:1af8:fecf:7ea2::/64 | DMZ Network |
| 10.126.163.0/24 | 2001:1af8:fecf:7ea3::/64 | VPN trunk |
| 10.126.164.0/24 | 2001:1af8:fecf:7ea4::/64 | Maintenance LAN |
| 10.126.165.0/24 | 2001:1af8:fecf:7ea5::/64 | Spare |
| 10.126.166.0/24 | 2001:1af8:fecf:7ea6::/64 | Spare |
| 10.126.167.0/24 | 2001:1af8:fecf:7ea7::/64 | Spare |
The next table shows the addresses in use and the new interfaces.
| Host | Interface | IPv4 | IPv6 |
|---|---|---|---|
| homsrv.wpl.ym | vboxnet1 | 10.126.164.1 | 2001:1af8:fecf:7ea4::1/64 |
| gateway.wpl.ym | eth3 | 10.126.164.2 | 2001:1af8:fecf:7ea4::2/64 |
| websrv.wpl.ym | eth1 | 10.126.164.3 | 2001:1af8:fecf:7ea4::3/64 |
Create a new host-only network between the host and all the virtual machines. You can create it in the VirtualBox user interface and set the addresses there. Disable the DHCP server on the new network, because the addresses are assigned statically from the plan above. When that is done, reboot the whole system; if everything went well, the home server now has a new vboxnet1 network interface.
Next, stop each virtual server and add an Ethernet adapter connected to the new host-only network. Start the machine again and configure the new network card in /etc/rc.conf. After a reboot the network card should be visible and configured. Note that if your firewall is more or less based on the example file, you cannot test the new network yet, because the firewall (at least on the gateway machine) blocks unknown traffic.
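The host side of this procedure done with VBoxManage instead of the user interface, as an added example that is not part of the original article. It assumes the interface printed by `VBoxManage hostonlyif create` is vboxnet1, that the virtual machines are registered as gateway and websrv, and that the new adapter is the fourth one on gateway and the second one on websrv (so they show up as eth3 and eth1 in the guests, as in the table above); all of these names are assumptions. The guest-side /etc/rc.conf entries depend on the guest operating system and are not shown.

```shell
#!/bin/sh
# Added example, not the article's own configuration: set up the VirtualBox
# host-only maintenance network from the command line.
# Assumptions (not stated in the article): the host-only interface is
# vboxnet1, the VMs are registered as "gateway" and "websrv", the new
# adapter is nic4 on gateway (eth3 in the guest) and nic2 on websrv (eth1).
# Set DRY_RUN=1 to print the commands instead of running them.
set -eu

MAINT_IF="${MAINT_IF:-vboxnet1}"
HOST_V4="10.126.164.1"
HOST_V4_MASK="255.255.255.0"
HOST_V6="2001:1af8:fecf:7ea4::1"
HOST_V6_LEN="64"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Give the host its IPv4 and IPv6 addresses on the host-only interface and
# remove the DHCP server VirtualBox may have attached to it: addresses come
# from the network plan, so nothing on this network may hand out leases.
configure_maint_net() {
    ifname="$1"
    run VBoxManage hostonlyif ipconfig "$ifname" --ip "$HOST_V4" --netmask "$HOST_V4_MASK"
    run VBoxManage hostonlyif ipconfig "$ifname" --ipv6 "$HOST_V6" --netmasklengthv6 "$HOST_V6_LEN"
    # "remove" fails when no DHCP server exists, which is the state we want.
    run VBoxManage dhcpserver remove --ifname "$ifname" || true
}

# Attach adapter number $2 of the powered-off VM $1 to host-only interface $3.
attach_maint_nic() {
    vm="$1"; nic="$2"; ifname="$3"
    run VBoxManage modifyvm "$vm" "--nic$nic" hostonly "--hostonlyadapter$nic" "$ifname"
    run VBoxManage modifyvm "$vm" "--cableconnected$nic" on
}

# Check from the host (Linux "ip" tool) that a guest's maintenance address
# is reached over the host-only interface and not routed via the gateway.
# Returns 0 when the route points at $2.
check_maint_route() {
    target="$1"; ifname="$2"
    ip route get "$target" | grep -q " dev $ifname "
}

# Full procedure; run as "sh maintnet.sh apply" after creating the interface
# with "VBoxManage hostonlyif create" (it prints the name it chose).
case "${1:-}" in
apply)
    configure_maint_net "$MAINT_IF"
    attach_maint_nic gateway 4 "$MAINT_IF"
    attach_maint_nic websrv 2 "$MAINT_IF"
    ;;
esac
```

Run it with `DRY_RUN=1 sh maintnet.sh apply` first to see the commands, then without `DRY_RUN` while the virtual machines are powered off. After the guests are up again, `check_maint_route 10.126.164.3 vboxnet1` confirms that backup traffic to the web server leaves the host on the maintenance interface rather than through the gateway.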
Firewall.
Now add the new Ethernet interfaces and their addresses to each server in the firewall configuration. Also create IPv4 and IPv6 network objects for the new network and put them in a new object group. With this group we configure the firewall so that only traffic belonging to the new network is allowed on it. Protocol restrictions will be added later; for now leave the service set to "Any", so that everything is allowed during testing and the network can be checked with ping.
Once you have created all the firewall interfaces and rules and uploaded the firewall configuration, you can test the new network.
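The rules described in this section written out for Linux netfilter, as an added example that is not the article's own firewall configuration (which is built in a rule tool and uploaded). It assumes the guest runs iptables/ip6tables and that the maintenance interface is eth3 on the gateway or eth1 on websrv; the backup ports are the IANA-registered amanda ports (amanda 10080, amandaidx 10082, amidxtape 10083), and whether your amanda setup uses additional ports is an assumption you need to check. Besides the "Any" stage from the text it also shows the restricted stage that the article defers to later.

```shell
#!/bin/sh
# Added example, not the article's own firewall configuration. Assumes a
# Linux guest with iptables/ip6tables on PATH. MAINT_IF is the maintenance
# interface (eth3 on gateway, eth1 on websrv); BACKUP_PORTS are the
# IANA-registered amanda ports, adjust if your amanda setup uses others.
# Set DRY_RUN=1 to print the rules instead of loading them.
set -eu

MAINT_IF="${MAINT_IF:-eth3}"
MAINT_NET4="10.126.164.0/24"
MAINT_NET6="2001:1af8:fecf:7ea4::/64"
BACKUP_PORTS="${BACKUP_PORTS:-10080 10082 10083}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append the maintenance-network rules for one address family.
# $1: tool (iptables or ip6tables), $2: maintenance network in that family,
# $3: "any" (testing stage, everything allowed) or "backup" (restricted).
maint_rules() {
    tool="$1"; net="$2"; mode="$3"
    case "$tool" in ip6tables) icmp=icmpv6 ;; *) icmp=icmp ;; esac
    # Anti-spoofing: a maintenance source address must arrive on the
    # maintenance interface, otherwise the "accept" below could be reached
    # from the regular network with a forged source.
    run "$tool" -A INPUT ! -i "$MAINT_IF" -s "$net" -j DROP
    if [ "$mode" = "any" ]; then
        # Testing stage ("Any" in the article).
        run "$tool" -A INPUT -i "$MAINT_IF" -s "$net" -j ACCEPT
    else
        # Restricted stage: replies, ping and the backup ports only.
        run "$tool" -A INPUT -i "$MAINT_IF" -s "$net" -m state --state ESTABLISHED,RELATED -j ACCEPT
        run "$tool" -A INPUT -i "$MAINT_IF" -p "$icmp" -j ACCEPT
        for port in $BACKUP_PORTS; do
            for proto in tcp udp; do
                run "$tool" -A INPUT -i "$MAINT_IF" -s "$net" -p "$proto" --dport "$port" -j ACCEPT
            done
        done
        run "$tool" -A INPUT -i "$MAINT_IF" -j DROP
    fi
    # Backup traffic may not use the regular network: drop the backup ports
    # on every other interface, incoming and outgoing.
    for port in $BACKUP_PORTS; do
        for proto in tcp udp; do
            run "$tool" -A INPUT  ! -i "$MAINT_IF" -p "$proto" --dport "$port" -j DROP
            run "$tool" -A OUTPUT ! -o "$MAINT_IF" -p "$proto" --dport "$port" -j DROP
        done
    done
    # The maintenance network is a dead end: never forward packets into or
    # out of it. This matters on the gateway, which routes between the LANs.
    run "$tool" -A FORWARD -i "$MAINT_IF" -j DROP
    run "$tool" -A FORWARD -o "$MAINT_IF" -j DROP
}

# Load both address families; run as "MAINT_IF=eth1 sh maintfw.sh any".
case "${1:-}" in
any|backup)
    maint_rules iptables  "$MAINT_NET4" "$1"
    maint_rules ip6tables "$MAINT_NET6" "$1"
    ;;
esac
```

The script only appends rules; it assumes your existing ruleset already sets the chain policies and allows the link-local ICMPv6 traffic (neighbour discovery) that IPv6 needs on every interface. Start with `any` to get ping working across the new network, then switch to `backup` once amanda runs over it.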
Download.
Here are the configuration files and examples.