Isolate network traffic

Daniel_Ruiz_Molina · October 25, 2018, 11:24am

Hello,

First of all, I’m going to explain my OpenNebula configuration and, later, I will explain what I need.
I have only one server that acts as OpenNebula-server and OpenNebula-kvm-node. It has 4 NICs but only 1 is connected to the physical switch.
I have configured network with eth0 attached to bridge br0 (I’m using LinuxBridges, not OpenvSwitch). This “br0” is configured with my public IP address and, then, I have created 3 more bridges (br0:1, br0:2 and br0:3), each of them with an private IP address from my three OpenNebula private networks. So my server has configured 4 IPs.

Each private network, during its configuration in OpenNebula, was attached to “br0” device, no “br0:X” device (parameter “BRIDGE”), but I have not configured parameter “PHYDEV” of each private network (neither on the public network).

In my scenario, several users need to use these three private networks. They are not been able to create network, so they ONLY could use three I have create as “oneadmin”.
But now, I have got this problem: machine 1 of user A in private network #1 can ping machine 1 of user B in the same private network #1 because both machines are attached to the same network. So, could I configure OpenNebula private networks or bridges for isolate this traffic?

Thanks a lot!!!

kingbuffalo · November 19, 2018, 12:11am

Hi Daniel,

I might be reading it wrong.

So you do have 4 networks.
1 Public, 3 Privates?
All setup as bridges

It sounds like you may have confused bridge for physical device (phydev)
bridge is just the name of the linux bridge it creates (So like br0)

to confirm run brctl show Opennebula in bridged mode will bridge the VM Guest NIC to a physical bridge, you do need to specify the physical and you could leave the bridge bit out.

so Network 1: Public
physdev: br0

Private 1:
phydev: br0:x
bridge: private1-To-Br0:x

Private 2:
phydev: br0:x:
bridge: private2-To-Br0:x

Private 3:
phydev: br0:X
bridge: private3-To-Br0:x

Then when you attach a VM to Private 3 it will create a bridge called private2-To-Br0:x visible via brctl show it should show that this is connected to physical port/bridge br0:x and you will see another port which is the VM’s NIC in KVM

I think the bridge bit is mis-leading, by default if you leave blank it will just name it one-br-[Network ID] or something.

So mine for example (little bit different as using Vlan’s but should help)

[root@PBC-FE01 ~]# brctl show
bridge name bridge id STP enabled interfaces
Mgmt-Web 8000.68b599b6c45c no bond0.10
one-38-0

Topic		Replies	Views
How to segregate service network from internet access for VMs Community Support	6	1783	July 6, 2015
About Virtual Private Network in Opennebula Community Support	1	2257	June 17, 2015
Private networks without physical device Community Support	5	3113	October 25, 2018
Linux Bridge and VLAN trunk inside KVM VM Community Support	5	3820	February 17, 2017
OpenNebula VM Internet Access Community Support	0	769	July 29, 2017

Isolate network traffic

Related Topics