Virtualising servers on a DMZ - IP allocation

dbrb2
Posts: 17
Joined: 6. Sep 2009, 00:38
Primary OS: Ubuntu 8.10
VBox Version: OSE Debian
Guest OSses: Ubuntu Server

Post by dbrb2 »

Hi,

We currently have three physical servers on a DMZ, each with a static, public IP address. I'm looking at virtualizing these servers, but am trying to work out how I can do this without having to use one of our static IPs for the VirtualBox host machine - since the host interface on the DMZ will require an address.

Can I transparently allocate this interface address to one of my guest machines?

I hope the above makes some sense...

Cheers,

Ben
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Virtualising servers on a DMZ - IP allocation

Post by Perryg »

If you want to be able to communicate with the host remotely you will need to assign it a public address.
If you do not need to communicate with it remotely then a private address should work.
You would still be able to get to the guest via ssh, or rdp, or whatever you need to use, but neither the host <> guest nor remote host connections will work.

Post by dbrb2 »

What I had been planning was as follows:

The host machine has two network interfaces.
One would sit on the DMZ, and the address allocated to this interface would be transparently bridged to one of my guest machines. My other guests would be allocated other static addresses.

The other interface would be used just for management, and would sit on my local LAN

Does this sound possible? The bit I wasn't sure about was allocating one of my guests the same address as the DMZ host interface...

Post by Perryg »

You need to look at this as these are separate computers in the same box (kind of like a rack). You can't assign two PCs the same IP address.

Post by dbrb2 »

No, but since I have two physical interfaces on my server, can I not manage the host through one (on my LAN), place the other on my DMZ, assign a static address to the DMZ interface of the host, and then configure the host PC to bridge its physical DMZ interface with the virtual interface of one of my guests?

Post by Perryg »

Short answer is no, you cannot assign two network interfaces the same IP address.
If you feel the need to see this yourself, I suggest that you do not try this in a production environment as it will bring down at least two units when you do.
Remember that while it is called a virtual network interface it works and performs exactly the same way that a real network interface works, right down to having its own MAC address.

Post by dbrb2 »

Ok - well in that case presumably I could set one of my guest OSes up with a NATed address, and set the host machine to route all traffic on all open ports arriving on the host machine's DMZ physical interface to that virtual machine.

I can then still manage the host machine either locally or through the second physical interface.

I'm just trying to find a way of virtualising my three physical servers, which currently each have a public static address, without needing to use a fourth static address for the host.
vbox4me2
Volunteer
Posts: 5218
Joined: 21. Nov 2008, 20:27
Location: Rotterdam
Contact:

Post by vbox4me2 »

That won't work as you want, stick to Bridge mode. You can assign any address to the Host bridged adapter(s), even a non-existing/local one, to keep public traffic away from the Host.

However, you mention the 3 servers have a public address, I do hope they are firewalled properly! A much better way would be a firewalled router that can handle multiple public addresses, then it's a matter of adding firewall rules. I have done the same here exactly like I said, the firewall/router is where I manage what goes where internally.
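
The bridged layout described in the post above, as a dry-run sketch added here (it is not code posted by anyone in the thread): every guest's first NIC is bridged to the host's DMZ interface, and the host end gets an address that none of the guests use. The interface name `eth1`, the guest names and all addresses are assumptions, with the addresses taken from documentation ranges.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: eth1 is the host NIC on the
# DMZ, the guest names are hypothetical, and all addresses are constructed
# samples from documentation ranges (203.0.113.0/24 and 192.0.2.0/24).

DMZ_IF="eth1"
# guest-name:static-address pairs (constructed sample data)
GUESTS="web1:203.0.113.10 mail1:203.0.113.11 dns1:203.0.113.12"

# Print the guest that already owns an address and return 0; return 1 if the
# address is free. A match is the duplicate-IP case the thread rules out.
find_conflict() {
    addr="$1"
    for pair in $GUESTS; do
        if [ "${pair#*:}" = "$addr" ]; then
            echo "${pair%%:*}"
            return 0
        fi
    done
    return 1
}

# Dry run: print the host-side commands instead of executing them.
# $1 is the address/prefix for the host end of the bridged NIC; it must not
# be one of the guests' statics.
plan_commands() {
    host_cidr="$1"
    if owner=$(find_conflict "${host_cidr%%/*}"); then
        echo "refusing: ${host_cidr%%/*} already belongs to $owner" >&2
        return 1
    fi
    for pair in $GUESTS; do
        echo "VBoxManage modifyvm ${pair%%:*} --nic1 bridged --bridgeadapter1 $DMZ_IF"
    done
    echo "ip addr flush dev $DMZ_IF"
    echo "ip addr add $host_cidr dev $DMZ_IF"
    echo "ip link set $DMZ_IF up"
}

plan_commands "192.0.2.1/24"
```

Review the printed commands before running any of them on the host; the guests' static addresses are configured inside each guest, not by these commands.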

Post by dbrb2 »

Hi,

Yes - currently the three public servers are completely firewalled from the rest of our network. Our hardware firewall has a number of physical interfaces, one is used for the LAN, and another for the DMZ containing the public servers.

I could give the host machine an address on the LAN. In this case I could give the host a local address, and configure the firewall to route any public traffic to the host machine, which would then send it to the relevant guest machine.

However, I'd rather keep everything public on the DMZ interface of the firewall. The problem here is that the DMZ interface on the firewall is currently defined as connecting to a subnet containing all of our available static addresses, so to put the host machine here it would need to use one of these addresses.

Our ISP allocates us a dynamic WAN address, but then routes any traffic to our static addresses to this dynamic address. Our firewall then has a DMZ interface that is defined so as to have our statics hanging off of it.

I suppose I could increase the size of the DMZ subnet on the firewall, then allocate one of the new addresses to the host machine. The host would never get any traffic directed to this "newly created" address, since it would be a public address that isn't actually ours, but I could then allocate all of our actual public addresses to virtual machines, and manage the host machine locally or via the second NIC.

Any traffic for any of our allocated static addresses would still arrive at the host machine, and be routed onto the virtual machines.


Does the above make any sense?

Post by vbox4me2 »

It does, it should work, the only way to know for sure is to try it with some test Guests.

Post by Perryg »

Hummm,
Strangely sounds like my first reply.