I would like to discuss with you the feasibility of running LEDE in a VirtualBox container on a device that will also act as an advanced NAS and server, but having LEDE provide all the network connectivity to the server.
The reason why I would like to investigate this approach, instead of just having LEDE provide all the services, is the availability of ready-to-use services; some of them are not supported by LEDE itself and can be troublesome to compile.
The requirement is that the server part (host operating system) shall NOT get connectivity directly from the physical Ethernet port; rather, it shall get it from the LEDE instance running within VirtualBox as guest OS.
Attached is a scheme of the setup I have in mind:
(please note I already have LEDE running on an ARM SBC with one Ethernet interface and two VLANs for making the LAN and WAN areas with the support of an external VLAN-aware switch)
As far as I can go with my knowledge, the setup "should" work; my only doubts are regarding the possibility of creating two VLANs on a VirtualBox bridged interface and also of bridging a host-only VirtualBox adapter with a LEDE VLAN interface.
I think such a setup could be very much appreciated, since you can buy for 80$ a very good Intel mini PC with an Atom X5 processor that supports VT-x.
Personally I switched to pfSense after my favourite third-party x86 version of OpenWRT stopped being supported. I found performance notably better than OpenWRT, plus you have access to the entire FreeBSD repository if you desperately need something not officially supported.
Ultimately LEDE is intended for consumer hardware, pfSense is much more business-grade. The only place pfSense falls down is WiFi support which is why I continue to use LEDE for WiFi APs.
pfSense is also frequently used virtualised as you described, although I prefer to keep mine on a dedicated Atom so that when doing work on the NAS I do not lose Internet connectivity across the whole network.
Ok, but regardless of the router distribution, the main concern here is the bridging capabilities among interfaces, so I guess the questions are still valid though.
Fair enough, I think generally it's expected that the NAS would also be virtualised so that the host OS is never exposed to the LAN at all. I don't see any reason why your method wouldn't work though.
Am I understanding correctly that traffic coming into eth0 is already VLAN tagged?
If so, I think you need to add two interfaces, eth0.2 (dhcp client) and eth0.3 (no ip) to the host OS and use those as vbox0 and vbox1, both bridged interfaces.
Then eth0.2 will pass the LAN traffic back across to the host OS.
@Menion Depending on your hardware specs, if you have at least 2GB of RAM (preferably 3 - 4) for the VM, I'd recommend Sophos XG or Sophos UTM (XG and UTM are free to home users as a software appliance)
@alexatkinuk I'd recommend the same to you as both support WiFi.
Thank you, but can we please stay on topic? I am not searching for an alternative to LEDE, unless my idea is proven to be incompatible (my major concern is regarding VLAN interfaces in VMs).
I could be mis-remembering, however I believe there may be a way to do this on Unix-based OSes, but I could be wrong.
- The last time I looked into trying to get a non-VM manager host OS (such as ESXi) to do something similar was when I was investigating doing a similar project on Windows (which can't be done natively due to the network stack in Windows).
Is there a reason why you're not utilizing a VM host OS, such as ESXi to run the different OSes?
- When you're dealing with a WAN facing VM, it's a major security risk to not run it as a guest OS within a VM host OS, or in a jail, otherwise there's a chance of the host being exposed directly to WAN with no firewall in place should something go wrong.
The setup you desire will work. Many people have used routers in VMs, while still using the host hardware.
I currently use Lubuntu with VirtualBox as my hypervisor.
I can assign VLANs, etc to the VMs. I create the VLAN on the host, then assign the VM to that interface in VirtualBox. You can also make a flat LAN, and tag the frames in the VM. Both will work just fine.
Thanks! I hope I can start soon; the major "problem" here is finding some time, since some work will require me to be connected directly to the PC, because when re-arranging the networking I will likely lose the network connection to the PC.
Hello @lleachii, I have a quick question: is there no need to install the VBox guest addon in LEDE? I am planning to provide WiFi access via a USB adapter assigned to the VM, but I am not sure if I need such an addon.
Also, won't they increase performance?
Guest Additions provide the following:
- Mouse pointer integration
- Shared folders
- Better video support
- You can resize the virtual machine's window
- 3D graphics and 2D video for guest applications can be accelerated
- Seamless windows
- Generic host/guest communication channels
- Time synchronization
- Shared clipboard
- Automated logons (credentials passing)
If you don't need any of the above (most are unavailable on LEDE anyways), then Guest Additions are unnecessary. I've never attempted to install the additions on a non graphical VM anyways.
Yes, apparently there is no need for them (apart from the VM memory sharing mechanism introduced recently, which only has meaning if running several VMs on the same host).
I am running a prototype of the setup, and I have noticed that there is a small chance that the eth interface numbering in the VM guest can change based on the virtualized hardware chosen and on the type (bridge, NAT, etc...). Is there any way to make them constant, based on something (like MAC)?
Is there any particular reason you need VLAN support between the VM and the host OS? I already described a setup which I "think" will work with the VLAN side completely handled host side.
I'd also seriously consider PCIe WiFi cards over USB; in my experience USB never has as good a range even with the same antenna. I suspect it's that they do not have amplifiers as good as PCIe cards. It's also a lot harder to find compatible chipsets.
Well, the main reason is logical assignment of the functions: I want the LEDE guest to take care of all the networking, including VLAN and WiFi management.
I know that WiFi USB sticks are troublesome, especially when it comes to AP mode, but I have found a dual band Ralink and 2.4 only Atheros 9k that work very very well, and since they are USB I can use them in VM.
I have prepared almost all the setup; unfortunately I have some trouble setting up all the required interfaces (including the fallback one) on the host.
This is the updated schema:
This scheme is the result of some elaboration, in order to maintain fallback connectivity in case the LEDE installation gets corrupted for some reason.
If this happens I will lose connectivity to the host also, since it gets its main networking from the LEDE VM itself.
So I have identified a dedicated net on VLAN4 that I can use to reconnect to the host and to investigate the LEDE VM. Also, if it is not completely dead, I can use the "mng" connection to enter the LEDE VM. This connection can also be used for configuration that affects the LAN/WAN zones, via some static rules.
You may say that the eth2-tap0 VirtualBox bridge is strange and that it could be implemented by another host-only network, but it is not possible, because the host-only network can be configured only with a static IP (and eventually provide a DHCP server) and not as a DHCP client. It is also not possible to set it to a static IP in the LAN network range (192.168.182.0/24), because then it would be problematic to add the default gateway rules, and it cannot be done at startup since the interface is created only when the VM is actually started.
This setup works except for a big issue in the Ubuntu ifup scripts: for some reason, if I set auto enp1s0 (renamed from eth0 via net-persistent rules), enp1s0.4 and tun0, what happens is that tun0 is not created automatically at startup! The /etc/network/interfaces file seems to be OK, because I can ifup the interface fine in a terminal, but it won't work at host startup for some reason!
Now I am locked out of my server (I need to go back home and connect it to a monitor); I will provide the interfaces file content soon, but @alexatkinuk do you know a possible reason for this behavior? I have read about a race condition (see here: https://lists.ubuntu.com/archives/foundations-bugs/2014-July/201623.html) in the VLAN interface automatic creation, but I have only seen problems with this tap interface!
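One way to express the host side of that layout in ifupdown syntax, as an added example that is not the poster's actual file: the LAN/WAN VLAN IDs 2 and 3, the 192.168.4.0/24 management range and the tap device name are assumptions, and the tap is created explicitly in pre-up rather than relying on it appearing by itself.

```conf
# /etc/network/interfaces on the Ubuntu host (assumed layout; VLAN IDs 2/3,
# the 192.168.4.0/24 management range and the tap name are assumptions)

auto lo
iface lo inet loopback

# Physical trunk port: no address on the host, it only carries the tagged VLANs.
auto enp1s0
iface enp1s0 inet manual
    up ip link set dev $IFACE up
    down ip link set dev $IFACE down

# LAN (VLAN 2) and WAN (VLAN 3) sub-interfaces: no IP on the host; they are
# only attached to the LEDE VM as VirtualBox "bridged" adapters.
auto enp1s0.2
iface enp1s0.2 inet manual
    vlan-raw-device enp1s0
    up ip link set dev $IFACE up

auto enp1s0.3
iface enp1s0.3 inet manual
    vlan-raw-device enp1s0
    up ip link set dev $IFACE up

# Management VLAN 4: static fallback address so the host stays reachable
# from the switch even when the LEDE VM is down. No gateway here, so the
# default route still comes from the LEDE VM via tap0.
auto enp1s0.4
iface enp1s0.4 inet static
    vlan-raw-device enp1s0
    address 192.168.4.10
    netmask 255.255.255.0

# tap0: host end of the eth2-tap0 bridge. ifupdown does not create tap
# devices by itself, so create it in pre-up and remove it in post-down;
# the host then takes its LAN address and default route from LEDE's DHCP.
auto tap0
iface tap0 inet dhcp
    pre-up ip tuntap add dev $IFACE mode tap user root
    post-down ip link del dev $IFACE
```

Because the LEDE VM is not yet running when the host brings tap0 up at boot, the DHCP lease on tap0 can only be obtained once the guest is up; bringing tap0 up from an ExecStartPre of the VirtualBox autostart service, as suggested later in the thread, is the alternative ordering.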
Unfortunately I'm not going to be any help at this point as this sort of headache is a big reason I stick with a dedicated router.
One thing I can suggest is to check if NetworkManager is running on the host, as I have had all sorts of problems with that trying to take over bringing up the network interfaces and it's just not as reliable in my experience as the traditional scripts.
I run Ubuntu Server, so no NetworkManager.
You are right, it is a troublesome setup, but I am working on it for the fun of experimenting
I have my router (actually it is a bananapi) that uses the same VLANs. So I can easily swap it, and to use the server host of the device it is enough to re-enable enp1s0 and quit the VM, so the server will work exactly the same as if it were getting connectivity from the LEDE VM!
I have written a post on ubuntuforums to see if they come up with some help. Another quick option is to ifup the tap0 interface in an ExecPre stage of the VirtualBox auto-startup service.
Hello Menion, question: how many physical LAN cards does your machine have?
One. That is the reason for the VLANs.
I gave a try to the monster here (with the trick explained for the interface bring-up). It works in the internal LAN, but internet access on the WAN has some problems: sites take a long time to show up, maybe some DNS issue, but it will require some troubleshooting.
Sorry for my suggestion - I know it will not be helpful regarding your VLAN questions. I have built a similar machine but with three physical LAN cards. If you are interested I will describe it in more detail.
You used VirtualBox as hypervisor?
Did you give the host connectivity via the LEDE guest or on a dedicated physical LAN?