Hi, I'm currently using OpenWRT (19.07.2) on my Netgear WNDR3700(v1, architecture: Atheros AR7161 rev 2) and I two LAN Interfaces, LAN (bridged with WAN access, connected to VLAN eth0.1 & wlan0) & ZAN (bridged without WAN access, connected to VLAN eth0.2 & wlan1).
I have setup a server which is running virtualbox with multiple VM's (they all have bridged adapters so they are accessible from other pc's) and I have static IP addresses set for all of the VM's in OpenWRT.
Scenario:
I really would like to have the Server connected via Ethernet to the LAN interface (so it has internet access for updates and remote SSH) and all of the VM's connected to the ZAN interface (so they don't have internet access, can't communicate with the server and are only accessible to users that are connected to ZAN via wifi or ethernet).
Reality:
My problem is that if I connect the server to LAN, all of the VM's will have IP addresses on the LAN interface instead of ZAN (even when I set static IP addresses in OpenWRT for them to be in ZAN). This way they have internet access, can communicate with the host and are on the wrong network. If I connect the server to ZAN, all of the VM's get ZAN IP addresses, but the server has no internet access and VM's can communicate with it.
Is there a way to connect server to LAN and all of the VM's to ZAN, without connecting the server via ethernet to ZAN interface?
(EDIT: forgot to mention that the 'server' is actually a gaming pc, running ubuntu server with one ethernet port).
Hi, thank you for responding to my question. Two physical interfaces should probably do the trick, but I forgot to mention that the 'server' is actually a gaming pc, running ubuntu server with one ethernet port on the back. Would it still be possible to do all of that using one physical interface?
logical separation only using true static addresses ( not reservations )
or via making your wired link a trunk so it can carry multiple tagged VLANs. That would require reconfiguring openwrt
or via multiple gre tunnels within host bridges or similar
Option one is the simplest and clearest albeit somewhat insecure as separation is purely logical. And at the openwrt end... terminating the VLAN's on the switchports would likely need to be changed into a common L2 segment.
Either way... wait to see what others have to say... Depending on your hostOS/ethernet-driver-features... you may be able to run the VM frames tagged... and the HOST frames untagged/or also tagged...
I wouldn't mind reconfiguring OpenWRT, but I don't know how to accomplish this. Could you maybe point me in a direction?
My host OS on the server is Ubuntu Server 18.04 and the VM's have different OS's ranging from Win server 2012, Win10 PC's, multiple smaller Ubuntu Servers and other linux distros.
I'm happy to track down some good resources and guide you with the config.
Configuring this type of setup can be a real pain without an additional out of band NIC for the HOST. The openwrt side is fairly easy surprisingly ( any posts here that discuss multiple VLANs on a trunk will help you with that )... But when fiddling around with the host bridges, it's very easy to lose connectivity... so having good skills to be able to quickly revert / modify interfaces, vlans and bridges is a lifesaver.
Anyway... you can google "VirtualBox Bridge Guest to VLAN" while others have a chance to reply...
attempt1
#1 ONHOST
ip link add link enp0s25 name enp0s25.50 type vlan id 50
ip link set dev enp0s25.50 up
#2 In VirtualBox change bridge for a VM to interface enp0s25.50
#3 In Openwrt
-Go to switch... add vlan 50 tagged on same port as pc/server + cpu1
-Go to interfaces... add interface... eth1.50 192.168.50.1 etc. etc.
So far I got step #1 and #2 working (my ethernet interface was called eno1 so I have used your commands but replaced enp0s25 with eno1 and it showed up in virtualbox, so that's great).
As for the switch, I have the server plugged in to LAN 4, but should it be tagged on both VLANs? and what about the CPU? I just started learning about VLANs and I don't really know how which (tagged or untagged) I should use for what if running multiple VLANs.
While running this configuration I got an IP on LAN and WAN access for the server, but when starting the VM with the new bridged adapter (eno1.50 showed up on the bridged adapters list) I get the error: Nonexistent host networking interface, name 'eno1.50'. Do you know how I could fix that?
Nope, you can leave it and leave it "native" aka "untagged" then at openwrt it will hit the untagged native VLAN... or you can run it tagged... but try that later...
Yeah, thought they have only 1 cpu... same as your lan so in your case cpu0 ( correct )
ip link set dev eno1.50 up
or
ifconfig eno1.50 up
? ( if you used systemctl it would have trashed the non-persistent commands we used )
Dude, I really want to thank you for your time and help. I am looking at the Active DHCP leases and the VMs are getting an IP address on ZAN while the server is working on LAN as it's supposed to be.
Don't forget to add that vlan interface (eno1.X) to the typical "ubuntu" network config files to make it persistent on reboot.
Later on... keep LAN untagged... for your "server" it's safer... then add a separate tagged network for other VM's if you need one ( i.e. "SPARE"/60 ) and the rest is just messing around with the general routing / firewalling rules as need be.
Wait, so if I would turn off the server at the moment eno1.50 would get lost? Could you maybe guide me on how to make this configuration with eno1 and eno1.50 persistent in the network config files? I have already set a static IP in OpenWrt for the server (eno1 with LAN IP address) and VMs (eno1.50 with ZAN IP addresses).
Hi, I've tried this method, but even after following the whole guide from the link I couldn't get the interface to be persistent. I've found a thread describing my problem and adding the commands below (with the right names) to the /etc/rc.local file of the server did the trick.
good job...