<div dir="ltr">Gilberto,<br><div><br></div><div>I believe I have a similar setup as yours (only have 1 public IP assigned to router instance running in KVM).</div><div>Make sure that your hardware node is not accessible from the public address, only the router/firewall should have the private address or you open up a security nightmare. As long as you have out of band access (iLo, DRAC etc) the hardware node should be only reachable from the NATed internal network (ie. a bastion host you log into first), and it should have access to the internet though the router/firewall instance.</div>
<div><br></div><div>Also <span style="font-family:arial,sans-serif;font-size:13px">172.172.10.254 is not within the RFC1918 range (it's actually an AOL address that is assigned), so if that's supposed to be an internal network, make sure to use one within the correct range: </span><font face="arial, sans-serif"><a href="http://en.wikipedia.org/wiki/Private_network">http://en.wikipedia.org/wiki/Private_network</a></font></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 6, 2014 at 11:13 PM, Gilberto Nunes <span dir="ltr"><<a href="mailto:gilberto.nunes32@gmail.com" target="_blank">gilberto.nunes32@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks guys...<div><br></div><div>I will change the configuration... As I said, "newbie question"... </div>
<div><br></div><div>Thanks a lot</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2014-03-06 17:04 GMT-03:00 Alain Péan <span dir="ltr"><<a href="mailto:alain.pean@lpn.cnrs.fr" target="_blank">alain.pean@lpn.cnrs.fr</a>></span>:<div><div class="h5"><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Le 06/03/2014 19:29, Gilberto Nunes a écrit :<div><div><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am using PVE here and host has two NIC, one for LAN and one for WAN, like that:<br>
<br>
eth0 - 172.172.10.5<br>
<br>
eth1 - 200.201.299.299 -------- > THAT'S THE WAN CONNECTION<br>
<br>
<br>
Ok...<br>
<br>
Now I install a VM under PVE that is a Firewall...<br>
<br>
And this Firewall has two nic too...<br>
<br>
Like that:<br>
<br>
eth0 - 172.172.10.254<br>
<br>
eth1 - 200.201.299.299 --------------> THAT'S THE WAN CONNECTION<br>
<br>
As you can see, I set the IP for eth1 twice: one for Proxmox Host and one for VM host...<br>
<br>
I don't know if this is a good practice...<br>
<br>
What the adviced for that??<br>
<br>
</blockquote>
<br></div></div>
No, that's a bat idea, as said previously by Gerald. You only need to assign an IP address to a NIC if you want to have access to your proxmox server using this address. That's good for eth0, it is your LAN, the one you use to manage your Proxmox server. But I don't think you plan to access your server from the WAN, that is Internet ? That would be a big securuty risk...<br>
<br>
You don't need any IP address on eth1. Just create a new bridge, vmbr1, and assign it to eth1. Then your VM can have the IP address 200.201.249.249 (299 is not an allowed value for an IP), and you connect the second NIC of your VM (its eth1) to this bridge, and the first to vmbr0 (that is eth0 of the server).<br>
Just give your VM eth1 network parameters with as gateway the IP of your router for the WAN, and make sure it is accessible on your switch (VLAN perhaps...) to eth1 (server).<br>
<br>
But I am not sure it is a good idea to use a VM as a firewall. You want to protect your LAN ? Where is your router ? Your firewall should be between your router and the WAN.<span><font color="#888888"><br>
<br>
Alain</font></span><div><div><br>
______________________________<u></u>_________________<br>
pve-user mailing list<br>
<a href="mailto:pve-user@pve.proxmox.com" target="_blank">pve-user@pve.proxmox.com</a><br>
<a href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user" target="_blank">http://pve.proxmox.com/cgi-<u></u>bin/mailman/listinfo/pve-user</a><br>
</div></div></blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>Gilberto Ferreira<br>
</font></span></div>
<br>_______________________________________________<br>
pve-user mailing list<br>
<a href="mailto:pve-user@pve.proxmox.com">pve-user@pve.proxmox.com</a><br>
<a href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user" target="_blank">http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Cheers,<br>Peter Sarossy<br>Data Center Operations - Google inc.
</div>