Void's Forums

[Void Main]

Ok, I've been having a ball configuring my OpenWrt routers and doing some cool stuff with VLANs, bridges and trunks on both the WRTs and on a regular Linux host running kvm based virtual machines (previously VMware). I wrote up a document roughly describing my home network along with the configuration of the kvm host and the WRT routers:

http://voidmain.is-a-geek.net/redhat/vlan/

"wrt1" acts as my main firewall (running OpenWrt + shorewall) and I have it divided into 3 vlans. I have vlan 1 which is the WAN (public) zone that faces the Internet and connects to the DSL modem. I have vlan 2 which is the DMZ and contains my web and mail servers. I have vlan 0 which is the LAN (private) zone that my user desktop/laptops connect to.

I just recently bought a Quad Core AMD processor and motherboard with 4GB of RAM (all for $199) from Tiger Direct and I decided I had enough resources I could virtualize a couple of my older machines. I decided to move my mail server into a virtual machine guest and an XP guest (don't really have a need for it but it's there for testing).

The mail server is in the DMZ and the XP instance needed to be on the private LAN side so initially I installed them in VMware server 2.0 and ran two network cards. I trunked the VLANs from the main firewall WRT downstairs to the WRT upstairs where my desktop is. I ran two network cards in the desktop, one on a DMZ port for the mail guest and one on a LAN port for the XP guest. I really wanted to run one physical network card plugged into a trunk port and split out the VLANs on the Linux host for the two guests. I couldn't figure out how to make VMware do that and there is nothing in the documentation about it.

I really wanted to use kvm/qemu/libvirt for my virtual machines instead of VMware but I had trouble getting it running at first and caused me to go to VMware. Well, after getting some time to learn more about kvm and figure out where I went wrong I decided to switch the guests over to kvm. You can even convert the disk image from VMware format to qemu format using the qemu-img command that is included with qemu.

Not only could I easily migrate my guests from VMware to kvm/qemu but I could get both DMZ and LAN connectivity to them over one cable from the host to the WRT. I just trunked DMZ/LAN to the port the KVM host was set up on, then created the vlan interfaces eth0.0 (LAN) and eth0.2 (DMZ) on the host. I created a bridge br0 which is used to bridge eth0.0 (LAN) with the interface on the XP guest and bridge br2 on eth0.2 (DMZ) with eth0 on the mail host.

I have all (most) of the configurations at the bottom of the page that I linked at the top of this post.

What I really need to do is find another one of those $199 deals and move my entire DMZ into guests on that server.

[Master of Reality]

That is a crazy deal. Crazy.

[ichilton]

Hi,

This is really cool - exactly what I was looking to do (though with not so many WRT's!) - thank you for posting the config files and diagram.

I have a question though....

If you look at the config file - http://voidmain.is-a-geek.net/redhat/vl ... rk.cfg.txt and the diagram, you seem to be using the "eprt"'s in the config rather than the "iprt"'s.

Should the openwrt config not use the iprt?

Thanks,

Ian

[Void Main]

It depends on which router you are referring to. For whatever reason on some WRTs the internal and external ports are mapped in the same order:



and on other WRTs they are mapped in reverse order:

[ichilton]

Hi,

Oh - that's odd!

Do you still have that setup then?

What was your reason for using all the WRT's and not fewer, bigger, managed switches? - just because you had them around?

Thanks,

Ian

[Void Main]

Bigger managed switches are more expensive and they are usually loud, and they don't run Linux of course (well most don't). I don't need 24 ports in one location, I need a few ports in several locations, and the WIFI range can be extended. For me these WRTs are the most appropriate for the job. They are also useful for much more than just switching. Since they run Linux the possibilities of what you can do with these things are enormous.

[ichilton]

Good points!

Do you still run the same setup?

[Void Main]

It's roughly the same. Also running 6in4 IPv6 tunnels from Hurricane Electric on the WRT running my Shorewall firewall.

[ichilton]

Interesting! - have you written about / documented that anywhere?

Thanks,

Ian

[Void Main]

Talk a bit about it here:

viewtopic.php?f=7&t=2332

[ichilton]

Cool, thanks!