I have a network of VMs, each one having a LAN IP address and a public IP address. They each have a 1:1 NAT map for public access via the public IP for HTTP, SSH, etc. I'm trying to figure out a way to restrict the LAN IPs from communicating with each other, but there are some cases where a group of LAN IPs will need to communicate.
I'm using pfSense as a firewall / router on a 192.168.0.0/24 configuration.
It seems like I could assign each VM its own subnet and add a static route to the firewall for that VM to get back to the firewall for internet access and other firewall rules. Is that right?
I assigned 1 VM with:
address 192.168.1.2
netmask 255.255.255.254
gateway 192.168.1.1
Then added a static route on the FW's LAN interface using 192.168.1.0/30 as the destination network and 192.168.1.1 as the gateway.
Nothing appears to be working, so does anyone have any ideas? Please be aware I'm not that familiar with subnets.
Thanks!
What OS are you running on the VMs? It might be easier to just use internal firewalls on the machines. That way you can pick and choose what addresses each VM responds to.
Mask = 255.255.255.254???? Take a look at this
The output is from my Subnet Planner.
I don't understand why you do this step:
"Then added a static route on the FW's LAN interface using 192.168.1.0/30 as the destination network and 192.168.1.1 as the gateway."
Create one VLAN per virtual machine or customer. Assign a proper network, /30 or larger. The first address is the network, the second would be the firewall's IP on that subnet, and the other (or the rest, up to the broadcast) are to be used by the VMs.
That's it; all you need is to add rules either for the VLAN interfaces or, if you prefer, for the IPs within the VLANs.
Most firewall rules use masks which work the same as subnet masks, but can be used to target multiple subnets, or blocks of IP addresses within a subnet.
So leave your gateways alone, but group your VM IP addresses together within your subnet so you can write masks that specify those VMs. You can target a single IP address with the mask 255.255.255.255. You can use a CIDR calculator to help you figure this out, or take a look at the IP allocation diagram in Gary A. Donahue's excellent Network Warrior book.
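As an added worked example (not code posted by anyone in this thread), the script below checks the subnet arithmetic the replies raise: whether the gateway 192.168.1.1 is actually on-link for a VM configured with mask 255.255.255.254 (a /31) versus a /30, how many addresses a per-VM /30 or /29 leaves after the firewall takes the first usable one, and how a firewall rule's address/mask pair matches a block of VM addresses or a single host. It uses only Python's standard ipaddress module; the 192.168.0.16/28 VM group and the addresses tested against it are constructed sample values, not the original poster's real layout.

```python
"""Subnet and firewall-mask checks for the per-VM layout discussed above."""
from ipaddress import ip_address, ip_interface, ip_network


def subnet_facts(addr_with_mask):
    """Describe the subnet an address/mask pair lands in.

    addr_with_mask may use a prefix ("192.168.1.2/30") or a dotted mask
    ("192.168.1.2/255.255.255.252"). For /31 and /32 there is no separate
    network/broadcast address, so every address is usable (RFC 3021).
    """
    iface = ip_interface(addr_with_mask)
    net = iface.network
    all_addrs = list(net)
    if net.prefixlen >= 31:
        usable = all_addrs
    else:
        usable = all_addrs[1:-1]          # drop network and broadcast
    return {
        "network": str(net),
        "prefixlen": net.prefixlen,
        "usable": [str(a) for a in usable],
    }


def gateway_on_link(addr_with_mask, gateway):
    """True if the gateway lies inside the host's own subnet, so the host can
    ARP for it. A gateway outside the subnet is unreachable and the default
    route never works, which matches the 'nothing works' symptom above."""
    return ip_address(gateway) in ip_interface(addr_with_mask).network


def vm_addresses_for(firewall_ip_with_mask):
    """Given the firewall's address on a per-VM subnet, list the addresses
    left for VMs: every usable address except the firewall's own."""
    facts = subnet_facts(firewall_ip_with_mask)
    fw = str(ip_interface(firewall_ip_with_mask).ip)
    return [a for a in facts["usable"] if a != fw]


def rule_matches(rule_addr, rule_mask, ip):
    """Emulate a firewall rule's address/mask match: the rule covers every
    address that shares the masked bits with rule_addr. A mask of
    255.255.255.255 matches exactly one host."""
    target = ip_network(f"{rule_addr}/{rule_mask}", strict=False)
    return ip_address(ip) in target


if __name__ == "__main__":
    # The poster's configuration: /31 mask with gateway .1
    print(subnet_facts("192.168.1.2/255.255.255.254"))
    print("gateway on-link with /31:",
          gateway_on_link("192.168.1.2/255.255.255.254", "192.168.1.1"))
    # The same VM with a /30, as the replies suggest
    print(subnet_facts("192.168.1.2/30"))
    print("gateway on-link with /30:",
          gateway_on_link("192.168.1.2/30", "192.168.1.1"))
    print("VM addresses in a /30:", vm_addresses_for("192.168.1.1/30"))
    print("VM addresses in a /29:", vm_addresses_for("192.168.1.1/29"))
    # Constructed sample: a group of VMs placed in 192.168.0.16/28
    print(rule_matches("192.168.0.16", "255.255.255.240", "192.168.0.20"))
    print(rule_matches("192.168.0.16", "255.255.255.240", "192.168.0.32"))
    print(rule_matches("192.168.0.5", "255.255.255.255", "192.168.0.6"))
```

Running it shows that with the /31 mask the VM's subnet is 192.168.1.2/31, which does not contain the gateway 192.168.1.1 at all, whereas a /30 puts .1 and .2 in the same network and leaves exactly one address for the VM once the firewall holds .1. The last three calls show the grouping trick from the previous reply: a /28-style mask covers the whole VM block, and a host mask pins a rule to one address.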