[OOTB-infra] connecting to internal server

Martin Cosgrave martin at ocretail.com
Tue Feb 17 20:02:36 GMT 2015 

Redirecting conversation back to the list again, please can we keep this 
as the default.

On 17/02/15 19:56, Heiko Robert wrote:
>
> Am 17.02.2015 um 17:28 schrieb Martin Cosgrave:
>> On 17/02/15 17:03, Heiko Robert wrote:
>>> Hi Martin,
>>>
>>> most virtualisation servers like VMWare handls/encapsulate the VMs 
>>> in a sandbox without any shared resource, network between the 
>>> management server and VMs (baremetal concept). The linux embedded 
>>> virtualisation frameworks like KVM, Vagrant are not so strict and 
>>> run inside a full blown OS and may not so focused on hosting 
>>> enterprise apps rather than getting easy virtualisation for linux 
>>> admins on any hardware. So you should keep this in mind when 
>>> accessing the ootb environment. You can get only network access to 
>>> the internal network using the interface of a VM. In our case it's 
>>> gw1 for direct access from the internet or the internal address via 
>>> VPN (which is routed thru gw1).
>>
>> OK so if one has access to the esx box via ssh, that's for 
>> controlling and inititating vms. But from there you can't get access 
>> to the network hosted by the VMWare host. So each time I make a new 
>> VM I have to also go into pfsense and set up port forwards etc.
> I think this shouldn't be the default. This is as if you try to to 
> expose any computer in a company network to the public internet. This 
> should be the exception.

I totally agree, I was speaking from a standpoint of my not being able 
to use the VPN.

I believe you have confirmed that the VPN connection no longer forces 
traffic through the bee network, so I am able to test that again, 
however I have not as yet.

> Default should be to access a VM thru VPN and to expose http thru 
> reverse proxy. I don't see a need to expose every VM to the public or 
> to expose many VMs to the internet. If you need a playground with 
> lower security we may setup a different subnet for that but this 
> doesn't answer how to make this secure and monitor against attacs from 
> outside. If you need to reset VMs I wouldn't create VMs at all. Just 
> return to a saved snapshot with a single command and you're done. So 
> why not setting up the 2,3,4 or whatever VMs you need and keep them?
I don't want to expose every VM to the public I am just trying to get 
things done.


>>
>> You know what would be really great? If the ESXi box could join the 
>> pfsense VPN, then we could just join a VPN without any funky routing 
>> stuff going on and be able to see the ESX management ports from our 
>> local networks.
> I'll try this when I mentioned "tweaking" VPN routing

Great, it would be the best solution as far as I can see.


>>
>> Alternatively how would you feel about connecting one of the boxes 
>> inside the bee infra into my own vpn? It probably wouldn't solve all 
>> my issues but I would have an easier route for a lot of things.
> I normally use a similar aproach using ipsec but this may also be 
> configured/used with OpenVPN server peer config (which the intit.d 
> scripts are meant to be used for). This allows to define clear 
> firewall rules what can be seen in which direction for that client. 
> But I only set this up with machines which are locked in a server room 
> to allow automatic connection. So I would recommend to use the 
> previous variant, but Ole may decide.
Ole's boss may decide I guess you mean. I suppose that he or she would 
be happy with us using the system in a responsible way. Whether that 
requires being "locked in a server room" is another question. Personally 
I think not, you should imagine that any person involved is responsible 
enough to report a loss of equipment as a key breach.

>>
>>>
>>> There is no way to connect to the internal network from the esx 
>>> embedded system itself because there is no internal interface by 
>>> design. That's a feature, not a restriction ;-)
>> You may have to explain that one to me.
> You mean the feature? This means VMs run normally in the dmz but the 
> management interface is normally bound to a separate network card 
> which is bound to the intranet. In this case there is no chance to 
> access the management port from the dmz/from a VM even if there are 
> bugs or leaks.

Is this the behaviour by default or something you have chosen to implement?

>>
>>> Connecting to the esx IP is for managing host services only like 
>>> backup/recovery, copying or manipulating VM config resources 
>>> directly, calling services commands from a ssh shell.
>>>
>>> Again: try to forget the esx1 address and work with the gw1 address. 
>>> Only use gw1 for connecting from vShere Client or from VMWare 
>>> Converter or ovftool command line tool
>>
>> you say 'again', it's the first time I've heard that you have to 
>> connect to gw1 to use the client. Have you never heard of the 
>> principle of least surprise? Wouldn't it make sense in this case to 
>> connect to the 'esx1' host to use the esx ports? No wonder I was not 
>> able to connect with any tools I tried. >.<
> vmware tools trying to connect the esx management services need to 
> connect to the esx1 ip/ports and may require to work around firewall 
> rule in our setup
> ssh clients trying to connect to vms should allways use the gw1 ip
> 'again' is meant to the previous mail

apologies, you made a correction regarding the esx1/gw1 confusion

>>
>>>
>>> A new VM should be configured to use dhcp and you could forward 
>>> ports to the internal IP from the gw1 address in case you really 
>>> need to access a port from the internet.
>>
>> OK so your base VM has dhcp set, when I create a new VM I am going to 
>> have to go to pfsense and look at the dhcp leases to find out what 
>> the new address is, a bit awkward but I guess manageable.
> hey man, what is your suggestion? This is just the easy to manage 
> version in long term. You could always set static ips but this will 
> get troubel since people are not good in keeping track on the IP docu.

I am just stating for the record, that is to help Lanre's documentation, 
what needs to be done to get a VM up in this scenario. You may have 
responded, "no Martin you can do 'vm-info what-is-the-ip <vm id>'" which 
could have been helpful but since you didn't I presume there is no such 
command. Since you ask, what I would really like is an interface which 
lets me set the IP address as well as disk and memory etc. No worries 
I'm sure we'll get there.

>>
>>
>>> If you want to predefine IPs you can configure this in the guest VM 
>>> (we need to document and define static ip ranges) or better you add 
>>> MAC address to fixed IPs using the pfsense user interface: 
>>> https://pfsense.ecm4u.intra/status_dhcp_leases.php --> just click on 
>>> the (+) sign and define IP and name.
>>
>> I don't mind configuring networking from inside the guest but I need 
>> to connect to it first :-P
> This is beeing done from the vShere Client on the console, but I would 
> vote for the dhcp version since this will always be documented and 
> consistent.
>>
>> I guess I need to connect to it to find out its mac address too.
> you don't need to know the mac address. When you set up servername in 
> the console everything should be done. As long there are free 
> addresses in the dhcp pool your vm will get the same address (if not 
> statcally mapped)

"better you add MAC address to fixed IPs using the pfsense user 
interface" - this is the only reason I thought I might need the mac address
>>
>>>
>>> Heiko
>>>
>>> P.S.: I cc'd lanre and Ole to share the knowledge
>>
>> I added the list, couldn't see anything sensitive within. Redacted a 
>> couple of port numbers.
> Unfortunately I just read this at this moment because I try to answer 
> your mails durch my job and I read mails from back
> Fortunately I use a different email address for our internal 
> communication (and don't want this email on the list). The list send 
> me a notification waiting for approval but I revoked.

Unfortunately it seemed to make it to the list, perhaps Lanre is 
approving them, when I looked it was not pending. I think the messages 
you sent made it to the main list.

Martin

>
> -- 
> Heiko Robert [heiko.robert at ecm4u.de]
> Consultant / Geschäftsführender Gesellschafter
>
> ecm4u GmbH
> http://www.ecm4u.de
> Hölderlinplatz 2b
> 70193 Stuttgart
>
> t: +49 (711) 912775-72
> m: +49 (176) 347475-72
> f: +49 (711) 912775-80
>
> ecm4u GmbH - die IT in Prozessen einfach sinnvoll nutzen
> Handelsregister: Amtsgericht Stuttgart HRB 734004, Geschäftsführung: Heiko Robert

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.xtreamlab.net/pipermail/ootb-infra/attachments/20150217/30a0fdf4/attachment-0001.html>

More information about the OOTB-infra mailing list