Could a KVM virtual firewall work?

Mon, 03/02/2009 - 01:00 — dgoodwin

Anyone know of a reason why a setup like this *wouldn't* work: three physical network interfaces, bridges created for all three but two reserved exclusively for a guest operating system, the host won't even use them. Run cable modem into one, connect the other to uplink on a wireless router, run a cable from there back into the third interface for the host operating system.

Seems to me is should be doable but before I go break the bank on a $15 USB ethernet adapter (only have room for one more NIC on the motherboard) I thought I'd check. :) I guess the big question is around the bridged interfaces, must they have an IP assigned on the host? Hrm.

I'd kind of prefer having something I could control/monitor as my first line of defence as opposed to the cheap wireless router I use today, preferably OpenBSD, but I'm too cheap to run physical hardware 24/7 for something so small. I also need to keep all my home systems behind that wireless router, otherwise I can't get UPnP out on the wifi where the PS3 current resides. If I could get it up and running in a guest that sits in front of it all it would really be ideal, and arguably just as secure.

Suggestions? Thoughts?

Next day update

Regarding my last post, I did actually get this up and running today, but unfortunately as soon as any traffic started moving the network seems to just fall apart. I tested by starting a ping against google.com on the OpenBSD guest connected straight to the open internet. Then I started another on the host OS pinging the IP assigned to that OpenBSD guest's internal interface. (so technically all the traffic is using the same bridge)

The pings are fine until I start doing something, in this case I fired up an ssh to an external system and just repeating a key causes everything to suddenly stop transferring, the internal ping spikes way way up to over 5 seconds and the ssh session stops responding. (meanwhile the external ping stays constant) Eventually a little data starts moving again but a spike will happen every few seconds and indeed the connection is all but useless.

Quite possible I just botched something on the networking side (although not sure how likely as the NAT was actually working). Mostly I think it's probably a failed experiment for the time being as I probably don't have the required networking skills to debug what's wrong. :)

dgoodwin's blog

Comments

Post new comment

Your name: *

E-mail: *

The content of this field is kept private and will not be shown publicly.

Homepage:

Comment: *

Input format

Filtered HTML

Web page addresses and e-mail addresses turn into links automatically.
Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
Lines and paragraphs break automatically.
You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <bash>, <c>, <cpp>, <java>, <python>. Beside the tag style "<foo>" it is also possible to use "[foo]".

Full HTML

Web page addresses and e-mail addresses turn into links automatically.
Lines and paragraphs break automatically.
You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <bash>, <c>, <cpp>, <java>, <python>. Beside the tag style "<foo>" it is also possible to use "[foo]".

More information about formatting options

CAPTCHA

Sorry for the inconvenience but spam bots really suck. Are you a real person?

What is the fifth word in the phrase "lonuba xaya omil fites lawupa"?: *

rm-rf.ca

Projects

Recent blog posts

Links

User login