Proxmox virtual lab with NethServer


(Sgt_Wirehead) #1

Hi everyone,

I have been trying to set up a Proxmox virtual lab with NethServer at the head of the network.

I have these interfaces: Green (bridged to real LAN, currently working), Blue (virtual network, not working correctly), Red (connected to modem in its own DMZ, currently working).

I will be running web servers on the Blue interface. The issue is that I am not sure how to configure the reverse proxy or DNS for the Blue interface. I have followed the docs, but the web servers are unreachable in a web browser from the internet.

Red (192.168.1.4, 255.255.255.0)
Blue (172.168.1.1, 255.255.255.0)


(Giacomo Sanchietti) #2

The blue network is used to give access to guests to the internet, not for providing services to external world.

You may need an orange or an extra green network.

Please take a look at the firewall documentation and create the rules according to your needs:
http://docs.nethserver.org/en/v7/firewall.html#policy


(Sgt_Wirehead) #3

I guess I should ask then what the pros and cons of each are before I make a decision on which to use? I don’t want to compromise my real network on my other green connection either, if possible. I am very much a novice at this, so please bear with me if I am asking stupid questions. Thank you for replying also :slight_smile:

Let’s say I am using a green zone and have multiple servers that I want to accept web traffic (port 443, 80) with reverse proxy and DNS. Where and how do I do this? I have been reading the NS docs and trying to follow the examples as best I can, but when I do a website request externally all I get is the default NS page. Is there an actual guide for setting this up, or am I kind of on my own on this :frowning:


(Sgt_Wirehead) #4

Anyone! I am completely lost with this :sob:


(Jeroen Visser) #5

I would like to help, but I am unsure what you are trying to do, and how you connected your components.
Could you at least provide the default gateways for these interfaces, and explain how they are connected to the physical network?


(Sgt_Wirehead) #6

Hello Jeroen,
Any help would be greatly appreciated. Here is what my network map looks like.
NethServer is sitting in the modem’s DMZ to allow bidirectional communication to the outside world.
I need help with the reverse proxy and DNS; then I can move on to setting up NethServer as an email server for each webserver.


(Rob Bosch) #7

Some things are not clear (to me)

  • Why do you draw a green and a red line from modem/router to switch, from switch to Proxmox, and from Proxmox to the NethServer VM? Are those supposed to be red and green interfaces?
  • Do you intend to have NethServer as a gateway for your webservers? If so, then you should have a different subnet on the green/internal interface of NethServer than you have on the red/external interface of NethServer. As you have it now, the NS red interface is correct: in the 192.168.1.0/24 subnet.
  • Do you use the Proxmox firewall?

If you want your webservers to be accessible from the outside, you need to port forward the ports those webservers are listening on (probably 80 and 443) to the external IP of NethServer (192.168.1.4). Then NethServer needs to be configured as gateway with red interface 192.168.1.4 and a green interface in another subnet (for instance 192.168.2.4/24). Your webservers will get an IP address in the 192.168.2.0/24 range with another IP than the green interface of NethServer.

Have a look at previous topics about snat routing: https://community.nethserver.org/search?q=snat


(Sgt_Wirehead) #8

The green line there is for management of Proxmox; feel free to ignore it, as it’s not in use by the virtual network. I was just trying to be detailed. NS will be the gateway for all Proxmox VMs. The Proxmox firewall is disabled globally. What subnet will give me the most webservers? Not that I am running a lot.

I don’t understand the SNAT either, I’m afraid, Rob.

Complete noob here with setting up something this complex.


(Rob Bosch) #9

The most would be a class A subnet, but you probably don’t need more than a class C network.
More info on subnets: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
or http://ipprimer.com/#/
A default class C (or /24) network would give you 253 IP addresses to use for webservers. (Last digit as 0 is rarely used, 255 as last digit is for broadcast, and your NethServer needs 1 IP address in the subnet too, so you are left with 256 - 3 = 253 free addresses.) That should be sufficient… :wink:


(Sgt_Wirehead) #10

OK, I will meet you halfway on the subnet to keep it separate from the red gateway, so that would be class B. Will that be suitable, Rob? I can go with whatever is recommended though.
Just tried a class B of range 172.16.0.0 - 172.31.255.255 and got the error:
The IP address is outside the network range.

http://www.vlsm-calc.net/ipclasses.php

I will stay with the 192.168.2.4/24 in your example.

I will leave the IPs as is and move on to whatever the next step is.

(Who is watching the football, Spain vs Russia? :grin: I’m trying to work and can’t stop getting distracted by the game.)


(Rob Bosch) #11

To make it a bit more fuzzy :stuck_out_tongue: You can perfectly create a C class subnet in the B class range. It is all about the subnet mask.
If you use a subnet mask of 255.255.255.0 (or /24 in CIDR notation) you will end up with a 256 bit subnet (i.e. 256 IP addresses in the subnet).


(Sgt_Wirehead) #12

So I am assuming this will be fine…?!

eth1


(Jeroen Visser) #13

Actually, it isn’t. Your server has an IP that is inside the DHCP scope. That means you will get IP conflicts.

From your earlier drawing, a few questions:

  1. Based on this drawing, it looks like your webserver 1, 2 and 3 are virtual machines on the NethServer. Is that correct?
  2. Why does your Proxmox have 2 IPs?
  3. Could you elaborate on the IP ranges marked 'All below with i.p. ranges from 192.168.1.100 to 192.168.254', given that you use 192.168.1.180 and 181 to the right?
  4. What exactly do you need to reverse proxy from where to where in this network diagram?
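
The addressing rules raised in posts #7 to #13 (red and green in different subnets, static addresses outside the DHCP scope, 253 free addresses in a /24) can be checked mechanically. This is an added example, not part of the thread and not NethServer code; the DHCP pool bounds and the `web1` address are constructed, since the thread only shows them in screenshots.

```python
import ipaddress

# RFC 1918 private ranges; anything else on an internal interface is public space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(red, green, dhcp_start, dhcp_end, servers):
    """Return a list of problems in a two-interface gateway addressing plan.

    red/green are 'ip/prefix' strings, dhcp_* bound the pool served on green,
    servers maps a name to the static IP of a machine behind green.
    """
    problems = []
    red_if = ipaddress.ip_interface(red)
    green_if = ipaddress.ip_interface(green)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)

    if red_if.network.overlaps(green_if.network):
        problems.append("red and green are in the same subnet")
    if not any(green_if.ip in net for net in RFC1918):
        problems.append(f"{green_if.ip} is not in an RFC 1918 private range")

    static = {"gateway": green_if.ip}
    static.update({n: ipaddress.ip_address(a) for n, a in servers.items()})
    owner = {}
    for name, ip in static.items():
        if ip not in green_if.network:
            problems.append(f"{name} {ip} is outside {green_if.network}")
        if lo <= ip <= hi:
            problems.append(f"{name} {ip} is inside the DHCP pool")
        if ip in owner:
            problems.append(f"{name} {ip} duplicates {owner[ip]}")
        owner.setdefault(ip, name)
    return problems


def free_hosts(green):
    """Addresses left for servers: all minus network, broadcast and gateway."""
    return ipaddress.ip_interface(green).network.num_addresses - 3


if __name__ == "__main__":
    # Constructed plan: pool bounds and web1 are sample values, not from the thread.
    print(check_plan("192.168.1.4/24", "192.168.2.4/24",
                     "192.168.2.100", "192.168.2.200", {"web1": "192.168.2.10"}))
    print(free_hosts("192.168.2.4/24"))
```

Run against the Blue address from post #1 (172.168.1.1/24), the check reports that it lies outside the private 172.16.0.0/12 block, while a /24 such as 172.16.5.1/24 inside that block passes.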

(Sgt_Wirehead) #14

Q 1: Yes, they are VMs, but on Proxmox. NethServer is a VM as well.
Q 2: One is for the NethServer pass-through to the modem in its own DMZ, the other is for Proxmox management and backup transfers to the backup server. (NO firewall is enabled on any interfaces or VMs on Proxmox.)
Q 3: This is a private internal network and is functioning as intended. It includes the Proxmox backup storage server and should not have any effect on what’s happening in the virtual environment. I just included it to be a detailed map.
Q 4: Just need all webservers to be public facing (live on the internet) and thought reverse proxy would be the way to go, but am open to suggestion. They’re using DynDNS host-names.

In short, I just need multiple public facing webservers at this stage.

So what would be outside the DHCP scope 192.168.2.0?

If this helps, here is my virtual network without all the other confusing parts.

My_Network_virtual


(Sgt_Wirehead) #15

Hmmm… must be a lot of :soccer: fans out there.

Don’t fear the :penguin: and don’t underestimate the power of Linux.

:sleeping:


(Jeroen Visser) #16

You seem to be overcomplicating. If your Proxmox host is beefy enough to host 4 virtual servers, host 4 virtual servers on it. You can then only create firewall rules for your NethServer and set up reverse proxy on it to the 3 webservers that are also on the Proxmox host. That seems to meet your goals without putting an extra network between them, and creating a really messy situation that almost nobody will be able to intuitively grasp. Never make yourself unmissable.

With just NethServer exposed, and the others unlocked through reverse proxy, you only need one DynDNS address (to your NethServer).

What you didn’t tell yet is if these websites are all on the same domain or not … if not, I’m not sure I would know how to configure that.

From the picture with the NethServer IP, that address is in the DHCP scope. That means it can be given to clients as well.

If there is not a really good reason for dual virtualization, just host all servers on the Proxmox host. They can then all use the same internal DNS, the same gateway, and you will save yourself a lot of headaches.


(Sgt_Wirehead) #17

Hi Jeroen,

They’re all different domains, for example site1.ath.cx, site2.dyndns.org, site3.dyndns.biz, and not dual virtualized. If I use just the modem as DNS and the same gateway, I can only run 1 website at a time, hence wanting to use NethServer as the head of the virtual network, to allow more than 1 webserver.

So for me, pointing the modem to the NethServer with server1.ath.cx is not a problem; that works and I get the default NS webpage. I don’t know how to configure reverse proxy or the port forwarding within NethServer. I have tried, but all I get is the default NS webpage, hence why I am here asking for help.

I need to make a start somewhere, so here are my two interfaces eth0 and eth1 currently. If there need to be changes, please advise. Let’s get this right so I can move on. :weary:

eth1 settings

eth1_settings_1

eth0 settings


(Rob Bosch) #18

Another thing: on your GREEN interface you do not set a Default gateway. Just leave it blank. (your GREEN interface is the default gateway for your webservers in the situation you describe)


(Sgt_Wirehead) #19

Ah… OK, done.

Thank you Rob :grinning: that was most helpful.

eth1_settings_2

I probably have lots of these types of mistakes around. Is there anything more there to change, or can we try setting up 1 webserver now, as shown in my small network map: webserver1.ath.cx on 192.168.10?


(Sgt_Wirehead) #20

So I have tried with the reverse proxy again and now am not even getting the default NethServer page. Instead I am getting:

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Not sure what needs configuring from here.

Do I have to add firewall rules or port forward rules for every web server, and how and where, please?
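
The setup discussed in posts #16 to #20 (one exposed gateway, several DynDNS names, webservers behind it) relies on name-based reverse proxying. The following is an added Python model of that routing decision, not part of the thread and not NethServer's or Apache's configuration; the hostnames are the examples from post #17 and the backend addresses are constructed. It shows the three outcomes such a proxy can produce, including the default page and the 503 reported above.

```python
import http.client

# Hypothetical rule table: public name -> (backend IP, port) behind the gateway.
# The names are the examples given in the thread; the backend IPs are constructed.
RULES = {
    "site1.ath.cx": ("192.168.2.10", 80),
    "site2.dyndns.org": ("192.168.2.11", 80),
    "site3.dyndns.biz": ("192.168.2.12", 80),
}


def normalise_host(host_header):
    """Lower-case the Host header and drop an optional :port suffix."""
    return host_header.strip().lower().split(":")[0]


def proxy(host_header, path, rules=RULES, timeout=2.0):
    """Return (status, body) as a name-based reverse proxy would.

    All public names resolve to the same external IP, so the Host header is
    the only thing that tells the proxy which backend the client wants.
    """
    backend = rules.get(normalise_host(host_header))
    if backend is None:
        # No rule for this name: the proxy host serves its own default site.
        return 200, b"default page of the proxy host"
    conn = http.client.HTTPConnection(backend[0], backend[1], timeout=timeout)
    try:
        # Pass the original Host header on so the backend picks the right vhost.
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (OSError, http.client.HTTPException):
        # Rule matched but the backend is down, mis-addressed or filtered.
        return 503, b"Service Unavailable"
    finally:
        conn.close()
```

A default page therefore points at the name-to-backend rule not matching, while a 503 points at the path between proxy and backend: the backend's IP and port, whether its web service is running, and any firewall rule between the two.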