IP address requirements for Xen VM install of SLES and OES

I have a pretty unusual network setup due to my static IPs being on a Uverse DSL connection. Basically you are stuck using the router they provide and there is only one model that even halfway supports static IP addresses. The only way to actually use them is to set up a public DHCP server with the 5 usable addresses you get. You also need to set up a private DHCP server and tell it to use the private one so it doesn’t give your static IP address to any machine. Then to actually use the static IP addresses you have to assign them to the machine directly. No IP map, no NAT, just give the machine the address. I know it’s crazy but that is the only way to do it. So basically what I have is 3 existing servers taking up 3 of the 5 static IP addresses and each also having a 192.168.x.x address as well, which leaves me with only 2 global (but plenty of local) IP addresses left for servers. So what I need to know is what actually needs those global IP addresses. If both the SLES 11 host and the OES 11 client do then I’m out of IPs for anything else and it would seem actually going with a VM setup would be a waste at that point. If not then what does actually need the global IP and how would you configure this/what would the setup look like? Machine does have 2 network cards.

FUBAR wrote:
[color=blue]

I have a pretty unusual network setup due to my static IPs being on a
Uverse DSL connection. Basically you are stuck using the router they
provide and there is only one model that even halfway supports static
IP addresses.[/color]

This part is not unusual. Many ISPs insist on their customers using
the router/modem they provide.
[color=blue]

The only way to actually use them is to set up a public
DHCP server with the 5 usable addresses you get.[/color]

You lost me here. What you are describing makes no sense at all.

A common configuration used by some ISPs is to provide a subnet of 8
IPs: one broadcast, one for the gateway, the primary one assigned to
your server (used for routing), and five additional ones. Is that what
you have? Are the IP addresses consecutive or are they random IP
addresses that are part of a large subnet? What is your subnet mask?
[color=blue]

You also need to set
up a private DHCP server and tell it to use the private one so it
doesn’t give your static IP address to any machine.[/color]

First of all, you can only have one DHCP server on a network. A
computer doesn’t ask a specific DHCP server for an IP address, it just
asks “Hey someone, can I have an IP address?” and there had better be
only one “someone” listening.

Second, a DHCP server provides dynamic IP addresses which can change
but may not depending on the DHCP server. True static IP addresses are
not given out by a DHCP server, they are hard coded into your network
setup so they don’t change.
[color=blue]

Then to actually
use the static IP addresses you have to assign them to the machine
directly. No IP map, no NAT, just give the machine the address. I know
it’s crazy but that is the only way to do it.[/color]

No, that’s not crazy. That’s how static IP addresses are assigned.
[color=blue]

So basically what I
have is 3 existing servers taking up 3 of the 5 static IP addresses and
each also having a 192.168.x.x address as well, which leaves me with
only 2 global (but plenty of local) IP addresses left for servers.
So what I need to know is what actually needs those global IP
addresses. If both the SLES 11 host and the OES 11 client do then
I’m out of IPs for anything else and it would seem actually going
with a VM setup would be a waste at that point. If not then what
does actually need the global IP and how would you configure
this/what would the setup look like? Machine does have 2 network
cards.[/color]

You need to distinguish between public/private and dynamic/static IP
addresses. Servers need static IP addresses (ones that don’t change) to
ensure the services they provide can always be found. If there are
services on that server that need to be accessed from the Internet
(e.g. a web server) those services can only be accessed via a public IP
address. Either that public IP address has to be assigned directly to
the server or you can use NAT, port forwarding, or some other
mechanism to ensure that traffic reaches its correct destination.

If you have plenty of public IP addresses you can simply assign one to
each device that needs to be directly accessed from the Internet but
normally that is not the case. You also should think about security. Do
you really want everything on your servers exposed to the Internet? I
think not!

You need to plan your deployments. For example, if you need a web
server and an FTP server and provide both services on the same
physical/virtual server, you would only need one public IP address.

These issues you have have little to do with virtualization. They are
network issues and apply as much to physical servers as they do to
virtual servers. Before I, or anyone else here, can offer suggestions
on how to best deal with these issues, you need to have a deployment plan.
You need to know what services require public access and which
don’t/shouldn’t and you need to explain that to us.


Kevin Boyle - Knowledge Partner

[QUOTE=KBOYLE;13391]FUBAR wrote:
[color=blue]

I have a pretty unusual network setup due to my static IPs being on a
Uverse DSL connection. Basically you are stuck using the router they
provide and there is only one model that even halfway supports static
IP addresses.[/color]

This part is not unusual. Many ISPs insist on their customers using
the router/modem they provide.
[color=blue]

The only way to actually use them is to set up a public
DHCP server with the 5 usable addresses you get.[/color]

You lost me here. What you are describing makes no sense at all.

A common configuration used by some ISPs is to provide a subnet of 8
IPs: one broadcast, one for the gateway, the primary one assigned to
your server (used for routing), and five additional ones. Is that what
you have? Are the IP addresses consecutive or are they random IP
addresses that are part of a large subnet? What is your subnet mask?
[/quote]

Yes, this is what I have: it’s an 8 IP block with 5 usable. The others are broadcast, network, and the gateway, which is used for the private DHCP. Subnet is 255.255.255.248

[quote]
[color=blue]

You also need to set
up a private DHCP server and tell it to use the private one so it
doesn’t give your static IP address to any machine.[/color]

First of all, you can only have one DHCP server on a network. A
computer doesn’t ask a specific DHCP server for an IP address, it just
asks “Hey someone, can I have an IP address?” and there had better be
only one “someone” listening.

Second, a DHCP server provides dynamic IP addresses which can change
but may not depending on the DHCP server. True static IP addresses are
not given out by a DHCP server, they are hard coded into your network
setup so they don’t change.[/quote]

Well, this is how the router has to be configured. The public DHCP is used to configure the static IP block. You have to put in the gateway address as the DHCP server address and then the first and last of the 5 usable as the start and end of the DHCP range. Then you have to set up a private DHCP and tell the router to use it to assign DHCP addresses, or it would hand out any public IP not currently in use to any machine requesting an address. Basically it looks like they are forcing the hardware to do something it wasn’t really designed to do.

If you think that is bad, on top of it I have a second Uverse line with a second static IP block on the same network, so I technically have 4 DHCP servers. Of course I assign everything statically on my network so it’s usually not an issue. I also make sure none of the DHCP address ranges overlap anything that is being used, so if something does grab one (like during a system load) it really doesn’t hurt anything as it just gets one from the first router that answers the request.

Well, before I changed over to Uverse the static IPs were assigned in the router and 1-1 mapped to the individual machine. If it was done one way you didn’t give the machine the static IP; the router did all the translation from the public IP to the private. If you did it the other, then you gave the machine the static IP as a secondary IP address and still used your private IP as the primary. So every machine on the LAN had a 192.168.x.x address as the primary but some machines had a 75.x.x.x address as secondary.

Now basically the router isn’t doing any routing between the public and private IP addresses except for those machines that don’t have a public IP and are just using the gateway.

[quote]
[color=blue]

So basically what I
have is 3 existing servers taking up 3 of the 5 static IP addresses and
each also having a 192.168.x.x address as well, which leaves me with
only 2 global (but plenty of local) IP addresses left for servers.
So what I need to know is what actually needs those global IP
addresses. If both the SLES 11 host and the OES 11 client do then
I’m out of IPs for anything else and it would seem actually going
with a VM setup would be a waste at that point. If not then what
does actually need the global IP and how would you configure
this/what would the setup look like? Machine does have 2 network
cards.[/color]

You need to distinguish between public/private and dynamic/static IP
addresses. Servers need static IP addresses (ones that don’t change) to
ensure the services they provide can always be found. If there are
services on that server that need to be accessed from the Internet
(e.g. a web server) those services can only be accessed via a public IP
address. Either that public IP address has to be assigned directly to
the server or you can use NAT, port forwarding, or some other
mechanism to ensure that traffic reaches its correct destination.[/quote]

This is where the problem lies with this Uverse setup: there is no NAT or IP mapping since the only piece of hardware available doesn’t support it for static IP addresses. I’m basically now stuck with an all or nothing situation where if anything on the machine needs to be seen from the internet then the machine needs one of the public static IP addresses. Again, it’s bad hardware. Can’t even do a router behind a router config as it’s not supported either. Well, the device actually supports it but the version you have to use has it disabled in the firmware, so unless you want to hack the device and re-enable the option you’re stuck.

[quote]
If you have plenty of public IP addresses you can simply assign one to
each device that needs to be directly accessed from the Internet but
normally that is not the case. You also should think about security. Do
you really want everything on your servers exposed to the Internet? I
think not![/quote]

Do I want it? No, but it seems I’m stuck with it, at least for anything that acts as a server in some way.

This is what I am trying to figure out. Does the VM host need a public static IP for the VM client to be able to be assigned one as well? With my previous setup I would have been able to just give both a private static IP then use the router to map the public static IP to the private static IP on the client. With this setup I can’t do that.

As for what services I’m going to be using that need access, that would be a web server, FTP, and SVN. All of these would probably be on the one OES client. Which brings back the question: if everything is on the same client, do I really need a VM setup in the first place? Yes, it would be nice so I could play with other installs, configs, etc. but I could do that on another machine.

That’s great! That is a pretty standard way to do things.

Okay… One step at a time… I tried to find some information about Uverse DSL. It seems AT&T offers two different routers. Is yours one of these?

Static IP setup for the Motorola NVG510

Static IP Setup 2WIRE 3600/3800/3801

The AT&T U-verse® Internet Support page has this to say:

[QUOTE]Information about a Static IP

A Static IP Address is an IP Address that is associated with your account that never changes and can be assigned to a specific device. Every time that you connect to the AT&T Network the Static IP address will route traffic to the computer or other device that can be assigned an IP (such as a Router or Firewall). This allows you to host a variety of applications on their computer that can be accessed remotely.[/QUOTE]

That is a bit vague… then there is this:

[QUOTE]How your Multi Static IP address works

When you connect to the AT&T network you will get a Dynamic WAN address. The Dynamic WAN address is then associated with your Static IP and acts as a gateway for the Static IP addresses to reach the network. AT&T doesn’t automatically assign Static IP addresses to devices connected to the Dynamic WAN. In order to use your Static IP addresses you will need to contact us to have your equipment configured.[/QUOTE]

I don’t understand why “you will need to contact us to have your equipment configured”!

[QUOTE]
If you think that is bad, on top of it I have a second Uverse line with a second static IP block on the same network, so I technically have 4 DHCP servers. Of course I assign everything statically on my network so it’s usually not an issue. I also make sure none of the DHCP address ranges overlap anything that is being used, so if something does grab one (like during a system load) it really doesn’t hurt anything as it just gets one from the first router that answers the request.[/QUOTE]

It sounds as if you have found a way to cope with the way your routers are configured. :frowning:

[QUOTE]
Well, before I changed over to Uverse the static IPs were assigned in the router and 1-1 mapped to the individual machine. If it was done one way you didn’t give the machine the static IP; the router did all the translation from the public IP to the private. If you did it the other, then you gave the machine the static IP as a secondary IP address and still used your private IP as the primary. So every machine on the LAN had a 192.168.x.x address as the primary but some machines had a 75.x.x.x address as secondary.[/QUOTE]

So your LAN consisted of two subnets: a private (192.) one and a public (75.) one. That is one way to make things work if your router is not capable of routing between the two subnets.

Well let’s try to figure out what you can do.

It would appear that a more sophisticated router would solve your problems. The SLES Firewall has all the functionality you require. Yes, I know it would be one more thing to learn and you are probably already suffering from information overload but it might be an option!

Most ISPs provide the capability to connect one computer directly to the internet. Do you know if your router can be configured so that AT&T’s WAN dynamic public IP address can be assigned directly to a single computer? If that can be done, you may be able to configure your own router/firewall to work the way you want.

No!

Are you sure?

You have configured your router to use DHCP to provide your public static IP addresses. The problem with that setup is that the router might decide to hand out a different IP address if the lease expires. Can you not just hard code the static IP address when you configure your network settings? I don’t see why it has to be obtained from the DHCP server.

You should read up on networking in a Xen environment. The most common way it is configured is with bridging. Traffic arriving at the NIC on the box is seen by your Dom0 and DomUs. You can certainly deploy a combination of public and private addresses but that is a whole separate discussion.

I assume you mean your OES server!

No, you don’t, but that assumes that everything is on the same client errr… server. The decision as to how to proceed is yours.

I might point out that it is a lot easier to deploy a virtual server than to worry about whether the necessary hardware is available and already there may be a need for a more robust firewall/router.

There are always tradeoffs. That decision is yours to make.

By the way, this question should have been asked in the Networking forum! :wink:

[QUOTE=KBOYLE;13405]That’s great! That is a pretty standard way to do things.

Okay… One step at a time… I tried to find some information about Uverse DSL. It seems AT&T offers two different routers. Is yours one of these?

Static IP setup for the Motorola NVG510

Static IP Setup 2WIRE 3600/3800/3801

The AT&T U-verse® Internet Support page has this to say:

That is a bit vague… then there is this:

I don’t understand why “you will need to contact us to have your equipment configured”!

It sounds as if you have found a way to cope with the way your routers are configured. :frowning:

So your LAN consisted of two subnets: a private (192.) one and a public (75.) one. That is one way to make things work if your router is not capable of routing between the two subnets.

Routers can perform different functions. If the AT&T supplied router can’t do what you want it to (and I haven’t established that to be the case), you may have to use a different one or an additional one.

I need to know which router you are using.

Clearly NAT is supported since you are given a primary WAN public IP address which is NATted to the private subnet (192.168.). You don’t need or want NAT to be used for devices on your LAN that already have a public IP address.

This is really no different from how your network was configured before switching to Uverse.

Not necessarily! It’s just a limitation of the router being used. Remember, this is a home network. AT&T may have deliberately provided limited functionality to entice you to purchase a business solution.[/quote]

It is an NVG-510. The instructions they give are fine if you have a single static IP, not a static IP block. They say you will have to contact them to configure it because their field techs have no idea how to even do a regular static IP setup, let alone a static block (at least I got my $200 back on that). It took over 4 1/2 hours of bouncing back and forth between departments around the world a few times before I finally found 1 person that knew how to configure a static IP block on this router.

I was told not to even think about the 2-wire router for static IPs by everyone from the line man all the way up to tier-2 support. Also every previous 2-wire router I have tried to use results in Netware spitting out constant gateway xxx.xxx…xxx.xxx should be xxx.xxx.xxx.xxy since they use a non-standard method for assigning the broadcast/network/gateway addresses. So that leaves the NVG-510 as the only real option.

With the current setup I have every device on the network assigned a static IP on the 192.168.x.x. The ones that act as a server are also assigned one of the 10 usable 172.12.x.x addresses (the 75.x.x.x addresses were the old DSL ones). Now the ones that don’t act as a server use the 192.168.x.x address assigned to one of the routers as a gateway. So a simplified version of my network would look like this:

192.168.1.1 - 192.167.6.30 all static IPs assigned to local machines
192.168.1.31 - 192.168.6.50 - DHCP range 1
192.168.1.51 - 192.168.6.100 - DHCP range 2

172.12.x.40 - 172.12.x.47 public block 1
172.12.x.32 - 172.12.x.39 public block 2

172.12.x.46 is the gateway and assigned to 192.168.1.8 which is the DHCP server for the range 192.168.1.31-50.
172.12.x.41, 192.168.1.1 is a Netware 6 server
172.12.x.43, 192.168.1.2 is a Netware 6.5 server
172.12.x.45, 192.168.1.17 is a game server
172.12.x.42, 192.168.1.3 will be the new OES server
172.12.x.44 was a game server but is currently open as the machine died recently and is 13 years old so no plans on fixing it. This could be used for a SLES server with an address of 192.168.1.4

The other block is configured similarly with all 5 used by various servers. No devices actually use DHCP assigned addresses except for the rare occasion I pull out my old laptop and enable wireless. Personally I’ve always hated DHCP and prefer actually knowing what device has what address.

Now here is the real weird part about Uverse static IP blocks. There is actually a static IP address that the router uses to log in that is in the 108.230.x.x (no idea what subnet) range. That is unusable for me but that is what the router uses to log in. So there is some weird hackish method that they are using to assign static IP blocks. They wanted to push small businesses in the area to upgrade to Uverse and only recently added static IP support. Yes, I pay for business class service; you can’t get static IP blocks for residential (well you can, but there is a whole list of things like living west of the Mississippi but not in certain states, having a grandfathered account, etc., none of which I qualified for when my old ISP went under and I lost my block of 32 addresses). Anyway, long story short, business class can only get IP blocks of 8 in this area; that is why I have to have 2 lines and routers. If I knew what I know now about Uverse I would have kept the DSL even though it was more expensive and slower; it’s that bad. Every tech I’ve talked to at AT&T from the linemen to tier-2 support has agreed that the routers are terrible and something better is needed but management won’t do anything about it.

[quote]
Are you referring to the Cascaded Router in Static IP setup for the Motorola NVG510? I don’t know what it does. Maybe someone else has used this function? It sounds as if it might provide the additional capabilities you desire.

I asked you “You also should think about security. Do you really want everything on your servers exposed to the Internet? I think not!” and you replied:

Well let’s try to figure out what you can do.

It would appear that a more sophisticated router would solve your problems. The SLES Firewall has all the functionality you require. Yes, I know it would be one more thing to learn and you are probably already suffering from information overload but it might be an option!

Most ISPs provide the capability to connect one computer directly to the internet. Do you know if your router can be configured so that AT&T’s WAN dynamic public IP address can be assigned directly to a single computer? If that can be done, you may be able to configure your own router/firewall to work the way you want.[/quote]

No, you have to use either one of their routers, or they do have a modem but it cannot be hooked up to any routers. Talking to the techs, many small businesses have run into the same issues that I have. Some have succeeded in using a router by enabling the Cascaded Router in Static IP that you mentioned (this was meant to allow you to use their router as a modem and pass all 6 addresses, the gateway included, to your router behind the NVG-510 so you could use it as the router/gateway without using up a static IP) but the newer routers disabled that function. Also the routers contain a registration code locked to your account so you can’t just go out and buy one that has the ability.

[quote]
No!

Are you sure?

You have configured your router to use DHCP to provide your public static IP addresses. The problem with that setup is that the router might decide to hand out a different IP address if the lease expires. Can you not just hard code the static IP address when you configure your network settings? I don’t see why it has to be obtained from the DHCP server.[/quote]

Actually while the public IPs are configured in the DHCP section they are not assigned via DHCP as the private DHCP is set to do the assigning. That is why you have to configure both a public and private DHCP server in the router. The public DHCP isn’t really used for DHCP assigning just a place to put the configuration information. Pretty much a hackish way of configuring something.

[quote]
You should read up on networking in a Xen environment. The most common way it is configured is with bridging. Traffic arriving at the NIC on the box is seen by your Dom0 and DomUs. You can certainly deploy a combination of public and private addresses but that is a whole separate discussion.[/quote]

Do you know of a visual representation of such a configuration? I can read about something 50 times and it won’t click, but if I see it in a diagram or see someone do it I get it the first time. For example the diagram here: https://www.suse.com/documentation/sles11/book_xen/data/sec_xen_basics_arch.html did more for me understanding a VM setup than anything else.

Yes, I meant the OES server. Really, the way I see it, everything is on one server. Maybe I just don’t quite understand how the VM drives work yet and am still looking at it as if it was Netware 6, but the web services, ftp, and svn are all just directories available to those services. If I was setting it up on a 6.5 server they would just be in folders on my //server/web volume. To me they are just folders on that mapped drive. The only special cases are where access to a specific folder isn’t public and requires a login from the web side. 99% of this thing is just going to be file storage for me.

[quote]
There are always tradeoffs. That decision is yours to make.[/quote]

Yeah, it’s just hard when you don’t know what those tradeoffs are. On one hand the VM setup seems nice as it would allow flexibility down the road, but on the other it seems overly complicated for what I need right now. Seems easier to re-purpose one of my existing game servers down the road if I need additional services. After this is all up and running I might just do that anyway to have a test box for the linux version of the game server.

[quote]
By the way, this question should have been asked in the Networking forum! ;-)[/QUOTE]

Can you move it? This seemed like the place since it pertained to setting up the VM environment.

[QUOTE=FUBAR;13406]It is an NVG-510.

With the current setup I have every device on the network assigned a static IP on the 192.168.x.x. The ones that act as a server are also assigned one of the 10 usable 172.12.x.x addresses (the 75.x.x.x addresses were the old DSL ones). Now the ones that don’t act as a server use the 192.168.x.x address assigned to one of the routers as a gateway. So a simplified version of my network would look like this:

192.168.1.1 - 192.167.6.30 all static IPs assigned to local machines
192.168.1.31 - 192.168.6.50 - DHCP range 1
192.168.1.51 - 192.168.6.100 - DHCP range 2

172.12.x.40 - 172.12.x.47 public block 1
172.12.x.32 - 172.12.x.39 public block 2

172.12.x.46 is the gateway and assigned to 192.168.1.8 which is the DHCP server for the range 192.168.1.31-50.
172.12.x.41, 192.168.1.1 is a Netware 6 server
172.12.x.43, 192.168.1.2 is a Netware 6.5 server
172.12.x.45, 192.168.1.17 is a game server
172.12.x.42, 192.168.1.3 will be the new OES server
172.12.x.44 was a game server but is currently open as the machine died recently and is 13 years old so no plans on fixing it. This could be used for a SLES server with an address of 192.168.1.4

The other block is configured similarly with all 5 used by various servers. No devices actually use DHCP assigned addresses except for the rare occasion I pull out my old laptop and enable wireless. Personally I’ve always hated DHCP and prefer actually knowing what device has what address.[/QUOTE]

This has been an interesting discussion…

You can assign IP addresses to your Dom0 and DomUs exactly the same way you have been doing with your physical deployments. Each DomU would be assigned a private IP address and if some services needed to be accessed from the Internet, you would also assign a public IP address.

I see the following limitations with this approach:
[LIST]
[*]Public access is limited to a combination of ten physical and virtual computers as there are only ten usable public IP addresses.
[*]Computers with public access require two IP addresses.
[*]Router limitations prevent the use of NAT and/or port forwarding with your public IP subnet(s).
[*]There may be routing limitations between subnets.
[/LIST]

There may be an alternative configuration that could work. If you had another router that could do NAT, masquerading, port forwarding, etc., you could make much better use of your limited number of public IP addresses. Does the Cascaded Router in Static IP work on your modem/router or can you get one where it does work? That would be the ideal situation. If that feature were available, all traffic with any one of the public IP addresses would be routed to the device at the specified IP address giving you full control over that traffic and those IP addresses.

If the Cascaded Router feature is not available, you could assign all available public IP addresses to a single device, like you do in NetWare with a primary IP address and one or more secondaries. This approach would not allow you to assign a public IP address to a specific computer but you may be able to make better use of the available public IP addresses and permit public access to more than ten devices. All the devices on your LAN would be on a single subnet and you would have full control over what services are available at each IP address. You could, for example, use the same public IP address for HTTP and FTP but have those two services running on two different computers by using port forwarding. As always, there are tradeoffs. :frowning:

If you want to consider such a configuration, the SLES Firewall can do all of this and more. I’ll let you research this one.

Linux is everywhere. If you want to know something, try Google. For example, I found these links when I searched for “xen networking”.

http://wiki.xen.org/wiki/Xen_Networking

http://doc.opensuse.org/products/draft/SLES/SLES-xen_sd_draft/cha.xen.network.html

[QUOTE]
Yeah, it’s just hard when you don’t know what those tradeoffs are. On one hand the VM setup seems nice as it would allow flexibility down the road, but on the other it seems overly complicated for what I need right now. Seems easier to re-purpose one of my existing game servers down the road if I need additional services. After this is all up and running I might just do that anyway to have a test box for the linux version of the game server. [/QUOTE]

Now that you have Xen installed, setting up a new virtual server or a new physical server is about the same effort.

If you need OES and intend to use NSS, NSS should be installed on its own uninitialized disk (not a partition of an existing disk). That restriction has been relaxed in OES11-SP1 but it is still a good practice to follow. One advantage of running OES in a DomU is that a partition on a disk in Dom0 can be assigned to a DomU and the DomU will see it as a separate disk thus allowing NSS to think it is using an uninitialized disk while actually using free space on an existing disk.

I hope this discussion has helped you.
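An added example (not code from the forum thread, SUSE or Xen) that turns the address planning argued through this thread into a check: it splits the /29 block (255.255.255.248) the way the poster describes it, verifies that static hosts stay outside the DHCP ranges, and hands one public address to each Internet-facing machine while a Dom0 or DomU with no public service keeps only its private address. The block 172.12.0.40/29, the machine list and the DHCP ranges are constructed placeholders, and the gateway is assumed to be the last host address, as with the poster's .46.

```python
import ipaddress


def describe_block(cidr):
    """Split an ISP-supplied block the way the thread describes it: network
    and broadcast addresses, a gateway (assumed here to be the last host
    address, matching the poster's .46 in the .40-.47 block) and the usable
    rest, which for a /29 is five addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return {
        "network": net.network_address,
        "broadcast": net.broadcast_address,
        "gateway": hosts[-1],
        "usable": hosts[:-1],
    }


def static_dhcp_conflicts(static_addrs, dhcp_ranges):
    """Return every static address that lies inside a DHCP range. The poster
    keeps these disjoint so a stray lease can never collide with a server."""
    bounds = [(int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
              for lo, hi in dhcp_ranges]
    hits = []
    for addr in static_addrs:
        n = int(ipaddress.ip_address(addr))
        if any(lo <= n <= hi for lo, hi in bounds):
            hits.append(addr)
    return hits


def assign_public_addresses(machines, cidr):
    """Give one usable public address to each machine that exposes a service
    to the Internet; every machine keeps its private address. A Dom0 or
    DomU with nothing public stays private-only and just uses the router
    as its gateway. Raises ValueError once the block is exhausted, which is
    the "out of IPs" case the original question worries about."""
    pool = list(describe_block(cidr)["usable"])
    plan = {}
    for m in machines:
        public = None
        if m["public_services"]:
            if not pool:
                raise ValueError("no public address left for " + m["name"])
            public = pool.pop(0)
        plan[m["name"]] = (ipaddress.ip_address(m["private"]), public)
    return plan


def fits_in_block(machines, cidr):
    """True when every Internet-facing machine can get a public address."""
    try:
        assign_public_addresses(machines, cidr)
        return True
    except ValueError:
        return False


# Constructed sample modelled on the thread: the poster's block with
# 172.12.x written as 172.12.0 (placeholder), three existing servers that
# are reachable from the Internet (their services are not named in the
# thread, so "existing" stands in), the new OES DomU carrying web/FTP/SVN,
# and the SLES Dom0 that exposes nothing.
SAMPLE_BLOCK = "172.12.0.40/29"
SAMPLE_MACHINES = [
    {"name": "netware6", "private": "192.168.1.1", "public_services": ["existing"]},
    {"name": "netware65", "private": "192.168.1.2", "public_services": ["existing"]},
    {"name": "gameserver", "private": "192.168.1.17", "public_services": ["game"]},
    {"name": "oes-domU", "private": "192.168.1.3",
     "public_services": ["http", "ftp", "svn"]},
    {"name": "sles-dom0", "private": "192.168.1.4", "public_services": []},
]
SAMPLE_DHCP = [("192.168.1.31", "192.168.1.50"), ("192.168.1.51", "192.168.1.100")]


def sample_plan():
    return assign_public_addresses(SAMPLE_MACHINES, SAMPLE_BLOCK)


def sample_public_left():
    """How many usable public addresses remain after the sample plan."""
    used = sum(1 for _, pub in sample_plan().values() if pub is not None)
    return len(describe_block(SAMPLE_BLOCK)["usable"]) - used


if __name__ == "__main__":
    block = describe_block(SAMPLE_BLOCK)
    print("gateway", block["gateway"], "usable", [str(a) for a in block["usable"]])
    for name, (priv, pub) in sample_plan().items():
        print("%-10s private=%s public=%s" % (name, priv, pub))
    print("public addresses left:", sample_public_left())
    print("static/DHCP conflicts:",
          static_dhcp_conflicts([m["private"] for m in SAMPLE_MACHINES],
                                SAMPLE_DHCP))
```

Running it shows the Dom0 needs no public address at all, which is the answer the thread reaches, and leaves one usable public address in the sample block.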