
Simple and Secure Network Setup?

Michael Cropper


Let's say we have the following setup:

- Physical Router
  - Laptop
    - Xen Server
      - HostOS
      - GuestOS VM 1
      - GuestOS VM 2


Currently they are connected to NIC 0, the only physical cable that links the physical server to the physical router. 


Whenever I SSH into VM1 and VM2 - I can successfully ping each machine - which I don't want. I only want VM1 and VM2 to be able to reach the internet. What do I need to click/configure within XenCenter to set this up? 


I've been having a play with different settings so far, along with going through this guide, https://doc.yonyoucloud.com/doc/xen/xs-design-networkadvanced-131004052202-phpapp02.pdf, but I'm still none the wiser at the moment exactly what I need to do. I have a feeling it's something to do with VLANs, i.e.:

- NIC 0
  - VLAN 1
    - Guest OS VM 1 (which can connect to anything in VLAN 1 and also the internet)
  - VLAN 2
    - Guest OS VM 2 (which can connect to anything in VLAN 2 and also the internet)


But I'm not exactly sure how to make this happen. Unless I'm on the wrong track here? 





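As an added example (not code from this thread or from Citrix), the xe CLI sequence that realises the per-VM VLAN idea in the question: one tagged VLAN network per guest on the single physical NIC. The PIF/VM UUIDs, the tags 10 and 20 and the DRY_RUN switch are assumptions, and the isolation only holds if the physical router carries both tags but does not route between the two VLANs.

```shell
#!/bin/sh
# Added example, not from the thread: xe CLI steps that give each guest its own
# VLAN network on the one physical NIC (NIC 0). Assumed: VLAN tags 10 and 20,
# placeholder UUIDs passed in by the caller. The physical router must trunk both
# tags and must NOT route VLAN 10 <-> VLAN 20, or the VMs still meet one hop up.
set -eu

# xe_cmd: run xe on the host, or with DRY_RUN=1 print the command on stderr
# and hand back a placeholder UUID so the plan can be reviewed off-host.
xe_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "xe $*" >&2
    echo "dry-run-uuid"
  else
    xe "$@"
  fi
}

# create_vlan_network NAME TAG PIF_UUID: create an internal network and the
# tagged VLAN object that binds it to the physical NIC; prints the network UUID.
create_vlan_network() {
  name=$1; tag=$2; pif=$3
  net=$(xe_cmd network-create name-label="$name")
  xe_cmd vlan-create pif-uuid="$pif" vlan="$tag" network-uuid="$net" >/dev/null
  echo "$net"
}

# attach_vm VM_UUID NET_UUID: give the VM a VIF (device 0) on the VLAN network.
# The VM's old VIF on the untagged NIC 0 network must be removed separately
# (xe vif-destroy), otherwise both VMs stay reachable over the shared network.
attach_vm() {
  xe_cmd vif-create vm-uuid="$1" network-uuid="$2" device=0
}

# isolate_two_vms PIF_UUID VM1_UUID VM2_UUID: one VLAN network per VM.
isolate_two_vms() {
  net1=$(create_vlan_network "VLAN10-user1" 10 "$1")
  net2=$(create_vlan_network "VLAN20-user2" 20 "$1")
  attach_vm "$2" "$net1" >/dev/null
  attach_vm "$3" "$net2" >/dev/null
}
```

Run `DRY_RUN=1 isolate_two_vms <pif-uuid> <vm1-uuid> <vm2-uuid>` first to see the six xe commands it would issue, then without DRY_RUN on the XenServer host (PIF UUIDs come from `xe pif-list`).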

7 answers to this question


Yes, I think you're right on the licencing front re. vSwitch. Spotted that in a single line in the 90-page PDF that mentioned it in passing.


Looks like I'll have to stick with the firewall option within the GuestOS VM for now then while I find my feet. Thankfully many Linux OSes these days take an 'open up' rather than 'close down' approach to firewalls, so there has to be a conscious effort to open the ports.


In the meantime, I'll have a good read up on the vSwitch to get up to speed with that in preparation.






Thanks for confirmation. 


I'm currently having a play with pfSense which looks like it can do VLANs. Not sure how this interacts with XenServer / VMs as of yet but I'll have a play. Have you ever set up VLANs with this approach or do you tend to purely use the vSwitch functionality?


Interestingly, while I've been having a play over the last few days, from what I can tell so far (I need to test this) I believe I should be able to create a VM hosting Open vSwitch with a static IP address; then within the XenServer boot management screen there is an option within the 'Network and Management Interface' menu that looks like it is still possible to set up vSwitch and point that to an IP address (version 8.0 of XenServer).


I'm also starting to research XCP-NG as that looks to do everything XenServer can do without the licencing restrictions. Thoughts? 


Not something I've ever played with, but if you need firewalling between VLANs, adding a firewall like pfSense is a possibility.

The advantage of the vSwitch controller is you could firewall between VMs on the same VLAN. XCP-ng seems to be gaining quite a bit of traction and giving XenServer a run for their money, especially now that you can purchase support.





I guess my thoughts at the moment are: imagine the scenario whereby you have User 1 and User 2 who have completely independent requirements. It's how you securely segment those two users. VLANs sound like a possible solution, i.e. User 1 only has access to VLAN 1 and User 2 only has access to VLAN 2.


Containers - well, that's a discussion for after the VM security setup, I would say. To an extent, whatever containers people decide to set up on their VMs is their choice.
