Lately, I've been finding myself building more and more complex environments in VMWare, simulating complex scenarios that have networking requirements above and beyond a mere LAN Segment. For example, as an SE, suppose I want to more closely mirror a customer environment, when simulating a deployment change. If you want to maintain the IPs of different offices when there is a router in between, and not engage in ugly hijinks to patch it together, you need to have a router in between. I wasn't able to find anything that exactly met that need, so I built it.
The VM below is built on OpenBSD 5.0, and is pretty much a vanilla config. It consumes less than 64 MB of ram, and provides routing/switching/SPAN porting for up to 10 Virtual Interfaces. Being OpenBSD, there are also daemons available that would let you run routing protocols -- I didn't have a need for that, so I didn't do too much of it. But if you need a straightforward router instance you can toss in VMWare Workstation (or likely ESX), then this may let you get running somewhat quicker than building it yourself.
(also included in the VM folder):
In short, this is an OpenBSD VM that works as a router, and can be deployed in VMWare Workstation or (untested, but theoretically) ESXi. It consumes less than 64 MB of RAM, and provides networking services
(routing, switching, SPAN ports) for up to 10 Virtual Interfaces (the max for VMWare Workstation 8). It also provides for the configuration of multiple routing domains / routing tables, akin to a VRF-Lite deployment on a traditional networking device.
* When you get beyond 5 VMs, you can often get into topologies where you want to send traffic in a particular way, but don't want to deal with the complexity of setting up GNS routers.
* Sometimes you want a SPAN port in VMWare Workstation
* Sometimes you want to show how VLANs work with Check Point firewalls, without having to use ESX.
* Sometimes you want to mimic a customer site exactly. This can require a complex topology, with multiple subnets, core switches, branch sites, routing protocols, and etc. You need more than a LAN Segment
* Because it gives you a lot of routing flexibility, and consumes only 64 MB RAM.
What is the username and password?
What is an rdomain / VRF?
In essence, an rdomain allows you to have multiple routing tables on one device. This provides a few benefits:
* Allows overlapping IP Spaces. You can have 10.1.1.0/24 in use for multiple VM networks, so long as they are in different rdomains
* Allows you to simluate multiple routers. For example, you could have 10.1.0.0/16 simulating a main office, 10.2.0.0/16 simulating a branch office, and 192.168.0.0/16 simulating a WAN. Local routing�would function for each /16, and you would still have firewall inspection points between the various networks
Do I need to use rdomains / VRFs?:
Definitely not. In the scenario I have configured by default, everything belongs to rdomain 1, which means communication between instances doesn't go between different rdomains. This works splendidly.
How would you use this in reality?
As I have this set up in my environment, I have a number of VMWare Workstation LAN Segments configured, for each section of the network. For example, I have a main office at 10.1.0.0/16 with the perimeter�gateway at IP 10.1.10.5. Then I have a branch office configured the same, at 10.2.0.0/16. Each network is a labelled LAN Segment. The router VM has interface in the edge networks at 10.1.10.254 and 10.2.10.254. It has a third instance on the VMWare NAT DHCP pool. This mirrors an enterprise network configuration with a firewall at the head of each site, leading to a backbone network with an inet router�at the perimeter.
I have not configured the following, but if desired, you could then create a separate "internet" rdomain where you have your inet router (unlike in a Cisco world, with OpenBSD you can have routes between rdomains) connected on the outside, and then toss a VPN client on that rdomain, to run through a scenario with Remote User VPN tunnels going across a NAT interface to a firewall. The power of having a router instance is that it will let you build virtually any topology. The only real limitation is 10 interfaces per rdomain -- if you need more rdomains at that point, you could just add more router VMs into the mix (and if you needed more than 10 interfaces per rdomain, you could run this in ESXi, where you can leverage vlan tagging).
How do I configure the system temporarily (not surviving a reboot)?
ifconfig emX rdomain N a.b.c.d/e
route -T N default gw l.m.n.p
ifconfig emY rdomain N
For example, providing the default configuration on the instance dynamically would be:
ifconfig em0 rdomain 1
ifconfig em1 rdomain 1 10.1.10.5/24
ifconfig em2 rdomain 1 10.2.10.5/24
How do I configure NAT?
Via pf.conf. Mimic what is there by default, or reference this for more: http://www.openbsd.org/faq/pf/nat.html
How do I configure the system permanently (surviving a reboot)?
Simply take a look at the default files: /etc/hostname.* and /etc/pf.conf
How do I configure a SPAN port?
I've only looked at this for non-persistent configurations, but in that case it is very easy. The below is the config I did to put a SPAN port on the segment going from a windows xp instance to the 10.1.10.0�network:
1. Add two lan segments: Bridge0 - Host Side; Bridge0 - TAP side
2. Add the segments to your router: I added the first segment to Network Adapter 5 (em4, and the second to 6 (em5).
3. Switch your client to be snooped on to Bridge0 - Host Side
4. Set your snooping interface on your snooping gateway to Bridge0 - TAP side
4. Configure the bridge:
# ifconfig bridge0 create
# ifconfig bridge0 add em4 add em1 up
# ifconfig em4 up
# ifconfig em5 up
# ifconfig bridge0 addspan em5
If you do this and your client can't ping the gateway, you probably forgot the "up" at the end of the "ifconfig bridge0 add em4 add em1 up"
Where can I learn more?
Google: openbsd rdomain