Gateway Virtualization with Hyper-V

After a colleague's stories about a burned-out router and the outage that followed, it was decided to guard against such situations by building a backup gateway. Since the budget for this is nowhere near the top ten priorities in my current company, the gateways will be virtual machines running Ubuntu 14.04 LTS on Hyper-V, and the hardware will be two desktop boxes assembled from whatever was lying around in stock. I say this not to invite sympathy, but to stress that building a backup of the main gateway does not require much funding.


Hardware requirements:
- processor with virtualization and x64 support
- 2 network cards with 802.1Q (VLAN tagging) support

Assume we already have a box with Windows Hyper-V Server 2012 R2 installed and a Generation 2 virtual machine created on it. Let's start with the Hyper-V host settings.

The first thing we'll do is configure NIC teaming. Open the Server Manager snap-in, right-click our server and select "Configure NIC Teaming":

All manipulations with the Windows snap-ins are performed from a Windows 8.1 machine (the host itself runs Server Core, so the management tools are used remotely).

Team settings depend on your infrastructure (switch-independent teaming needs nothing on the switch side; LACP needs the switch ports configured as a channel). The team exists so that the gateway stays reachable if a network card fails, or if a switch fails, provided the team members are cabled to different switches.

Next, we will create virtual switches for the local network and the Internet. You can do this through the Hyper-V Manager snap-in or through PowerShell.

Open the snap-in, select our server and click "Virtual Switch Manager" in the Actions pane on the right. We need to create two external virtual switches.


Give the switch a name and pick the matching network card. "Microsoft Network Adapter Multiplexor Driver" is our team interface. Sometimes physical cards share the same name and differ only in the number at the end; to tell them apart, use the PowerShell Get-NetAdapter cmdlet and match them by MAC address or by link status (up/down). For the Internet switch, uncheck "Allow management operating system to share this network adapter"; for the local-network switch leave it checked, unless you have a separate network card for managing the hypervisor. This option lets the hypervisor's own operating system use that card to reach the network, which is exactly what we do not want on the Internet-facing card.

You can also create a virtual switch with the PowerShell New-VMSwitch cmdlet.

Next, create network adapters for our virtual machine, either through the snap-in or with the PowerShell Add-VMNetworkAdapter cmdlet.

Creating a network adapter is straightforward and, it seems to me, needs no description. If your network uses VLANs, you need to configure an interface for each of them. There are several ways to do this:

  • creating virtual interfaces at the host level of the hypervisor
  • creating interfaces at the virtual machine level
  • creating sub-interfaces at the virtual machine level


The first method is not for us: on Server Core I could not reach these settings from a graphical interface, and editing the registry by hand can break something. And if I'm not mistaken, Microsoft itself does not recommend this method.

The second method is convenient and simple. We can create the number of network adapters we need and specify the vlan we need in the settings.


The only inconvenience of this method is that when a new VLAN appears, a network adapter can be added only while the virtual machine is turned off (Hyper-V 2012 R2 cannot hot-add adapters).

The third method suits us best, so that is the one we'll use.

In order to receive traffic from all the VLANs we want to route, we need to configure a trunk on the virtual machine's network card. This can only be done through PowerShell:

Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "100" -VMName "router" -VMNetworkAdapterName "localnet" -NativeVlanId 0


It so happened that when I joined, only one VLAN was in use on the network, and all the equipment on it, servers and PCs included, sent untagged traffic. After configuring the trunk, for a long time I could not understand why untagged traffic did not reach my virtual machine, until I came across a post showing a PowerShell command with VLAN 0; that is why 0 is specified as the native VLAN.
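The whole host-side procedure above (NIC team, the two external switches, the VM's adapters and the VLAN trunk) collected into one PowerShell script, with a verification step at the end. This is an added example, not the article's own commands: the physical adapter names NIC1, NIC2 and NIC3, the team name LAN-Team, the VM name router, the switch names localnet and internet, and VLAN 200 are assumptions (the article itself uses only VLAN 100).

```powershell
# Added example, not from the original article: host-side network setup for
# the gateway VM on a Hyper-V Server 2012 R2 host, done from PowerShell.
# Assumed names: physical NICs "NIC1", "NIC2" (LAN team) and "NIC3" (Internet),
# VM "router", switches "localnet" and "internet", VLANs 100 and 200.
# Match them against your own Get-NetAdapter output before running.

# 1. Identify the physical cards. Identically named cards differ in the
#    InterfaceDescription suffix, the MAC address and the link Status.
Get-NetAdapter | Sort-Object Name |
    Format-Table Name, InterfaceDescription, MacAddress, Status, LinkSpeed -AutoSize

# 2. Team the two LAN cards. Switch-independent mode needs nothing on the
#    switch side; cable the members to two different switches if the team
#    is also meant to survive a switch failure.
New-NetLbfoTeam -Name "LAN-Team" -TeamMembers "NIC1", "NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false
Get-NetLbfoTeam -Name "LAN-Team" | Format-List Name, Status, TeamingMode, Members

# 3. External switches. The LAN switch shares the team interface with the
#    management OS; the Internet switch does not, so the host's own TCP/IP
#    stack never sits on the WAN side.
New-VMSwitch -Name "localnet" -NetAdapterName "LAN-Team" -AllowManagementOS $true
New-VMSwitch -Name "internet" -NetAdapterName "NIC3"     -AllowManagementOS $false

# 4. Two adapters for the gateway VM. 2012 R2 cannot hot-add adapters,
#    so the VM has to be off. A Generation 2 Linux guest on 2012 R2 also
#    needs Secure Boot switched off or it will not boot.
if ((Get-VM -Name "router").State -ne "Off") { Stop-VM -Name "router" }
Set-VMFirmware -VMName "router" -EnableSecureBoot Off
Add-VMNetworkAdapter -VMName "router" -Name "localnet" -SwitchName "localnet"
Add-VMNetworkAdapter -VMName "router" -Name "internet" -SwitchName "internet"

# 5. Trunk on the LAN adapter: tagged frames for the listed VLANs plus the
#    untagged native VLAN (0), which is what the flat part of the network
#    uses. The list also accepts ranges, e.g. "100-110,200".
Set-VMNetworkAdapterVlan -VMName "router" -VMNetworkAdapterName "localnet" `
    -Trunk -AllowedVlanIdList "100,200" -NativeVlanId 0
# The Internet adapter stays untagged.
Set-VMNetworkAdapterVlan -VMName "router" -VMNetworkAdapterName "internet" -Untagged

# 6. Port-level hardening. MAC spoofing stays Off (the default) on both
#    adapters; NAT does not need it. Leave RouterGuard and DhcpGuard Off on
#    this VM, because it *is* the router and must be able to send ICMP
#    redirects; turn them On for the ordinary VMs behind it.
Set-VMNetworkAdapter -VMName "router" -Name "internet" -MacAddressSpoofing Off
Set-VMNetworkAdapter -VMName "router" -Name "localnet" -MacAddressSpoofing Off

# 7. Verify before booting the guest: OperationMode must be Trunk on
#    localnet with NativeVlanId 0 and the expected AllowedVlanIdList.
Get-VMNetworkAdapter -VMName "router" | Format-Table Name, SwitchName, MacAddress -AutoSize
Get-VMNetworkAdapterVlan -VMName "router" |
    Format-Table VMName, VMNetworkAdapterName, OperationMode, AllowedVlanIdList, NativeVlanId -AutoSize
```

Run it in an elevated PowerShell session on the host (or through Enter-PSSession from the Windows 8.1 management box). The last two commands are the ones worth keeping at hand: if untagged traffic does not reach the guest, the first thing to check is that NativeVlanId really reads 0 on the localnet adapter.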

Next, we need to configure the virtual machine.

Let's start with the addressing.

Example /etc/network/interfaces (the eth0.100 stanza needs the vlan package, apt-get install vlan, which ships the ifupdown hook for 802.1Q sub-interfaces):

# The loopback network interface
auto lo
iface lo inet loopback

# LAN, untagged (native VLAN)
auto eth0
iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0

# sub-interface for routing traffic from VLAN 100
auto eth0.100
iface eth0.100 inet static
    address 192.168.100.1
    netmask 255.255.255.0
    vlan_raw_device eth0

# Internet
auto eth1
iface eth1 inet dhcp


Next, let the virtual machine forward packets. Set net.ipv4.ip_forward to 1 in /etc/sysctl.conf and apply the change with sysctl -p /etc/sysctl.conf.

And the final touch is configuring NAT with iptables.

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is your external IP address. Although DHCP is used in my case, the provider always assigns the same external address.
For dynamic addresses, use

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Note that these rules only translate addresses. With the default ACCEPT policy on the FORWARD chain the gateway forwards any packet it receives, including packets arriving on eth1 aimed at the private ranges behind it, so restrict FORWARD to connections initiated from the LAN and their established/related replies before putting the machine on the Internet.

For the iptables rules to survive a reboot, install the iptables-persistent package. The package name may vary between distributions.

Now users have Internet access and everything works; all that remains is to configure replication. This is done through the same Hyper-V Manager snap-in. Open the snap-in, select our hypervisor and open "Hyper-V Settings" from the Actions pane. In the settings, select "Replication Configuration". The details:


Enable this computer as a Replica server.

Integrated Windows (Kerberos) authentication is the less secure option: it works only inside an Active Directory domain and needs no additional setup, but the replication traffic goes over HTTP (TCP port 80) unencrypted.

Certificate-based authentication (HTTPS, TCP port 443) is more secure, since the traffic is encrypted. Use it if you are paranoid, and in any case when the hosts are not in a domain.

You can allow replication from any Hyper-V server or only from the specified ones. We choose the second option and list the other Hyper-V host there. The trust group may have any name. Then we make the same settings on the replica server, with the primary in its list, so that replication can be reversed after a failover.

So that the machine does not end up without a network when it is failed over to the replica server, the virtual switches there must have the same names as on the primary server.
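The Replica setup above, done from PowerShell with certificate-based (HTTPS) authentication, replication restricted to one named primary, and a check that the switch names match before the first failover. This is an added example, not the article's own commands: the host names hv1.example.local (primary) and hv2.example.local (replica), the storage path D:\Replica, the trust group name gateways and the VM name router are assumptions.

```powershell
# Added example, not from the original article: Hyper-V Replica for the
# gateway VM with certificate (HTTPS) authentication on 2012 R2.
# Assumed names: primary "hv1.example.local", replica "hv2.example.local",
# VM "router", replica storage "D:\Replica", trust group "gateways".
# Both hosts need a certificate in the computer's Personal store, issued by
# a CA both trust, with the host FQDN as subject and both the Server
# Authentication and Client Authentication EKUs.

# --- On the replica server (hv2) ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=hv2.example.local" } | Select-Object -First 1

# Certificate-only listener on 443; no Kerberos/HTTP listener at all, and
# no "replicate from anyone", so the next command decides who may push.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $cert.Thumbprint `
    -CertificateAuthenticationPort 443 `
    -ReplicationAllowedFromAnyServer $false

# Accept replication only from the named primary. Any other host that
# speaks HTTPS to port 443 is refused.
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer "hv1.example.local" `
    -ReplicaStorageLocation "D:\Replica" -TrustGroup "gateways"

# The Windows Firewall rule for the HTTPS listener ships disabled.
Enable-NetFirewallRule -DisplayName "Hyper-V Replica HTTPS Listener (TCP-In)"

# Switch names must match the primary, or the failed-over VM comes up with
# its adapters disconnected. Compare the two hosts' switch lists (needs
# remote Hyper-V management access to hv1).
$diff = Compare-Object `
    -ReferenceObject  (Get-VMSwitch -ComputerName "hv1.example.local").Name `
    -DifferenceObject (Get-VMSwitch).Name
if ($diff) { Write-Warning "Switch names differ between hosts:"; $diff }

# --- On the primary server (hv1) ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=hv1.example.local" } | Select-Object -First 1

Enable-VMReplication -VMName "router" `
    -ReplicaServerName "hv2.example.local" -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint `
    -ReplicationFrequencySec 300                 # 30, 300 or 900 on 2012 R2
Start-VMInitialReplication -VMName "router"

# Health check: after the initial copy, State should read Replicating and
# Health should read Normal.
Get-VMReplication -VMName "router"
Measure-VMReplication -VMName "router"

# --- Rehearsal, on the replica (hv2) ---
# A test failover boots a copy named "router - Test" that is not connected
# to any switch, so it cannot fight the live gateway for its addresses.
Start-VMFailover -VMName "router" -AsTest
# ... inspect it, then discard the test copy:
Stop-VMFailover -VMName "router"
```

The two settings that matter for security are AllowedAuthenticationType Certificate (the Kerberos listener on port 80 is never opened) and ReplicationAllowedFromAnyServer $false together with the authorization entry (only hv1 can deliver a VM image to this host). Repeat the replica-server half on hv1 with hv2 as the allowed primary if you want to reverse replication after a real failover.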
