2

I want to do a physical-to-virtual migration of a BSD server, keeping its IP address. The destination virtual host is Linux/KVM.

The current setup: I had a BSD server with failed hardware. I have just replaced it with a new server, and its hardware is too new to be used by BSD directly.

So I have Linux on the new server and want to move the BSD into virtualization with KVM.

I have a full HDD dump of the old server.

The problem is: I have only a single real IP and I should use this IP both in the guest and in the host.

I want to use the IP on the guest because it is a mail server and I want my Real IP to be used in mail headers.

The IP is also needed on the host because I have no other IP.

TCP services of the machines are:

  • sshd on host at a non-standard port;
  • sshd on guest;
  • SMTP of guest, POP3/IMAP of guest;
  • outgoing SMTP, HTTP, FTP requests must be enabled from guest.

Ports 22, 25, 53, 110 will just be forwarded from host to guest using iptables. If possible, I would also forward the guest's DNS server onto the real IP.

How should I configure KVM networking and libvirt to achieve the same IP usage in guest and host?

osgx
  • 583
  • 11
  • 26
  • The main task is to enable SMTP and POP3. DNS can be easily moved to host, so UDP access is not the problem to solve first. – osgx Jul 29 '11 at 09:51
  • 2
    Split your problem in two: making TCP/IP protocols work (for which you already have the answer: NAT), and getting the right IP address in the mail headers (for which the answer is to configure your MTA, so ask how to do this with whatever MTA you're using). – Gilles 'SO- stop being evil' Aug 03 '11 at 09:56
  • Gilles, so you think the MTA can put a false IP in the header if it is configured that way? – osgx Aug 03 '11 at 10:34
  • Given your description, some program decides to put a bunch of digits and dots in a header. If the digits and dots form an IP address, it's because the program chose to generate them in this way. So post a question saying you're sending mail with foo MTA, that it's generating a Bar: header with an IP address, and asking how to change what IP address is being put there. – Gilles 'SO- stop being evil' Aug 03 '11 at 12:07

4 Answers

5

Ugh... this is so NOT the suggested way of doing things, but what should work would be:

  • turn on IP forwarding on the host
  • assign the real IP to the host
  • assign the real IP to a loopback interface on the guest
  • assign IPs on a private subnet between host and guest
  • set up NAT on the host to DNAT incoming connections to the private IP of the guest
  • set up NAT on the host to SNAT outgoing connections from the guest's private IP to the real IP
  • set up NAT on the guest to DNAT incoming connections to the real IP
  • set up NAT on the guest to SNAT outgoing connections to the private IP of the guest

It's convoluted and ugly, but will probably work. This way the real IP can show up in, for example, mail headers and the guest will think that it's the owner of the real IP.

MikeyB
  • 38,725
  • 10
  • 102
  • 186
  • Hi! And what about ARP? Will NATted packets flow in the private subnet? Can you give a more verbose example of SNAT/DNAT (guest uses OpenBSD/pf, host uses linux30/iptables)? – osgx Aug 05 '11 at 00:25
  • 1
    What about ARP? ARP will work just fine as the host and guest communicate on their private IPs. I'm not going to be really verbose about it as ultimately you'll need to understand everything pretty well for it to actually work and to debug any problems that may crop up. I don't mean to sound too negative about it, but it's really an ugly problem that requires an ugly solution. – MikeyB Aug 05 '11 at 00:42
  • Alternately, can you upgrade your OpenBSD server so that it runs on the real hardware? – MikeyB Aug 05 '11 at 00:44
  • "Hardware is too new to be used by BSD directly." And bi-NAT is not ugly, it is just complicated. I understand this, but if you can, add iptables/pf rules here. – osgx Aug 05 '11 at 01:03
  • 2
    I can't for a few reasons: You need to understand this inside and out so you need to learn how to write them. There are *tons* of resources out there to help you learn to write the rules. And *I* don't know `pf` :) You have the idea - now try it out for yourself. – MikeyB Aug 05 '11 at 01:44
  • Even better - you should move to IPv6. Or at least create a tunnel on the host and do it from there. You'll have all the IPs you'll ever need! – MikeyB Aug 05 '11 at 01:56
  • No, I need a real-world IP, and not a mythical-world ip-for-nerds-please-use-ton-of-tunnels. Both the server and its clients are IPv4 w/o any IPv6. – osgx Aug 05 '11 at 02:36
  • This solution fits your request!!! except for the missing iptables!!! When I had fully understood the possibilities, I had arrived at this also, but in Windows and in Spanish. Swear that you understood the risks and @MikeyB will post the iptables here :) – Luis Siquot Aug 05 '11 at 12:35
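The comments above ask for concrete SNAT/DNAT rules for the layout MikeyB sketches. The script below is an added example, not code from the answer or its author: it emits (but does not apply) the host-side iptables rules and the guest-side OpenBSD pf.conf fragment, so the ruleset can be reviewed before anything touches a remotely administered box. The addresses (203.0.113.10 as the real IP, 192.168.122.10 for the guest), interface names, the management port 2222 and the forwarded port list are constructed placeholders. The only ports handed to the guest are the ones the question lists for it; the host's own sshd port is checked against that list first, because forwarding it would lock the administrator out of the host.

```shell
#!/bin/sh
# Added example, not code from the answer above. It emits (does not apply) the
# host-side iptables rules for the "bi-NAT" layout described there, plus the
# matching pf.conf fragment for the OpenBSD guest. All addresses, interface
# names and the 2222 management port are constructed placeholders.
REAL_IP="${REAL_IP:-203.0.113.10}"          # the single public IP (documentation range)
WAN_IF="${WAN_IF:-eth0}"                    # host NIC that carries the real IP
BR_IF="${BR_IF:-virbr0}"                    # libvirt bridge on the private subnet
GUEST_PRIV="${GUEST_PRIV:-192.168.122.10}"  # guest address on the private subnet
HOST_SSH_PORT="${HOST_SSH_PORT:-2222}"      # host sshd on a non-standard port, kept on the host
FORWARD_PORTS="${FORWARD_PORTS:-22 25 110}" # TCP ports handed to the guest (DNS stays on the host)

# check_ports SSH_PORT PORT...: fail if the host's own management port is among
# the ports about to be forwarded, which would lock the admin out of the host.
check_ports() {
    mgmt=$1; shift
    for p in "$@"; do
        [ "$p" = "$mgmt" ] && return 1
    done
    return 0
}

# Host side (Linux): per-port DNAT in, SNAT out, and a FORWARD chain that only
# admits the forwarded ports plus established flows.
host_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    for p in $FORWARD_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $GUEST_PRIV:$p"
        echo "iptables -A FORWARD -i $WAN_IF -o $BR_IF -p tcp -d $GUEST_PRIV --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $BR_IF -o $WAN_IF -s $GUEST_PRIV -j ACCEPT"
    echo "iptables -P FORWARD DROP"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $GUEST_PRIV -j SNAT --to-source $REAL_IP"
}

# Guest side (OpenBSD pf): the real IP lives on a loopback alias, and pf
# translates between it and the private address on the guest's only NIC.
guest_pf() {
    ports=$(echo $FORWARD_PORTS | tr ' ' ',')
    cat <<EOF
# ifconfig lo1 create && ifconfig lo1 inet $REAL_IP netmask 255.255.255.255
ext_if = "em0"
real_ip = "$REAL_IP"
priv_ip = "$GUEST_PRIV"
match in on \$ext_if proto tcp to \$priv_ip rdr-to \$real_ip
match out on \$ext_if from \$real_ip nat-to \$priv_ip
pass in on \$ext_if proto tcp to \$real_ip port { $ports }
pass out on \$ext_if
EOF
}

# Usage: review the output, then pipe host_rules to sh on the host and paste
# guest_pf into /etc/pf.conf on the guest.
if check_ports "$HOST_SSH_PORT" $FORWARD_PORTS; then
    host_rules
    guest_pf
else
    echo "refusing to forward the host's ssh port $HOST_SSH_PORT" >&2
    exit 1
fi
```

Two design points follow from the thread. ARP is not an issue, as MikeyB says: the host and guest only ever exchange packets on the private subnet, and the real IP on the guest sits on a loopback alias, so nothing answers ARP for it except the host's real NIC. And the FORWARD policy is DROP with explicit per-port accepts, so the guest exposes exactly the listed services and nothing else that happens to be listening on it.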
3

In order to achieve this:

  1. The host system needs to be configured with your "REAL IP"
  2. Your guest OS will need to be configured with NAT networking
  3. Services which you want to be served from your guest will need to be port forwarded by the host.

This is the only way I can think of achieving what you want; you cannot have two machines, physical or virtual, sharing the same IP address.

Oneiroi
  • 2,008
  • 1
  • 15
  • 28
  • if [2] is in action, guest will have a virtual IP, and not a real one? But I want guest to use RealIP. Can I rewrite this IP into virtual one with iptables? (Host has RealIP on external eth0; VirtHostIP on virtual bridge. Guest has RealIP on its en0, but it will be rewritten by iptables on virtual bridge into VirtGuestIP) – osgx Jul 29 '11 at 10:13
1

Instead of configuring the host with the real IP and guest with a private IP, you can do vice versa: Configure the guest with the real IP (because it runs the services) and set up a private network between the host and the guest. The host does not need to have a (real) IP address bound to the bridge interface which connects the real network interface to the guest. To access the host you need to first go through the guest.

The good thing about this solution is that you do not need NAT and thus your guest can run any protocols without problems and without configuring NAT rules in the host. Another thing is that your host will be more secure because it will not be accessible directly from the internet.

The downside is that if your guest does not work you cannot use it to connect to the host to troubleshoot the problem. This may be a problem if you do not have any other way to access the machine, if it is at a hosting provider, for example. Using IP-KVM to access the host in emergencies might be a solution for remote access in this case.

snap
  • 1,201
  • 9
  • 17
  • I have no other way to access the machine, it is remotely controlled only via SSH, no IP-KVM. (What is the typical price of IP-KVM? Can they control the power via the "power-button interface on motherboard" (low voltage two pins)?) – osgx Aug 02 '11 at 07:57
  • @osgx, ok, I was suspecting that. Nowadays many servers have IP-KVM (often a feature of IPMI) as a standard or optional component. It is basically another small computer within the server. I have good experience with one brand and bad experience with another (not sure if I can mention brands here?). I no longer use servers which do not have this functionality because it is very convenient (when it works). I can mount a boot CD over a network and access the console, including BIOS settings, as if I were physically at the machine. I do not know the prices of external units. – snap Aug 02 '11 at 12:08
  • My server has no iLO, IPMI/BMC, or other LOM – osgx Aug 02 '11 at 12:17
1

Do you need the host on an IP address for management purposes only?

You could consider something like this setup:

  • Attach real IP to virtual NIC in BSD VM
  • Add second virtual NIC to BSD VM, create a (private IP) subnet just for this, assign a static IP in this range to the VNIC
  • Attach host NIC to the private subnet on a different IP

Depending on your virtualization platform, this may involve different amounts of work. I've done something similar to this to firewall an ESXi host exposed to a public IP, when I did not have access to a hardware firewall (placing a VM on the public IP, ESXi host is only accessible through vswitch network).

VERY IMPORTANT - With this setup, you would need to connect through the BSD VM in order to perform remote maintenance on the host itself. If the host had issues and you lost connectivity, you would require KVM access in order to resolve. Also not a pretty solution.

[EDIT] I just realized snap had posted this same answer above me - whoops, I didn't read through all the posts before replying... I'll +1 his post.

jlehtinen
  • 1,958
  • 2
  • 13
  • 15
  • And again, yes, this is possible, but is hard to set up remotely. I can't even do a reboot to known-good config in case of fault. – osgx Aug 05 '11 at 22:05
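snap's and jlehtinen's answers describe the same bridged layout in words; what follows is an added example of how that looks in libvirt terms, not code from either answer. It emits the host commands for an address-less bridge on the real NIC, an isolated libvirt network that only the host and guest share, and the two interface elements for the guest's domain XML. Interface names (eth0, br0, virbr1), the network name `mgmt`, the 192.168.100.0/24 management range and the e1000 NIC model are constructed assumptions; nothing here is applied, the output is meant to be read and then fed to `ip` and `virsh`.

```shell
#!/bin/sh
# Added example, not from snap's or jlehtinen's answer. It emits the host-side
# commands and libvirt XML for the layout they describe: the guest owns the real
# IP on a host bridge that carries no address itself, and host and guest talk
# over a separate isolated libvirt network used only for management.
# Interface names, the network name and the 192.168.100.0/24 range are constructed.
WAN_IF="${WAN_IF:-eth0}"
PUB_BR="${PUB_BR:-br0}"                        # bridge to the real NIC; gets no IP on the host
MGMT_NET="${MGMT_NET:-mgmt}"                   # isolated libvirt network for host<->guest traffic
MGMT_HOST_IP="${MGMT_HOST_IP:-192.168.100.1}"  # host's address on that network

# Host commands: enslave the real NIC to an address-less bridge. Leaving the IP
# off br0 is what keeps the host unreachable from the internet.
host_bridge_cmds() {
    echo "ip link add $PUB_BR type bridge"
    echo "ip link set $WAN_IF master $PUB_BR"
    echo "ip link set $WAN_IF up"
    echo "ip link set $PUB_BR up"
}

# libvirt network definition: no <forward> element means an isolated network;
# the <ip> element puts the host on it so the guest can ssh to the host.
mgmt_net_xml() {
    cat <<EOF
<network>
  <name>$MGMT_NET</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='$MGMT_HOST_IP' netmask='255.255.255.0'/>
</network>
EOF
}

# Two NICs in the guest's domain XML: the first sees the real network and
# carries the real IP (configured inside BSD), the second is management only.
# e1000 is assumed here as a model an older BSD guest can drive.
guest_ifaces_xml() {
    cat <<EOF
<interface type='bridge'>
  <source bridge='$PUB_BR'/>
  <model type='e1000'/>
</interface>
<interface type='network'>
  <source network='$MGMT_NET'/>
  <model type='e1000'/>
</interface>
EOF
}

# Usage: run host_bridge_cmds on the host, save mgmt_net_xml to a file and
# "virsh net-define"/"net-start" it, then place guest_ifaces_xml inside the
# <devices> section of the BSD domain ("virsh edit").
host_bridge_cmds
mgmt_net_xml
guest_ifaces_xml
```

The caveat both answers raise is visible in the output: the host's only address is on the isolated network, so the sole path to it is through the guest, and a broken guest means no remote access to the host.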