Hi,

I am contemplating a SOHO network with 2 virtualization servers, and
virtualized network hardware.

I would like to know how rational this is, from a security standpoint and
from a stability standpoint.

Proposed host model, times 2:
  - 1x ethernet on-board
  - 4x ethernet card
  - SSD(s)

Backups and less-used VMs will be on separate hardware NAS, maybe a
Synology.

My intent is to donate all physical NICs to virtualized routers.

My network configuration would be as follows:

R1: External firewall/router.
    - Connects to DMZ and NAT networks, and to VPN endpoint.
R2: NAT.
    - Connects to main router.
    - This is a SOHO router appliance and will be the only wireless
      component.
    - Can access DMZ and VPN endpoint as though it were on the greater
      Internet.
    - No VMs here.
    - This is where all the guests and digital cockroaches go.
R3: VPN endpoint.
    - Connects to main router, or alternately the endpoint exists inside
      DMZ.
    - Only public route to the VPN-secured network, of course.
R4: Private-only.
    - Absolutely everything blocked unless initiated from inside.
    - Outbound blocked except for specific cases (software updates).
    - Contains the VM hosts' virtual network connection.

Just to be clear, there are 3 virtualized routers and 1 physical router.
The virtualized routers have one or more physical interfaces as needed.
The physical interfaces will be VLAN-aware, 802.1q compliant.  I guess
that some of the virtual interfaces will need to be as well.

OK so here's the complication:
I want to know if it's rational to have R1, R3 and R4 be virtual routers.

I would like to mirror the routers on both VM hosts, so if one host goes
down I have another one available just by swapping wires.

It would be nice if I can make these redundant routers active, so speed
between VMs on the same host can be fast.

Is it risky to have VMs on the same host be on different networks?

Am I going about this the wrong way?

Thanks.
