Internal Routing with XenServer and Vyatta

A couple weekends ago I spent some time getting Vyatta Core 6.1, vyatta-xenserver_VC6.1-2010.10.16_i386 to be precise, deployed in my lab. I found a few tutorials for configuring Vyatta with VMware products, but didn’t really see anything for XenServer. Citrix highlighted the possibilities fairly soon after the XenSource acquisition in a blog post, but that was a couple years ago. Since then Vyatta and Citrix have announced a closer partnership and Vyatta was even part of the C3 Cloud Bridge blueprint. All positive signs that it should be fairly painless, so off we go.

First and foremost you need to download the latest version of their XenServer virtual appliance. If you’re a newbie to Vyatta, like I was, you’ll probably want to grab some documentation as well. The great thing about the appliance is you don’t need to muck about with a custom installation. Once you’ve imported the virtual appliance you should have a new template ready for VM deployments (in my case it was called: vyatta-xenserver_VC6.1-2010.10.16_i386).

XenServer Networks

You can see in the screenshot above that I’m using 3 physical NICs in my XenServer. The on-board NIC is a dedicated management interface (highlighted in the screenshot) and I’ve bonded a pair of Intel NICs for VM traffic. The third network, without a physical NIC associated to it, is an internal-only network and the primary reason I want the Vyatta router.

With my networks outlined, I’ll walk through the process of configuring the Vyatta router so that the internal-only network (remember: 192.168.48.x/24) can access the lab network (remember: 192.168.24.x/24).

New VM

Using the imported template, create a new VM, adjusting the settings as appropriate until you get to the networking configuration. Ensure a virtual interface is added for both the lab and internal-only network(s). Treat the router like you would any other VM; it doesn’t need an interface on the management network, unless you’re using it for VM traffic as well.

Networking Config

Complete the VM setup and have it boot up automatically. To log in, use the default credentials: vyatta/vyatta.

Vyatta Console

Initially, we’re going to configure each interface with an IP address and enable SSH access. You’re not required to use SSH to complete the configuration, but it will allow you to access the CLI without XenCenter in the future.

configure
set interfaces ethernet eth0 address 192.168.24.254/24
set interfaces ethernet eth1 address 192.168.48.254/24
set service ssh
commit

You should now have a rudimentary configuration up and running. The two networks won’t be able to communicate with each other yet, but you should definitely be able to ping each interface from another device on the same network segment. In order to get the internal-only network talking to the lab network we’ll configure a NAT rule to pass traffic back and forth.

set service nat rule 1 source address 192.168.48.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
commit

If you were to stop here, any VM on the internal-only network using 192.168.48.254 as its default gateway would have access to the lab network, BUT it won’t be able to access the Internet. This may not be a big deal in your environment, but I still wanted to access OS updates, software installs, etc. without jumping through too many hoops. To achieve that we need to configure the router to use the default gateway on the lab network.

set system gateway-address 192.168.24.1
commit

Test your setup. From a VM on the internal-only network you should be able to ping hosts on the lab network and the Internet. To save the configuration so it persists after a reboot, run this final command in the CLI.

save

The last thing I did in my environment was configure a static route on my wireless router so that devices on the lab network can access the internal-only network without any client-side modifications. I’m running Tomato v1.28 on a Linksys WRT54G, so adding the static route is under Advanced -> Routing. The exact method for performing this step depends on your wireless router, but the gist of it is that you want all traffic destined for the internal network (192.168.48.x in my case) to use the Vyatta router’s interface as its gateway (192.168.24.254 if you’re following my example).
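To tie the steps above together, here is an added example (my own, not part of the original post or the Vyatta appliance) that models the whole data path in plain Python: it renders the same CLI session the post builds up in stages, checks the addressing for the mistakes that silently break it (NAT source on the wrong side, default gateway not on the outbound interface), and then simulates the forwarding decision for a packet from the internal-only network with and without the default gateway, plus the wireless router's static-route lookup. The interface names, addresses and the ISP label are assumptions that simply mirror the post's lab; swap in your own.

```python
import ipaddress

# Constructed lab parameters mirroring the post's addressing (eth0 = lab side,
# eth1 = internal-only side). These values are assumptions for this example.
ROUTER_IFACES = {
    "eth0": "192.168.24.254/24",
    "eth1": "192.168.48.254/24",
}
NAT_SOURCE = "192.168.48.0/24"
NAT_OUT_IF = "eth0"
DEFAULT_GW = "192.168.24.1"


def _ifaces(router):
    return {name: ipaddress.ip_interface(addr) for name, addr in router.items()}


def validate(router, nat_source, nat_out_if, default_gw):
    """Return a list of consistency problems in the intended configuration (empty == OK)."""
    problems = []
    ifaces = _ifaces(router)
    src_net = ipaddress.ip_network(nat_source)
    if nat_out_if not in ifaces:
        problems.append(f"NAT outbound-interface {nat_out_if} is not a configured interface")
    inside = [n for n, i in ifaces.items() if i.network == src_net]
    if not inside:
        problems.append(f"NAT source {src_net} is not one of the router's attached networks")
    elif nat_out_if in inside:
        problems.append(f"NAT source {src_net} sits on the outbound interface {nat_out_if}")
    gw = ipaddress.ip_address(default_gw)
    gw_ifs = [n for n, i in ifaces.items() if gw in i.network]
    if not gw_ifs:
        problems.append(f"default gateway {gw} is not on any attached network; the route is unusable")
    elif nat_out_if not in gw_ifs:
        problems.append(f"default gateway {gw} is reached via {gw_ifs[0]}, not the NAT outbound "
                        f"interface; Internet-bound traffic would leave un-translated")
    return problems


def render(router, nat_source, nat_out_if, default_gw):
    """Emit the Vyatta CLI session that applies the configuration, in the order the post uses."""
    lines = ["configure"]
    for name, addr in router.items():
        lines.append(f"set interfaces ethernet {name} address {addr}")
    lines += [
        "set service ssh",
        f"set service nat rule 1 source address {nat_source}",
        f"set service nat rule 1 outbound-interface {nat_out_if}",
        "set service nat rule 1 type masquerade",
        f"set system gateway-address {default_gw}",
        "commit",
        "save",
    ]
    return lines


def forward(router, nat_source, nat_out_if, default_gw, src, dst):
    """Model the Vyatta router's decision for one packet.

    Returns (egress interface, next hop, source address after NAT), or None when
    the packet has no route (the 'stopped before setting the gateway' case).
    """
    ifaces = _ifaces(router)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = next_hop = None
    for name, iface in ifaces.items():      # directly connected networks win
        if dst in iface.network:
            egress, next_hop = name, dst
            break
    if egress is None:                      # otherwise fall back to the default route
        if default_gw is None:
            return None
        gw = ipaddress.ip_address(default_gw)
        for name, iface in ifaces.items():
            if gw in iface.network:
                egress, next_hop = name, gw
                break
        if egress is None:
            return None
    new_src = src
    if src in ipaddress.ip_network(nat_source) and egress == nat_out_if:
        new_src = ifaces[egress].ip         # masquerade: rewrite to the egress address
    return (egress, str(next_hop), str(new_src))


def lab_router_next_hop(static_routes, upstream, dst):
    """Model the wireless router: a matching static route wins, else the packet goes upstream."""
    dst = ipaddress.ip_address(dst)
    for prefix, next_hop in static_routes.items():
        if dst in ipaddress.ip_network(prefix):
            return next_hop
    return upstream


if __name__ == "__main__":
    print("\n".join(render(ROUTER_IFACES, NAT_SOURCE, NAT_OUT_IF, DEFAULT_GW)))
    print(validate(ROUTER_IFACES, NAT_SOURCE, NAT_OUT_IF, DEFAULT_GW))
    print(forward(ROUTER_IFACES, NAT_SOURCE, NAT_OUT_IF, DEFAULT_GW, "192.168.48.10", "8.8.8.8"))
    print(forward(ROUTER_IFACES, NAT_SOURCE, NAT_OUT_IF, None, "192.168.48.10", "8.8.8.8"))
    print(lab_router_next_hop({"192.168.48.0/24": "192.168.24.254"}, "ISP", "192.168.48.10"))
```

The simulation makes the asymmetry of the setup visible: traffic the internal VMs initiate toward the lab or the Internet is masqueraded behind 192.168.24.254, so replies find their way back without any help, whereas a lab host that initiates a connection to 192.168.48.x only reaches it once the wireless router has the static route, because nothing on the lab network otherwise knows where that prefix lives. Since the session also turns on SSH, change the vyatta account's default password at the same time (Vyatta's `set system login user vyatta authentication plaintext-password` does this) before the router is reachable from the lab side.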

And with that, you should now have an internal-only network that’s completely accessible from the lab network, but allows you to retain greater control of the isolation. Need a DHCP server for PVS? Want to test the Branch Repeater VPX on separate networks? Start exploring and leave me your feedback in the comments.

-LF

Hello XenCenter Consoles+

First, I’d like to say thanks to everyone that checked out Better XenCenter. The response to my first release has been extremely positive and for that I’m thankful. As a way to show my appreciation, I’ve got a new version of the plugin for everyone. New features include:

  • Revamped the tab pages. Instead of assuming the URL and always going there, you now have to configure a custom field called xcpURL and provide the URL you would like loaded. This enables support for HTTPS & FQDNs and by extension can reduce the security warning dialogs.
  • Added an About page which includes detailed usage instructions. It’s a “xencenter-only” tab, so it’ll be on the parent XenCenter node.

The other major change is that I’ve renamed the plugin to XenCenter Consoles+. I think it’s a more fitting name and removes the implied deficiency in XenCenter itself.

Announcing the Better XenCenter plugin

UPDATE (01/23/2011): The Better XenCenter plugin has been renamed XenCenter Consoles+. The old landing page will redirect you to the new one automatically. See my announcement for details on the name change.

A lot of people may not be aware of this, but XenCenter, the management console for Citrix XenServer, supports 3rd-party plugins and even has a community site for people interested in developing their own. I’m proud to say that I’m now one of those people. I’ve spent the last couple weeks working on a new XenCenter plugin that I call Better XenCenter.

Inspired by the Access Gateway, NetScaler and Branch Repeater VPX plugins already available on the community site I decided to replicate their functionality, but also expand upon it to include other management consoles. Right now Better XenCenter supports 10 different management consoles and I intend to keep it updated as I test new virtual appliances or receive requests from the XenServer community. Find out more about the plugin on its dedicated page: Better XenCenter.

You should expect to see a few updates in the coming weeks, as I plan to enhance the plugin’s functionality with a PowerShell configuration script and support for custom URLs. I’m also planning to include some PowerShell scripts that automate routine CLI tasks. I’ve got a couple brewing and am always open to requests/feedback from others.

Leave a comment below or on the project page with your questions or requests.

One Password to Rule Them All

In Matt Martin’s post, A confession: Three workshifting sins, he admits to a pretty common practice: using the same password on multiple websites. I’ve done it. I bet you’ve done it, too. Well, no more, I say. I’ve got a few recommendations for password management tools that should help prevent you from ever re-using the same password again.

KeePass: For the longest time I was using KeePass as my primary password management tool. It’s open source and came with a strong recommendation from my security buddies, not to mention the countless posts about it on Lifehacker. The only reason I switched is because their cross-platform support is somewhat limited. I love the Windows client and made do with the Mac client, but after I added the iPad to my arsenal of devices I got a little tired of the different user interfaces across the different platforms. You can easily couple KeePass with Dropbox to help you synchronize the database across your computers.

1Password: I didn’t test 1Password personally, but received numerous recommendations for it from my colleagues. The only reason I didn’t give it a test drive is because they are heavily slanted towards Apple devices. They have a client for Mac, iPhone/iPad, and a beta client for Windows. One of the cool things about 1Password is that they have a dedicated section for managing software licenses. What’s more, they also allow you to attach files to your entries.

eWallet: Like 1Password, eWallet is designed to be used for more than just password management. Think of eWallet like a secure digital wallet with all of your important information locked up inside it. They’ve got great mobile support (iPod touch/iPhone/iPad, Blackberry, Palm, Windows Mobile), but only have a client for Windows PCs.

SplashID: SplashID, by far, has the most comprehensive cross-platform support without going to a browser-based tool like LastPass. Their clients provide support for customizable record types, which means you can store just about anything you want in their AES/256-bit Blowfish encrypted database. I highly recommend you give SplashID a thorough review before making your final decision.

LastPass: As their name indicates, LastPass positions itself as the last password you’ll ever need to remember. Unlike all of the other password management tools listed above, this is the only one that doesn’t have a traditional OS-dependent installer. Instead you install the LastPass extension (IE, Safari, Firefox and Chrome are supported) and it automatically integrates with your browser. They also have an app for the iPhone/iPad.

Personally I decided to use LastPass. They’ve got an excellent subscription-based license model (unlike most of the others that are per OS/platform) and most importantly it integrated with my regular workflow. When I was using KeePass I didn’t always update it with new usernames/passwords so I would eventually end up re-using passwords to keep things simple. Now that LastPass automatically stores my usernames and passwords and automatically fills in forms I’ve gotten to the point where I only need to remember my password for LastPass. I’ve even gone so far as to use their auto-generated, super-crazy passwords. What’s more secure than not knowing your own 20-digit password?

Do you have a favorite password management tool that’s made your life easier? Leave us a note; we’d love to hear about it.

[ This post was originally contributed to Workshifting.com. ]