Currently the iptables firewall running on Xen and KVM hypervisors prevents using a VM as a gateway device for other VMs. Because of this, Vyatta is the only solution if you want your customers to be able to create a VPN to their resources in the cloud. On top of that, you can only use Vyatta with VMware. pfSense is a great alternative to Vyatta, and it is easy to set up in a XenServer environment, so I'd like to be able to use pfSense as a VM in OnApp.
If you disable the iptables service on a KVM or Xen hypervisor, you will see that you are then able to use a VM as a gateway device for other VMs. As such, you can then use solutions other than Vyatta for VPNs. You can also then set up firewall rules, NATing, etc.
The use of iptables at the hypervisor level is understandable: it provides isolation between VMs, and it will prevent IP conflicts between VMs if the wrong IP is configured. However, there should be more control over the function of these iptables rules. If you are used to running other stand-alone hypervisors like XenServer, then you will know it is very easy to set up private networks and only have a firewall/VPN VM like pfSense visible to the outside world.
One way to solve this issue could be to allow the creation of private networks where the hypervisors' iptables rules do not apply to traffic between VMs on that private network.
So the feature request is to:
1.) Allow the creation of private networks on which the hypervisor iptables rules allow unrestricted access between every VM on that network
2.) Allow either specific public IPs or a network to be specified to act as a gateway into the aforementioned private networks
3.) These two things should allow any VM to be set up as a gateway device for a private network, but specifically I am looking to be able to use pfSense VMs, so the ability to add a pfSense firewall the same way you add a Vyatta firewall would be nice.
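As an added example (not part of the original request, and not OnApp's actual rule set), here is a small POSIX shell model of what the three items above mean at the iptables level: per-VM anti-spoofing rules on the hypervisor's FORWARD chain, an exemption for traffic that stays on a private bridge (item 1), an exemption for a designated gateway VM (items 2 and 3), and an awk walker that reports the verdict a given packet would get. The interface names (vif1.0, vif2.0, brpriv0, br0), the IP addresses and the default-ACCEPT policy are all assumptions for illustration; the generator only prints the iptables commands, it does not apply them.

```shell
#!/bin/sh
# Added example: model hypervisor anti-spoofing rules and the two exemptions
# the feature request asks for. Names and addresses are constructed, not OnApp's.

# Per-VM anti-spoofing as a hypervisor typically applies it on a bridge:
# frames entering from a VM's tap ($1) may only carry that VM's own IP ($2);
# anything else from that tap is dropped. This is exactly what stops a VM
# from routing for other VMs: a gateway forwards packets with foreign sources.
vm_antispoof_rules() {
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -s %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j DROP\n' "$1"
}

# Build the whole FORWARD chain in final order.
#   $1 = private bridge whose internal traffic is unrestricted ("" = none)
#   $2 = tap of the VM allowed to act as a gateway ("" = none)
# Bridged frames are seen by iptables with -i/-o set to the bridge device, so
# "-i brpriv0 -o brpriv0" matches traffic that both enters and leaves via the
# private bridge, i.e. VM-to-VM traffic on the private network (item 1).
build_chain() {
    if [ -n "$1" ]; then
        printf 'iptables -A FORWARD -m physdev --physdev-is-bridged -i %s -o %s -j ACCEPT\n' "$1" "$1"
    fi
    # Designated gateway VM: relax the source check on its tap only (items 2/3).
    if [ -n "$2" ]; then
        printf 'iptables -A FORWARD -m physdev --physdev-in %s -j ACCEPT\n' "$2"
    fi
    vm_antispoof_rules vif1.0 10.0.0.5          # ordinary VM (assumed address)
    vm_antispoof_rules vif2.0 198.51.100.10     # pfSense VM (assumed public IP)
}

# Walk a chain read from stdin (one "iptables -A FORWARD ..." line per line)
# and print the verdict for one packet, first match wins:
#   $1 = tap the frame came from, $2 = source IP, $3 = bridge in, $4 = bridge out
# Chain policy is assumed to be ACCEPT when nothing matches.
chain_verdict() {
    awk -v tap="$1" -v src="$2" -v bin="$3" -v bout="$4" '
    {
        t = ""; s = ""; bi = ""; bo = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--physdev-in") t = $(i + 1)
            else if ($i == "-s") s = $(i + 1)
            else if ($i == "-i") bi = $(i + 1)
            else if ($i == "-o") bo = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if ((t == "" || t == tap) && (s == "" || s == src) &&
            (bi == "" || bi == bin) && (bo == "" || bo == bout)) {
            verdict = target; exit
        }
    }
    END { print (verdict == "" ? "ACCEPT" : verdict) }'
}

# Demonstration: the pfSense VM on vif2.0 forwards a packet for 192.0.2.7,
# a host behind the VPN it terminates (constructed scenario).
echo "Chain with per-VM anti-spoofing only:"
build_chain brpriv0 ""
printf 'gateway forwarding 192.0.2.7 -> %s\n' \
    "$(build_chain brpriv0 "" | chain_verdict vif2.0 192.0.2.7 br0 br0)"
printf 'VM1 spoofing 10.0.0.99     -> %s\n' \
    "$(build_chain brpriv0 "" | chain_verdict vif1.0 10.0.0.99 br0 br0)"
printf 'VM-to-VM on brpriv0        -> %s\n' \
    "$(build_chain brpriv0 "" | chain_verdict vif3.0 10.10.0.2 brpriv0 brpriv0)"

echo "Chain with vif2.0 designated as gateway:"
build_chain brpriv0 vif2.0
printf 'gateway forwarding 192.0.2.7 -> %s\n' \
    "$(build_chain brpriv0 vif2.0 | chain_verdict vif2.0 192.0.2.7 br0 br0)"
```

The point of the model is that the anti-spoofing DROP is what disabling the iptables service removes for every VM at once; the two exemptions keep that protection for ordinary VMs and lift it only where the request needs it (inside a private bridge, and on the one tap designated as a gateway).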