Hello,
I wouldn’t normally virtualize a router/firewall but since this doesn’t have a WAN interface I’m not as concerned about a security breach of the underlying hypervisor platform (only very, not extremely).
We use KVM/QEMU/Libvirt for virtualization and our virtualization hosts have an uplink to a trunk port on our switches where all VLANs are tagged. To give a virtual guest access to a specific VLAN we create a VLAN interface on the virtualization host and create a bridge for that VLAN interface and use the bridge as an interface for the guest that needs a particular VLAN. This works well.
For a VyOS install we use VLANs and firewall zones extensively and do this by abstracting the physical interfaces (NICs) via a bonded interface, so our interface names are bond0.10, bond0.20, bond0.40, etc., with bond0 being 1 or 2 real interfaces. This is easy on bare metal since it links up to a trunk port, and if we want a new VLAN/Zone we add a new bond0.X in VyOS and a new VLAN on the switch.
With virtualization I’d have to have 10-30 “real interfaces” (the bridges on the virtualization host). So instead of bond0.10, 20, 40, etc., it would be eth1, eth2, eth3, etc., named according to their associated VLANs. This in my opinion would be error-prone and is too much overhead (mentally). In this scenario, to add a new VLAN/Zone I’d have to add the VLAN to the switch, create the VLAN and bridge interfaces on the virtualization host and reload the network config to make it active, add the new bridge to the VyOS guest as a new NIC, then configure the new NIC in VyOS (and I’m not sure if the new NIC will show without rebooting the guest).
Instead I could dedicate a physical interface to the VyOS guest and continue as if it were bare metal (interface-configuration-wise). But here I think I’d lose out on allowing other guests to use the dedicated interface.
I’ve read something about VLAN aware bridging but didn’t understand it enough to know if it applies.
I haven’t used Open vSwitch and don’t know if it could be used to keep things mentally simple and manageable.
Have any of you found a maintainable and reliable method of using multiple VLANs with a VyOS virtual guest, and do you have any other experiences with using VyOS as a virtual guest that only became obvious once it was put into production?
Thank you.
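An added example (not from the original post) that scripts the host-side steps the post describes, one VLAN subinterface plus one bridge per VLAN, deriving both names from the VLAN id so the guest NIC to VLAN mapping is obvious; it assumes the trunk uplink is bond0, that iproute2 (`ip link`) is available, and that it is run as root to apply (with DRY_RUN=1 it only prints the commands for review).

```shell
#!/bin/sh
# Added example, not the poster's or VyOS's own code. Builds the per-VLAN
# bridge stack on a KVM/libvirt host: bond0.<vid> -> br-vlan<vid> -> guest vNIC.
# Assumptions: uplink bond0 is a trunk with all VLANs tagged; iproute2 present.
# DRY_RUN=1 prints the commands instead of executing them.

vlan_ifname() { printf '%s.%s' "$1" "$2"; }   # e.g. bond0.20
bridge_name() { printf 'br-vlan%s' "$1"; }    # e.g. br-vlan20

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_vlan_bridge <uplink> <vlan-id>
create_vlan_bridge() {
  uplink=$1; vid=$2
  case $vid in
    ''|*[!0-9]*) echo "invalid VLAN id: $vid" >&2; return 1 ;;
  esac
  [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || { echo "VLAN id out of range: $vid" >&2; return 1; }
  vif=$(vlan_ifname "$uplink" "$vid")
  br=$(bridge_name "$vid")
  # VLAN subinterface on the trunk uplink.
  run ip link add link "$uplink" name "$vif" type vlan id "$vid"
  # Bridge with no IP address on the host side: the hypervisor has no L3
  # presence in the guest's VLAN, it is only an L2 path to the guest vNIC.
  run ip link add name "$br" type bridge
  run ip link set dev "$vif" master "$br"
  run ip link set dev "$vif" up
  run ip link set dev "$br" up
}

# libvirt_iface_xml <vlan-id>: <interface> snippet to attach to the guest
# (e.g. via virsh attach-device), pointing at the bridge for that VLAN.
libvirt_iface_xml() {
  printf "<interface type='bridge'><source bridge='%s'/><model type='virtio'/></interface>\n" "$(bridge_name "$1")"
}

# Usage: DRY_RUN=1 sh vlan-bridge.sh bond0 20
if [ $# -eq 2 ]; then create_vlan_bridge "$1" "$2"; libvirt_iface_xml "$2"; fi
```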