Simplification of pfSense and private IPs in different datacenters - Virtual Network?

mulesky Member

Hi there,

I always try to optimize my network, and I'm wondering if there is a smart solution available for the following:

Right now, I have some dedicated servers, where virtualized KVM machines with private IPs are running. On dedi1 I use 192.168.1.xxx, on dedi2 192.168.2.xxx and so on. On all dedis I run pfSense (moving to OPNsense), where I have the secure OpenVPN connections to reach any KVM on any dedi.

As soon as I order a new dedi, I need to update all pfSense installations so the new dedi is reachable, or insert all other dedis into the new dedi's pfSense installation.

When I am at a single provider I can use a virtual network to manage this, but unfortunately all my dedis are at different providers. Perfect would be some open source virtual network software, which does not involve too much work when adding or removing dedis.

Thank you so much!

Comments

  • YKM Member

    Webmin has clustering that can send commands to each member, maybe that?

    Opnsense is much much better imo :)

  • mulesky Member

    Yes, that's why I'm changing to OPNsense. Basically, all I need is to be able to ping any KVM in my network, regardless if it's on the same server or somewhere else. I have to look into webmin cluster, but that tool might be an overload.

  • Tr33n Member
    edited May 2020

    I don't know about pfSense, but you can do that quite simply with a Mikrotik software router using EoIP: https://wiki.mikrotik.com/wiki/Manual:Interface/EoIP

  • rm_ IPv6 Advocate, Veteran
    edited May 2020

    Some time ago I would use a Tinc VPN in L2 mode with a range of ULA (private) IPv6 addresses on each server for VMs, and radvd, so that each server would announce its designated ULA subnet into the Tinc network with route advertisements, and other servers would automatically know how to reach it, without any reconfiguration for each, or even logging in to them at all.

    IPv6 route advertisements let you run a toy routing protocol like that, something an order of magnitude simpler than BGP or OSPF.

    But now there's a much faster and simpler WireGuard VPN, so I switched to that, and have largely removed my Tinc network by now. The problem is that WireGuard is L3, not L2, so you can't run RA over it. So instead I built a set of custom shell scripts to set up WireGuard, and automatically log in to each server via ssh to mass-update everything when needed.

    So my ideas summarized are Tinc+ULA+RAs, or building some automation of WG, or perhaps exploring where I stopped short for now, i.e. a real routing protocol such as OSPF. But another and a massively simpler solution, if you want to reach any VM by its own IP regardless of where it is, would be to just deploy IPv6 and use the global addresses, not any kind of private IPs. For me that was not an option because not all locations that I use provide native IPv6 and enough of it (at least a /60 or more). Solving that with IPv6 tunnels from HE.net or via tunneling some subnets from another location might be doable, but that's already not as "simple" as native.
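    The "automation of WG" idea above, and the original poster's problem of touching every firewall whenever a dedi is added, both come down to generating a full-mesh WireGuard config from one inventory. The following is an added illustration, not rm_'s scripts or any project's code: the node list, endpoints, key strings and subnets are constructed placeholders, and a hypothetical `wg_config()` renders one peer section per remote dedi. The security point is that WireGuard's `AllowedIPs` is both the route and the cryptokey-routing filter, so a peer can only send packets sourced from its own tunnel address and its own VM subnet.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    endpoint: str   # public IP:port of this dedi's WireGuard listener
    pubkey: str     # constructed placeholder, not a real WireGuard key
    wg_addr: str    # address of this dedi on the WireGuard interface
    vm_subnet: str  # private subnet used by the KVM guests on this dedi

# Constructed inventory (hypothetical); adding a dedi means adding one line here.
NODES = [
    Node("dedi1", "198.51.100.10:51820", "PUBKEY_DEDI1_PLACEHOLDER=", "10.99.0.1/32", "192.168.1.0/24"),
    Node("dedi2", "198.51.100.20:51820", "PUBKEY_DEDI2_PLACEHOLDER=", "10.99.0.2/32", "192.168.2.0/24"),
    Node("dedi3", "198.51.100.30:51820", "PUBKEY_DEDI3_PLACEHOLDER=", "10.99.0.3/32", "192.168.3.0/24"),
]

def check_inventory(nodes):
    """Refuse to render if two dedis claim overlapping VM subnets: the
    AllowedIPs routing table would otherwise silently prefer one of them."""
    nets = [ipaddress.ip_network(n.vm_subnet) for n in nodes]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping VM subnets: {a} and {b}")
    return True

def wg_config(local: Node, nodes) -> str:
    """Render the wg-quick style config for one dedi as a full mesh."""
    check_inventory(nodes)
    lines = [
        "[Interface]",
        f"Address = {local.wg_addr}",
        f"ListenPort = {local.endpoint.rsplit(':', 1)[1]}",
        # The private key stays on the host; it is never part of the inventory.
        f"PrivateKey = __REPLACE_WITH_CONTENTS_OF_/etc/wireguard/{local.name}.key__",
    ]
    for peer in nodes:
        if peer.name == local.name:
            continue
        lines += ["", f"# {peer.name}", "[Peer]",
                  f"PublicKey = {peer.pubkey}",
                  f"Endpoint = {peer.endpoint}",
                  # Route to the peer's VM subnet AND the only sources accepted from it.
                  f"AllowedIPs = {peer.wg_addr}, {peer.vm_subnet}",
                  "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"

def all_configs(nodes):
    """One rendered config per dedi, keyed by node name, ready to push over ssh."""
    return {n.name: wg_config(n, nodes) for n in nodes}
```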

  • kolie Member

    I set up iBGP/OSPF between all my routers at each datacenter. Adding the route in one router propagates it to the others. I use IPsec/GRE between sites and route the IGP over that.

    My understanding of Mikrotik/EoIP is that it's effectively the same thing for tunneling. I believe it extends your L2 to other DCs.

  • PHDan Member

    Used to use Tinc; want to use WireGuard if there's ever a mesh for it. For now ZeroTier, self-hosted controller.

  • Levi Member

    Any software to centralise firewall management for a bunch of different VPSes? Preferably open source, free.
