Welcome to the Sophos User Bulletin Board.
If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Reply
 
LinkBack Thread Tools Display Modes
Member
Join Date: May 2010
Posts: 47
#1 (permalink)  
Old 12-12-2012, 12:13 PM
Default Astaro in a ESXi VM, best network setup?

I've used Astaro previously in a VM running on a Windows host but have now finally updated to a full ESXi setup. I have more options available here for the network setup then I did within the Windows host, so I'm wondering what the best way to setup Astaro would be.

I have plenty of physical NIC ports to pass through and dedicate 2 ports to Astaro, one for the WAN, the other for the LAN. I figure this would be best as there would not be a need for the network traffic to transverse through the emulated VMXNET 3 (lots of gamers in the home so ping times are a concern, however small the affect may be). However, the ESXi will also be running a couple of VMs that will need access to the WAN, so keeping the network traffic entirely on a vSwitch for those VMs instead of having to go through 2 physical NICs and a physical switch seems like a more logical choice. However, being that this is also just a cable internet connection (30Mbps/5Mbps), I'm unsure which setup would be the best performing, or if it even matters with these speeds.

Maybe a compromise of 2 NICs pass-through (WAN, LAN) and a vswitch on a 3rd to bridge in Astaro with the LAN nic?
Reply With Quote
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 12,031
#2 (permalink)  
Old 12-13-2012, 07:28 PM
Default

Hi,

1. make sure you use the VMXNET2 or 3 or e1000 NIC driver emulator in VMWare; the 'flexible' VMWare driver is terrible with Linux.

2. If the other VMs could be put in a DMZ, then you could have, in Astaro:
WAN interface (physical NIC)
LAN interface (physical NIC)
DMZ interface (virtual NIC to vSwitch)


This should perform well, and provide good security.

If your VMs need to be on LAN, then yes, you should be able to use some bridging to get what you need, or just put the entire LAN on the vSwitch and don't dedicate a NIC to the Astaro LAN side; it should perform fine.

Barry
__________________
http://BlogSec.net
http://JobOyster.com
http://DealBert.net
IT Consultant specializing in high-performance Web Infrastructure and Security.
Astaro End-user since v1.x
  • ASL 9.2x, HP DL360G5 - FW, IPS, VPNs
  • ASL 9.2x, 2 Dell 1950's as WAF/proxy w HA
  • UTM 9.1x, Atom n270, 2GB RAM, 2 Intel GigE
    Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs.
    60/60mbit FiOS internet.
  • Pending - UTM 9.2x, i5-4670, 4GB RAM, 2 Intel GigE
    Needs new NIC drivers before deploying

Last edited by BarryG; 12-13-2012 at 07:42 PM.
Reply With Quote
Junior Member
Join Date: Jan 2013
Posts: 2
#3 (permalink)  
Old 01-22-2013, 01:33 PM
Default Flexible driver should not be used ever

Unfortunately even with the newest UTM 9.003 download the subsequent OVF template that creates the VM has a flaw in that it uses the Flexible adapter. Perhaps this was just my issue but it caused all sorts of havoc for me with an AT&T Uverse installation.

I've been using the Astaro product for a very long time now 8-10 years and until recently was running on Comcast 50mbps/10mbps internet with a bridged SMC business router providing a static IP to my vnic no problems. When I changed to the Uverse gateway model 3801HGV I encountered erratic downloads and response times.

A long long story short spanning many days of testing the resolution was the adapter which was flexible and using the vlance. Remember this was a clean install of UTM 9.003 (2 days ago) and I followed the install perfectly. I ended up changing the Guest operating system from Linux Other 64-bit to Suse Linux Enterprise 10 64bit and used the VMXNET 3 adapter for LAN and WAN.

Works great now same speeds and response that my laptop gets connected to the 3801HGV directly. Hope this helps someone out.
Reply With Quote
BrucekConvergent's Avatar
Master of Reality
Join Date: Oct 2005
Location: SC, USA
Posts: 4,841
#4 (permalink)  
Old 01-22-2013, 01:48 PM
Default

I've always told people that are setting up the UTM on ESXi to just do a clean install, choosing Other 2.6x 64 bit Linux as the machine type, and using VMXNET2/3 NICs -- this avoids the pre-packaged machine's issues. Not sure why they still ship the pre-built appliance this way, maybe it's for backward compatibility with an older version of ESX, who knows. The last poster is absolutely right, never use Flexible NIC with the UTM in a virtual installation.
__________________
Convergent Information Security Solutions, LLC
Sophos Platinum Solution Partner
Reply With Quote
Junior Member
Join Date: Jan 2013
Posts: 2
#5 (permalink)  
Old 01-22-2013, 02:12 PM
Default

I stand corrected, other Guest operating system type "Other 2.6x Linux" does allow VMXNET2 and 3 also E1000. So selecting Suse Linux Enterprise 10 wasn't necessary. In my case the OVF deployment had it set for "Other Linux 64bit" which did not allow me to select other adapters.

Thanks Bruce and an Astaro/Sophos engineer has been made aware of this issue hopefully it will get to the correct people.
Reply With Quote
Junior Member
Join Date: Feb 2013
Posts: 1
#6 (permalink)  
Old 02-27-2013, 01:25 AM
Default

I, too, am having very bad latency with ssh sessions locking up (if it really is latency...). I installed via the OVF template which already has the "flexible" driver. The only way I could work out to use the vmxnet module is to edit the .vmx file on the esx box itself. Just replace "flexible" with "vmxnet3". I don't know if this will solve my particular problem, am now doing testing.
Reply With Quote
ASG Field Medic
Join Date: Sep 2011
Location: Vancouver, Canada
Posts: 134
#7 (permalink)  
Old 03-01-2013, 06:25 AM
Default

Quote:
Originally Posted by Pentium View Post
Thanks Bruce and an Astaro/Sophos engineer has been made aware of this issue hopefully it will get to the correct people.
I made them aware of this issue over a year and a half ago, when I was troubleshooting a customers machine. It's not high on the list of things to fix, unfortunately
Reply With Quote
Junior Member
Join Date: Mar 2011
Posts: 14
#8 (permalink)  
Old 03-03-2013, 09:11 PM
Default

Just delete the NIC after import and add E1000 NIC.
Reply With Quote
Junior Member
Join Date: Mar 2012
Posts: 3
#9 (permalink)  
Old 03-14-2014, 12:47 AM
Default

Thanks guys VMXNET 3 adapters are working really well. Hope they will fix the ovf, its a simple thing that cripples the product.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT. The time now is 12:19 AM.


Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2015, Jelsoft Enterprises Ltd.

These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.