Can we run a qemu instance as a dedicated home network firewall?
Can we use a virtual qemu linux machine as a firewall for
a real home network?
I have a small network at home, with a few desktops and a DMZ and
a linux firewall machine.
Now that virtualization is working for me, via qemu, I would like to get rid
of all the old equipment that I use for little tasks.
Ie I have
1) old 486 machine F used as dedicated arno-firetables firewall.
2) old 486 machine D used as dedicated web server in DMZ.
3) plus a few workstations on a LAN call them A, B C.
Internet -> firewall machine F -> local LAN ->machines A, B, C
-> DMZ ->web server on D
1. Here F does NAT for machines A, B, C on 192.168.100.* .
2. While F gets an outside internet IP via dhcp from my cable provider.
3. F has 2 physical NIC cards.
My question is:
Can I replace F (and D) by virtual machines running on one of my desktop
machines A?
Thus internet traffic for A would not go out of the NIC directly,
it would rather go through
an internal virtual network to the virtual guest Firewall machine (called F)
, where F would get its full Internet IP from my cable modem provider,
and it F, would then do NAT for the machine A.
Thus there would might be 2 physical NICs on A, ?neither of which would
actually be used by A. Both NICs would be bridged to F, to two internal
vde_switches running on A one connected to the
cable modem via NIC1 and the second NIC2 connected
to a physical hub outside the workstation A so that
other workstation machines B and C could also use the virtual machine F
as their firewall.
A itself would connect via the local LAN network to F (its guest), by
a virtual NIC (or real NIC, or socket).
So, is it possible,
ie: does it make sense,
ie to run a virtual machine to actually
function as a firewall for the HOST itself? And to do NAT for the host.
Clearly this would be with VDE.
Thus we would have
Machine A (the Host machine) running linux
(with 2 NIC cards which would later be bridged to the
vde switchs.)
Machine A would be a full distribution install with a full workstation
capability.
Now Machine A would not be configured to connect directly to the internet
because we would want it to be firewalled by a virtual machine.
We set up a vde_switch on A.
Then we would bring up a qemu instance F (for firewall).
...
Thank you,
Mitchell Laks
Reply to: