
Can we run a qemu instance as a dedicated home network firewall?

Can we use a virtual qemu linux machine as a firewall for 
a real home network?

I have a small network at home, with a few desktops and a DMZ and 
a linux firewall machine.

Now that virtualization is working for me, via qemu, I would like to get rid
of all the old equipment that I use for little tasks.

I.e. I have:
1) old 486 machine F used as a dedicated arno-firetables firewall.
2) old 486 machine D used as a dedicated web server in the DMZ.
3) plus a few workstations on a LAN, call them A, B, C.

Internet -> firewall machine F -> local LAN -> machines A, B, C
                                -> DMZ -> web server on D

1. Here F does NAT for machines A, B, C on 192.168.100.*.
2. While F gets an outside internet IP via dhcp from my cable provider.
3. F has 2 physical NIC cards.

My question is: 
Can I replace F (and D) by virtual machines running on one of my desktop 
machines A?

Thus internet traffic for A would not go out of the NIC directly; it would
rather go through an internal virtual network to the virtual guest firewall
machine (called F), where F would get its full Internet IP from my cable modem
provider, and F would then do NAT for the machine A.

Thus there might be 2 physical NICs on A, neither of which would actually be
used by A. Both NICs would be bridged to F through two internal vde_switches
running on A, one connected to the cable modem via NIC1 and the second
connected via NIC2 to a physical hub outside the workstation A, so that the
other workstation machines B and C could also use the virtual machine F as
their firewall.

A itself would connect via the local LAN network to F (its guest), by
a virtual NIC (or real NIC, or socket). 

So, is it possible, i.e. does it make sense, to run a virtual machine to
actually function as a firewall for the HOST itself, and to do NAT for the
host?

Clearly this would be with VDE.

Thus we would have

Machine A (the Host machine) running linux
(with 2 NIC cards which would later be bridged to the
vde switches.)
 
Machine A would be a full distribution install with a full workstation
capability.

Now Machine A would not be configured to connect directly to the internet
because we would want it to be firewalled by a virtual machine.

We set up a vde_switch on A.

Then we would  bring up a qemu instance F (for firewall). 

...

Thank you,

Mitchell Laks
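The host-side plumbing for exactly the topology sketched above (two vde_switches, NIC1 and NIC2 bridged into them, guest F with a leg on each, host A routing through F), as an added example that is not part of the original post nor of qemu's or VDE's own documentation. The interface names eth0/eth1/tap_wan/tap_lan, the image file F.qcow2 and F's LAN address 192.168.100.1 are assumptions; the point it enforces is that A keeps no address on the WAN side and has forwarding off, so nothing on the host can reach the modem except through F.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: eth0 = NIC1 to the
# cable modem, eth1 = NIC2 to the hub for B and C, F.qcow2 = the firewall guest
# image, 192.168.100.1 = F's LAN address. DRY_RUN=1 prints commands instead of
# executing them, so the plumbing can be reviewed before running it as root.
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

WAN_SOCK=/var/run/vde_wan.ctl   # switch carrying the raw cable-modem segment
LAN_SOCK=/var/run/vde_lan.ctl   # switch carrying the protected 192.168.100.0/24 LAN

# One vde_switch per segment; each exposes a tap port that gets bridged to the
# matching physical NIC, so guest F sees the real wire on both sides.
start_switches() {
    run vde_switch -daemon -sock "$WAN_SOCK" -tap tap_wan
    run vde_switch -daemon -sock "$LAN_SOCK" -tap tap_lan
}

# Bridge NIC1 into the WAN switch and NIC2 into the LAN switch. Nothing on the
# WAN side ever gets an address on the host: A must never hold the public IP,
# and the host must not forward between the segments behind F's back.
bridge_nics() {
    for seg in wan lan; do
        run ip link add name "br_$seg" type bridge
        run ip link set "tap_$seg" master "br_$seg"
    done
    run ip link set eth0 master br_wan
    run ip link set eth1 master br_lan
    for dev in eth0 eth1 tap_wan tap_lan br_wan br_lan; do run ip link set "$dev" up; done
    run sysctl -w net.ipv4.ip_forward=0
}

# Guest F: one NIC on the WAN switch (takes the ISP DHCP lease) and one on the
# LAN switch (does NAT for A, B, C). Fixed MACs keep the ISP lease stable.
start_firewall_vm() {
    run qemu-system-x86_64 -m 256 -hda F.qcow2 -daemonize \
        -netdev vde,id=wan,sock="$WAN_SOCK" -device e1000,netdev=wan,mac=52:54:00:00:01:01 \
        -netdev vde,id=lan,sock="$LAN_SOCK" -device e1000,netdev=lan,mac=52:54:00:00:01:02
}

# Host A joins only the LAN bridge and routes everything through F, so its own
# traffic is firewalled and NATed by the guest just like B's and C's.
attach_host() {
    run ip addr add 192.168.100.10/24 dev br_lan
    run ip route replace default via 192.168.100.1
}

# Bring the whole thing up in order: ./fw-host.sh up
case "${1:-}" in up) start_switches; bridge_nics; start_firewall_vm; attach_host ;; esac
```

Inside F the usual arno-firetables setup applies unchanged: the WAN-side e1000 takes the DHCP lease and the LAN-side one is the NAT gateway; B and C on the hub see the same 192.168.100.1 as A does.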