ClearOS in Gateway Refuses to Route KVMs
I'm running clearOS 7.4 in gateway mode. It is known that clearOS uses at least 2 NICs in this mode: external (em1 in my case) and internal (em2).
As I elaborated before, clearOS gateway is currently having issues with KVM bridges. This leaves us with one feasible option for VMs networking for now, which is macvtap.
One can add two networks to KVM/Kimchi of macvtap type. Each network is associated with one clearOS NIC. A virtual machine (VM) can hence be set up to have 1 or 2 virtual NICs (vNIC). Here is a summary of the pros and cons of each setup:
1) One vNIC connected to clearOS' External NIC:
- VM can access the Internet
- VM cannot access intranet services, unless the ports for these services are wide open to the Internet. This is a big security concern.
- LAN clients behind the clearOS server cannot access VM via local IP. They can only access it using its Internet address if any.
2) One vNIC connected to clearOS' Internal NIC:
- LAN clients can access the VM (remote desktop, VNC, web services, etc.)
- VM cannot take IP address from clearOS DHCP. The address must be manually entered.
- VM cannot access the Internet via clearOS gateway
- VM cannot access intranet services, such as flexshares.
3) Two vNICs connected to Both clearOS' NICs
- VM can access the Internet.
- LAN clients can access the VM.
- VM cannot take IP address from clearOS DHCP. The address must be manually entered in the VM settings.
- VM cannot access the Internet via clearOS gateway.
- VM cannot access intranet services.
The scenario worth fixing is number 2 above: each VM has one vNIC connected to the clearOS internal NIC, and all the cons currently found in such a setup get solved. This means configuring clearOS to deal with VMs as normal LAN clients, so that it provides them with IPs and routes their traffic between its NICs. This will allow the VMs to access the Internet and the intranet and will also allow the LAN clients to access the VMs.
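Added example (not from the original post): a small POSIX-shell check that reads libvirt network definitions in the shape `virsh net-dumpxml <name>` prints (the three sample definitions inside it are constructed, not taken from a real clearOS host) and reports which ones are macvtap networks tied to a clearOS NIC, i.e. the setups above where guests cannot reach clearOS itself for DHCP or routing.

```shell
#!/bin/sh
# Added example, not part of the original post. Classifies libvirt network XML:
# macvtap networks use <forward mode='bridge|vepa|private|passthrough'> with an
# <interface dev=.../> child; a host bridge uses <bridge name=.../>.
# Guests on a macvtap network share the NIC but cannot talk to the host's own
# IP stack, so clearOS cannot hand them DHCP leases or route for them.

# Constructed sample definitions (em1 = external, em2 = internal, as in the post).
NET_EXT="<network><name>ext-macvtap</name><forward mode='bridge'><interface dev='em1'/></forward></network>"
NET_INT="<network><name>int-macvtap</name><forward mode='bridge'><interface dev='em2'/></forward></network>"
NET_BR="<network><name>lanbr</name><forward mode='bridge'/><bridge name='br0'/></network>"

# classify_net XML -> "macvtap <mode> <dev>" | "bridge <name>" | "other"
classify_net() {
    mode=$(printf '%s' "$1" | sed -n "s/.*<forward mode=['\"]\([a-z]*\)['\"].*/\1/p" | head -n1)
    dev=$(printf '%s' "$1" | sed -n "s/.*<interface dev=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n1)
    br=$(printf '%s' "$1" | sed -n "s/.*<bridge name=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n1)
    if [ -n "$dev" ]; then
        echo "macvtap ${mode:-bridge} $dev"
    elif [ -n "$br" ]; then
        echo "bridge $br"
    else
        echo "other"
    fi
}

# host_reachable CLASSIFICATION -> "yes" | "no" | "unknown"
# Whether a guest on that network can reach the host OS itself, which is what
# clearOS needs in order to serve DHCP and route between its NICs.
host_reachable() {
    case "$1" in
        macvtap\ *) echo no ;;      # every macvtap mode isolates guest from host
        bridge\ *)  echo yes ;;
        *)          echo unknown ;;
    esac
}

# Walk the samples; on a live host replace the loop input with
#   for n in $(virsh net-list --all --name); do virsh net-dumpxml "$n"; done
for xml in "$NET_EXT" "$NET_INT" "$NET_BR"; do
    c=$(classify_net "$xml")
    printf '%-24s guest can reach clearOS: %s\n' "$c" "$(host_reachable "$c")"
done
```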