Static routing virtual interfaces

Operating system: UBUNTU Server 20.04.1
OS version: 20.04.1

I use pfsense to control traffic on my network. I installed VIRTUALMIN on UBUNTU Server 20.04.1 on vSphere 7

Ubuntu has only 1 NIC added to it.
I have 2 virtual IPs added to this NIC.
I have 2 virtual servers created on VIRTUALMIN and assigned 1 virtual IP to each.
I am managing VIRTUALMIN/WEBMIN via the default IP on the NIC.

VIRTUALMIN IP: 10.122.122.16
Virtual Server 1 IP: 10.122.122.17
Virtual Server 2 IP: 10.122.122.18

I don’t want both virtual servers to have access to the Internet, only Virtualmin,
but when I allow the Virtualmin IP address to have internet access, both virtual servers have access too.

What do I have to do to prevent that?

The gateway of this network is 10.122.122.1 mask /27

Should I add some routes to each IP to use the gateway address, or something else?

Thank you

EDIT: I use pfsense to resolve hostnames/domains; VIRTUALMIN BIND DNS is switched OFF.

Anyone please

Virtualmin uses ports 10000 - 10100, Usermin uses 20000, so if you keep these open and lock down all other ports via your firewall on Virtualmin or one that is further upstream, you will be able to access Virtualmin from the net, but all other services on all your IPs will be inaccessible to the rest of the net, nor will any processes or services on the Virtualmin server be able to access the net.

If that is indeed what you wish then I must caution you that this will impede some of the functionality of Virtualmin.

Hello

I added a second NIC to UBUNTU and configured it on a different network.
I also bound WEBMIN and USERMIN to this NIC's IP address, and now I have full control via my firewall of which goes where, but is there anything else I have to bind to this IP in order to separate the main system from all virtual servers, i.e. websites?

“Virtualmin uses ports 10000 - 10100” You mean using all ports from 10000 to 10100?

If I want to update anything on the server I have to at least open http and https, then all websites go online again. Is there a way I can separate the virtual servers on one interface and the system on the other interface? I tried a few advanced routing setups, but nothing is working.

Any advice?

All websites run on Apache / Nginx but Virtualmin does not, hence you can use firewall rules to access Virtualmin remotely via 10000 and keep 80 & 443 locked down.

You are attempting to overengineer a solution for what appears to be a simple problem.

Well, this is what I am trying to explain.

I have to open those ports in order to update or upgrade anything:

sudo apt update
Err:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
  Could not connect to banjo.canonical.com:80 (91.189.91.38). - connect (111: Connection refused) Could not connect to kazooie.canonical.com:80 (91.189.91.39). - connect (111: Connection refused) Unable to connect to us.archive.ubuntu.com:http:
Err:2 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
  Unable to connect to us.archive.ubuntu.com:http:
Err:3 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
  Unable to connect to us.archive.ubuntu.com:http:
Err:4 http://us.archive.ubuntu.com/ubuntu focal-security InRelease
  Unable to connect to us.archive.ubuntu.com:http:
Err:5 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-focal InRelease
  Could not connect to software.virtualmin.com:80 (163.172.162.254). - connect (111: Connection refused)
Err:6 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease
  Unable to connect to software.virtualmin.com:http:
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/focal/InRelease  Could not connect to banjo.canonical.com:80 (91.189.91.38). - connect (111: Connection refused) Could not connect to kazooie.canonical.com:80 (91.189.91.39). - connect (111: Connection refused) Unable to connect to us.archive.ubuntu.com:http:
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Unable to connect to us.archive.ubuntu.com:http:
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Unable to connect to us.archive.ubuntu.com:http:
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/focal-security/InRelease  Unable to connect to us.archive.ubuntu.com:http:
W: Failed to fetch http://software.virtualmin.com/vm/6/gpl/apt/dists/virtualmin-focal/InRelease  Could not connect to software.virtualmin.com:80 (163.172.162.254). - connect (111: Connection refused)
W: Failed to fetch http://software.virtualmin.com/vm/6/gpl/apt/dists/virtualmin-universal/InRelease  Unable to connect to software.virtualmin.com:http:
W: Some index files failed to download. They have been ignored, or old ones used instead.

Yes, and you said in your original message that you have pfsense to control traffic on the network… so use it to let some selective traffic pass.

I can’t, they all go through a single IP, 10.122.122.16.

I created a second interface 10.12.15.5/25 with some advanced routing tables on both interfaces and I still can’t do anything from my firewall.

If I allow internet access on int1 (10.122.122.16) and deny on int2 (10.12.15.5), int2 can still access the internet, and if I allow on int2 and deny on int1, int1 can still access the internet.

This should be done, I think, with iptables. I don’t see any other option in my case.
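The two points the thread circles around (keeping only Webmin/Usermin and the websites reachable, and stopping the virtual servers from riding on the management address's internet access) can be handled on the Ubuntu host itself. The script below is an added example, not from any poster or from Virtualmin; the addresses and ports come from the thread, while the interface names, the int2 gateway and the per-domain Unix user names are assumptions. It prints the policy-routing commands and an nftables ruleset for review rather than applying them.

```sh
#!/bin/sh
# Added example, not from the thread. Addresses and ports come from the posts;
# interface names, the int2 gateway and the domain owner users are assumptions.
IF2=ens192; NET2=10.12.15.0/25; GW2=10.12.15.1; INT2_IP=10.12.15.5   # GW2 assumed
VHOST_SET='{ 10.122.122.17, 10.122.122.18 }'   # virtual server IPs from the thread
VHOST_USERS='{ "vhost1", "vhost2" }'          # Virtualmin domain owners (assumed names)

# Source-based policy routing: with a single default route, traffic sourced
# from int2 still leaves via int1, so pfSense cannot tell the interfaces apart.
# Table 200 gives int2's address its own default route and gateway.
routing_cmds() {
    cat <<EOF
ip route add $NET2 dev $IF2 src $INT2_IP table 200
ip route add default via $GW2 dev $IF2 table 200
ip rule add from $INT2_IP lookup 200 priority 200
EOF
}

# nftables ruleset. Inbound: ssh (assumed), Webmin and Usermin only on int2,
# web only on the virtual-server IPs. Outbound: host users (root, and _apt,
# which apt uses for downloads) may start connections; the domain owners'
# processes (PHP, cron jobs) may not, and neither may anything bound to a
# virtual-server IP, so allowing .16 out on pfSense no longer frees the sites.
nft_ruleset() {
    cat <<EOF
table inet vmin {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ip daddr $INT2_IP tcp dport { 22, 10000-10100, 20000 } accept
    ip daddr $VHOST_SET tcp dport { 80, 443 } accept
    icmp type echo-request accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
    ct state established,related accept
    ct state new meta skuid $VHOST_USERS log prefix "vhost-egress " drop
    ct state new ip saddr $VHOST_SET log prefix "vhost-egress " drop
  }
}
EOF
}

# Review the output first; then apply with: routing_cmds | sh  and  nft_ruleset | nft -f -
routing_cmds
nft_ruleset
```

Dropped attempts show up in the kernel log with the `vhost-egress` prefix, which is the quickest way to confirm which website process was trying to reach out.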
