I am contemplating a SOHO network with 2 virtualization servers, and virtualized network hardware.
I would like to know how rational this is, from a security standpoint and from a stability standpoint.
Proposed host model, times 2:
- 1x ethernet on-board
- 4x ethernet card
Backups and less-used VMs will be on separate hardware NAS, maybe a Synology.
My intent is to donate all physical NICs to virtualized routers.
My network configuration would be as follows:
R1: External firewall/router.
- Connects to DMZ and NAT networks, and to VPN endpoint.
- Connects to main router.
- This is a SOHO router appliance and will be the only wireless component.
- Can access DMZ and VPN endpoint as though it were on the greater Internet.
- No VMs here.
- This is where all the guests and digital cockroaches go.
R3: VPN endpoint.
- Connects to main router, or alternately the endpoint exists inside DMZ.
- Only public route to the VPN-secured network, of course.
- Absolutely everything blocked unless initiated from inside.
- Outbound blocked except for specific cases (software updates)
- Contains the VM hosts virtual network connection.
Just to be clear, there are 3 virtualized routers and 1 physical router. The virtualized routers have one or more physical interface as needed. The physical interfaces will be VLAN-aware, 802.1q compliant. I guess that some of the virtual interfaces will need to be as well.
OK so here's the complication:
I want to know if it's rational to have R1, R3 and R4 be virtual routers.
I would like to mirror the routers on both VM hosts, so if one host goes down I have another one available just by swapping wires.
It would be nice if I can make these redundant routers active, so speed between VMs on the same host can be fast.
Is it risky to have VMs on the same host be on different networks?
Am I going about this the wrong way?