Previously, I installed OpenWrt on VMware Workstation (What is a soft router? What is OpenWrt? What does it look like? Let’s take a look at it on VMware). I had originally planned to install OpenWrt directly on ESXi, but converting the image would not produce an OVF or OVA file. So I first installed the image on Workstation, exported it as an OVF, and then migrated it to ESXi.
With OpenWrt running, let’s check the host status information.
Disk and memory usage are surprisingly low: of 272.5 MB of total disk space only 20 MB is used, and memory usage is 25 MB.
Looking at resource utilization, 99% of the resources remain free, so the 256 MB of memory allocated to it is clearly more than enough.
From this perspective, it seems my 360 router could handle it too.


First, change the virtual network adapter to bridged mode.
Then export the OVF.
In ESXi, create a new virtual machine and choose the creation type Deploy a VM from an OVF or OVA file.
Select the exported OVF and VMDK files and give the virtual machine a name.
Select the storage.
Steps 4 and 6 are then skipped, leaving only step 5, Deployment options; choose Thin provisioning for the disk.
Confirm the host configuration and click Finish.
Auto-start succeeded and the import completed successfully.
Using the same method as before, change the host’s network adapter address to 192.168.1.221 and confirm that access works normally.


A proper router can’t have just one network card, right? Let’s add another one and set the adapter type to VMXNET.
Checking the interface information: eth0 is bound to br-lan and corresponds to the host’s network adapter 1, which connects to the VM Network. That adapter should really be the WAN port, but it is currently serving as the LAN port, which is clearly wrong.
To avoid losing the connection, first configure eth1 as the LAN port: set the protocol to Static Address, check Bridge Interfaces so the interface becomes a bridge, and select eth1.
Set the address to 172.16.113.1 with a 24-bit subnet mask. Since this is the gateway itself, no gateway needs to be configured.
Then enable DHCP on this interface; the subnet mask defaults to 24 bits, which means it will automatically hand out addresses within the class C (/24) network the LAN port belongs to.
Then check the interface information from the shell: the new Layer 2 interface was created successfully.
Next, take a host and connect it to the port group that corresponds to the eth1 network card, LINK01. The new network card obtains an address successfully.
Then, from that host, log in to the router via the LAN port’s gateway address, delete the LAN interface previously bound to eth0, and create a new WAN interface on eth0.
Set the name to WAN, choose the Static Address protocol, and select eth0 as the interface.
Then set the interface’s IP address, subnet mask, gateway, and DNS information.
Create a firewall zone (security domain) named WAN. After that, the host can access the internet.
At this point, the network card adjustments are complete.
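As an added example (not part of the original post and not OpenWrt’s own code), the same LAN/WAN layout expressed as uci batches that can be applied from the shell instead of clicking through LuCI. It assumes OpenWrt 21.02 or later, where a bridge is a `config device` section; the WAN address, gateway and DNS values are placeholders from the RFC 5737 documentation range, since the post does not give them. Before applying anything the script checks that the LAN and WAN networks do not overlap (the mistake in this section was eth0 doing LAN duty on the WAN side), and when no `uci` binary is present it only prints the batches for review.

```shell
#!/bin/sh
# Added example, not from the original post: the LAN/WAN layout above as uci
# batches (OpenWrt 21.02+ syntax, where a bridge is a `config device` section).
# WAN_ADDR, WAN_GW and WAN_DNS are placeholders (RFC 5737 documentation range).
WAN_ADDR="${WAN_ADDR:-192.0.2.10}"
WAN_GW="${WAN_GW:-192.0.2.1}"
WAN_DNS="${WAN_DNS:-192.0.2.53}"
LAN_ADDR="172.16.113.1"
PREFIX=24                       # both the LAN and the WAN use a /24 here

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# True (exit 0) when both addresses fall inside the same /PREFIX network.
same_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# LAN: bridge br-lan over eth1, static 172.16.113.1/24.  WAN: static on eth0.
network_uci_batch() {
    cat <<EOF
set network.br_lan=device
set network.br_lan.name='br-lan'
set network.br_lan.type='bridge'
add_list network.br_lan.ports='eth1'
set network.lan=interface
set network.lan.device='br-lan'
set network.lan.proto='static'
set network.lan.ipaddr='$LAN_ADDR'
set network.lan.netmask='255.255.255.0'
set network.wan=interface
set network.wan.device='eth0'
set network.wan.proto='static'
set network.wan.ipaddr='$WAN_ADDR'
set network.wan.netmask='255.255.255.0'
set network.wan.gateway='$WAN_GW'
add_list network.wan.dns='$WAN_DNS'
EOF
}

# DHCP only on the LAN: 172.16.113.100-249; no DHCP server on the WAN side.
dhcp_uci_batch() {
    cat <<'EOF'
set dhcp.lan=dhcp
set dhcp.lan.interface='lan'
set dhcp.lan.start='100'
set dhcp.lan.limit='150'
set dhcp.lan.leasetime='12h'
set dhcp.wan=dhcp
set dhcp.wan.interface='wan'
set dhcp.wan.ignore='1'
EOF
}

# Refuse a layout where LAN and WAN overlap: the router could not tell which
# side a packet belongs to, and the wrong adapter could end up acting as LAN.
validate_layout() {
    if same_subnet "$LAN_ADDR" "$WAN_ADDR" "$PREFIX"; then
        echo "error: LAN $LAN_ADDR/$PREFIX and WAN $WAN_ADDR/$PREFIX overlap" >&2
        return 1
    fi
}

# On a real OpenWrt box apply and reload; anywhere else just print the batches.
apply_config() {
    validate_layout || return 1
    if command -v uci >/dev/null 2>&1; then
        uci -q delete network.br_lan.ports   # keep list entries idempotent on re-run
        uci -q delete network.wan.dns
        network_uci_batch | uci batch && dhcp_uci_batch | uci batch && uci commit \
            && /etc/init.d/network reload && /etc/init.d/dnsmasq reload
    else
        network_uci_batch; dhcp_uci_batch
    fi
}

if [ "${RUN:-0}" = 1 ]; then apply_config; fi
```

Run it as `RUN=1 sh openwrt-net.sh` (file name assumed): on a box with `uci` it applies and reloads the network and DHCP services, anywhere else it prints the two batches so they can be reviewed first. Override `WAN_ADDR`, `WAN_GW` and `WAN_DNS` in the environment to use real values.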
Use iperf to test the bandwidth and see whether the traffic topology actually works.
For reasons I’m not sure of, the throughput fluctuates quite a bit. Without going through OpenWrt, the forwarding rate peaks at about 4 G; through OpenWrt the average is 2.35 G, and OpenWrt’s own monitor shows about 2.4 G, which is close. Even under this much traffic the device load stays very low, under 10%.
Checking the interface traffic statistics, the LAN port received 28.77 G and the WAN port forwarded 28.99 G, which is essentially consistent.
This is what a router should be.


This firewall function is quite appealing to me, so let’s test whether it works well. First, delete all rules and restart the firewall; traffic should then stop.
However, traffic to the device itself is still reachable at this point, e.g. pinging the device’s LAN and WAN ports works, but the devices upstream cannot be reached.
First, confirm the firewall zone (security domain) settings, since the rules configured later reference them.
Then create a rule allowing ICMP packets.
After clicking apply, it did not seem to take effect until the firewall status page was refreshed; I wonder whether that is normal.
After restarting it worked, but why did the latency drop to 1 ms and the TTL become 64?
Pinging Baidu gives the same result; is this the so-called ghost wall?
Name resolution is normal, but the latency and TTL are wrong. Confusing, right? The configuration above is a DNAT (port forward); SNAT is what would normally be configured in the section further down the page.
Then I chased away the ghost.
The other way to allow ICMP traffic is a Traffic Rule, configured under Traffic Rules.
Now only ICMP is allowed; traffic to TCP port 5201 is still not reachable.
So let’s allow the iperf traffic: create a rule matching TCP port 5201.
Now it should work.
So here is a question: reviewing today’s firewall configuration, there are three states below: one times out, one is rejected, and one is normal. The server side is normal in all three cases; do you know the reason?
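As an added example (not from the original post and not the firewall’s own code), the zones and the two rules from this section as a uci batch for `/etc/config/firewall`, plus a simplified first-match evaluator that models how OpenWrt’s firewall reaches a verdict: the first matching traffic rule wins, otherwise the source zone’s input policy (traffic addressed to the router itself) or forward policy (traffic through the router) applies. It assumes the layout above: zone `lan` on the eth1 bridge, zone `wan` on eth0, the iperf client on the LAN and the server beyond the WAN. On a stock image the lan and wan zones already exist as anonymous sections; delete or rename those before adding the named ones here. The comments also spell out what a client observes under each of the three zone policies, which is exactly the difference between a timeout, a rejection and normal traffic.

```shell
#!/bin/sh
# Added example, not from the original post: the firewall zones and rules from
# this section as a uci batch, plus a simplified first-match evaluator showing
# which verdict a packet gets and what the client then observes.
# Assumed layout: zone lan on br-lan/eth1, zone wan on eth0, iperf client on
# the LAN, iperf server beyond the WAN.  Zone policies apply when no rule
# matches:
#   ACCEPT -> traffic flows               (client sees: normal)
#   REJECT -> ICMP unreachable / TCP RST  (client sees: rejected at once)
#   DROP   -> silently discarded          (client sees: timeout)
WAN_INPUT_POLICY="${WAN_INPUT_POLICY:-REJECT}"     # traffic to the router itself
WAN_FORWARD_POLICY="${WAN_FORWARD_POLICY:-REJECT}" # traffic through the router

firewall_uci_batch() {
    cat <<EOF
set firewall.@defaults[0].input='REJECT'
set firewall.@defaults[0].output='ACCEPT'
set firewall.@defaults[0].forward='REJECT'
set firewall.lan=zone
set firewall.lan.name='lan'
add_list firewall.lan.network='lan'
set firewall.lan.input='ACCEPT'
set firewall.lan.output='ACCEPT'
set firewall.lan.forward='ACCEPT'
set firewall.wan=zone
set firewall.wan.name='wan'
add_list firewall.wan.network='wan'
set firewall.wan.input='$WAN_INPUT_POLICY'
set firewall.wan.output='ACCEPT'
set firewall.wan.forward='$WAN_FORWARD_POLICY'
set firewall.wan.masq='1'
set firewall.wan.mtu_fix='1'
set firewall.lan_wan=forwarding
set firewall.lan_wan.src='lan'
set firewall.lan_wan.dest='wan'
set firewall.allow_icmp=rule
set firewall.allow_icmp.name='Allow-ICMP-from-WAN'
set firewall.allow_icmp.src='wan'
set firewall.allow_icmp.proto='icmp'
set firewall.allow_icmp.target='ACCEPT'
set firewall.allow_iperf=rule
set firewall.allow_iperf.name='Allow-iperf-5201'
set firewall.allow_iperf.src='lan'
set firewall.allow_iperf.dest='wan'
set firewall.allow_iperf.proto='tcp'
set firewall.allow_iperf.dest_port='5201'
set firewall.allow_iperf.target='ACCEPT'
EOF
}

# The same two rules as the evaluator's table: "src dest proto dport target".
# "*" matches anything; dest "device" is traffic addressed to the router (input).
RULES='wan device icmp * ACCEPT
lan wan tcp 5201 ACCEPT'

# Default verdict when no rule matches: the source zone's input or forward policy.
zone_policy() {  # zone_policy SRC DEST
    case "$1:$2" in
        lan:*)      echo ACCEPT ;;
        wan:device) echo "$WAN_INPUT_POLICY" ;;
        wan:*)      echo "$WAN_FORWARD_POLICY" ;;
        *)          echo REJECT ;;
    esac
}

# decide SRC DEST PROTO DPORT -> ACCEPT | REJECT | DROP (first matching rule wins).
decide() {
    verdict=$(printf '%s\n' "$RULES" | while read -r rs rd rp rport rt; do
        [ "$rs" = "$1" ] && [ "$rd" = "$2" ] \
            && { [ "$rp" = "*" ] || [ "$rp" = "$3" ]; } \
            && { [ "$rport" = "*" ] || [ "$rport" = "$4" ]; } \
            && { echo "$rt"; break; }
    done)
    if [ -n "$verdict" ]; then echo "$verdict"; else zone_policy "$1" "$2"; fi
}

# What the client observes for each verdict (the three states seen in the post).
client_sees() {
    case "$1" in
        ACCEPT) echo normal ;;
        REJECT) echo rejected ;;
        DROP)   echo timeout ;;
        *)      echo unknown ;;
    esac
}

if [ "${RUN:-0}" = 1 ]; then
    for q in "wan device icmp -" "lan wan tcp 5201" "wan device tcp 22" "wan lan tcp 5201"; do
        set -- $q
        v=$(decide "$@"); printf '%-22s -> %s (%s)\n' "$q" "$v" "$(client_sees "$v")"
    done
fi
```

`RUN=1 sh fw-example.sh` (file name assumed) prints the verdict for four sample flows; setting `WAN_INPUT_POLICY=DROP` in the environment switches the unmatched WAN-to-router case from an immediate rejection to a timeout, which is the same change you would see on a client when a zone’s policy is flipped in LuCI. Pipe `firewall_uci_batch` into `uci batch && uci commit firewall && /etc/init.d/firewall reload` on the router to apply the rules.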

- What is a soft router? What is OpenWrt? What does it look like? Let’s take a look at it on VMware
- Software Defined Networking (SDN): Layering and Architectural Terminology
- Software Defined Networking: An SDN Perspective from Service Providers
- Data Center (DC) Network Virtualization Framework
- Network Address Translation – Protocol Translation (NAT-PT)