Hello,
To clarify what I am trying to do:
- I am doing teaching for a cybersecurity club, where I have offered Incus VMs to students
- I would like for them to be able to semi-manage their own environments (hence why I am interested in OVN rather than Linuxbridge)
- I would like for them to deploy a setup similar to what’s described in this blog post, internally.
A TLDR of the blog post: the author uses a firewall VM. They enable port isolation and MAC filtering, and then use an interesting solution of telling the VMs they are on a /32 subnet instead of the real /24 that they are actually on, in order to force the VM traffic to go through the firewall VM and not get dropped because the VMs can't find each other directly on the bridge due to port isolation. I think I can achieve something similar but more orthodox by using ARP proxying, where you have one machine respond to ARP requests of another host, on the same or a different subnet, which then forwards the traffic.
Anyway, it's a lot of work to achieve something similar to what Incus ACLs can already do on OVN networks, controlling internal traffic flow. But I am trying to teach people networking concepts, like DHCP, subnetting, and firewalling, on an interface similar to what they would see on a real physical switch (thank you for the OpenWrt image), which is why I want to share this setup specifically.
I have something similar to what I want working with Linuxbridge, and then port isolation could be used to restrict traffic. But what I think would be even cooler is to have this on an OVN network (or networks) instead, because then an OVN ACL could be used to restrict the whole subnet's traffic to each other, except to the firewall VM on xxx.xxx.xxx.1. And then with OVN, people could create multiple logical networks, link them together, and play with that.
However, OVN seems to restrict DHCP traffic by default, in ways that Linuxbridge does not. I am still investigating, but it looks like OVN has internal firewall rules or ACLs that do so. I am wondering if it is possible to loosen those, and if it's possible to loosen them for a bunch of OVN networks at once, or automatically depending on factors like user creation, in some way.