The SDDCbox Project — Part #5 — Networking Tidbits

In my previous article “The SDDCbox Project — Part #4 — From iMac to Mac Pro“, I presented two strategies for migrating from my current 2017 iMac to a brand new Mac Pro. Now, it is time to dig a bit further into the intricacies of building a software-defined data center. More specifically, let’s talk about the IP network and IP management.

When building a home lab, like an SDDC in a box, many virtual machines are needed. Each of them will use at least one IP address to operate. It is best to organize their distribution and put some thought into it. Let’s see how.

Managing Virtual Machines IP address

As you probably remember, my virtualization software is VMware Fusion 12 Pro. By default, VMware Fusion uses a class B subnet for NATted segments used by its virtual interface VMnet8 (more on this later), which is 172.16.xx.yy. That gives me more than a million IP addresses. In this project, I need IP addresses at different layers of the virtual environment. First, at the VMware Fusion layer, which I call ring 1. That’s where most of the virtual machines will reside. VMware Fusion will be responsible for IP address allocation with its internal DHCP server. The following diagram shows the concept of rings.

Virtualization layers also named “rings”

I plan to use 172.16.85 for all ring 1 virtual machines and 172.16.86 for ring 2 (nested virtual machines). I don’t expect to have many virtual machines sitting in ring 2, as nested virtualization is not very fast.

Understanding VMware Fusion Networking

When creating a virtual machine, we have to configure a virtual network interface to allow the virtual machine to communicate over the IP network. There are three types of networking options in VMware Fusion. I want to discuss two of them: bridged mode and NAT mode.

In bridged mode, a virtual machine gets its IP address as if it were another computer or device on the same network as the host, in this case my current iMac running VMware Fusion. For this to happen, Fusion sends the virtual machine’s DHCP requests to the router on my home network, in my case the UniFi Dream Machine (read my review here), which allocates the address to the device.

In NAT mode, each virtual machine uses an internal network that is not visible from outside the virtual environment. Only the host running VMware Fusion performs the IP translation between the internal network and the outside world. The VMware Fusion configuration for this resides in the vmnet8 folder (more on this later). The following diagram illustrates an iPad on the same network as the Mac Pro, trying to establish an IP connection on port 9000 to a virtual machine running inside VMware Fusion with the IP 182.16.85.100 on port 22. The iPad has to use the Mac Pro address of 192.168.1.100 in its request for VMware Fusion to perform the translation.

Port forwarding illustration

There is a way to control how VMware Fusion handles IP management and network translation. These settings are not all exposed to the end user, but are stored in text files located here: /Library/Preferences/VMware Fusion/networking. There are many directories and files, as shown here.

VMware Fusion Configuration Files

In the vmnet8 folder, you’ll find a few files required for the IP management features of virtual machines. The file dhcpd.conf is used by the DHCP server within Fusion. This is where you can add IP address reservations, which is critical for certain types of virtual machines like a domain controller or a DNS server. The other important file is nat.conf, which controls TCP port forwarding. Finally, the file networking contains critical networking configuration defining VMware Fusion’s virtual interfaces available to virtual machines. So far, I didn’t have to change its content directly.

Choosing between NAT and Bridged mode

For simple tests, using bridged mode is fine, but it is not portable. In other words, the IP addresses used depend on the home network where VMware Fusion is running. On a non-portable machine like a Mac Pro, this is probably fine, but for a home lab running on a portable that can be used in any office, it will be a problem.

In order to build a portable virtual environment, I prefer to use NAT mode even if it is a bit more complex to manage. Why? Because virtual machines don’t expose their IP address to the rest of the home network. An external device that wants to connect to a virtual machine inside will have to go through IP port forwarding. This is configured in the nat.conf file. For example:

[incomingtcp]
# Use these with care - anyone can enter into your VM through these...
# The format and example are as follows:
# <external port number> = <VM's IP address>:<VM's port number>
8080 = 172.16.3.128:80
9000 = 172.16.85.132:22

As explained earlier, a device outside the virtual environment that wants to establish an SSH session to the host behind the NAT will have to use the host IP (192.168.1.14, for example) through port 9000 (a user-defined port: TCP ports in the range 1024 to 49151 are safe to use for port forwarding), which Fusion in turn translates to 172.16.86.132 on port 22, the standard SSH port. I tried this from the excellent SSH client Prompt on my iPad, and it worked like a charm, as shown in the following two screenshots.

Managing IP address allocation

By default, when a virtual machine starts, an IP address is automatically allocated by the VMware Fusion internal DHCP server within the 172.16.xx.yy subnet. In a virtual lab, most virtual machines should use fixed IP addresses. There are two ways to set a fixed IP address: manually on each machine, or centrally from the DHCP server itself. I prefer the latter. The way to do this is to take the MAC address of the virtual machine and use it in the dhcpd.conf file. First, the MAC address can be found in the VM settings, in the advanced view of its virtual network interface, as shown here. Then add the following lines (these are examples).

Finding the VM’s MAC address

# dhcpd.conf reservation: the VM with this MAC address always receives 172.16.85.127
host esxhost01 {
    hardware ethernet 00:0C:29:43:73:4F;
    fixed-address 172.16.85.127;
}

When the virtual machine starts, Fusion will assign this IP automatically. Editing this file requires elevated privileges, and backing up its content is a must.
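The port-forwarding and reservation sections above are easy to get out of step: a forward in nat.conf points at an IP, but nothing guarantees that IP stays with the intended VM unless dhcpd.conf reserves it. As an added example (not code from the original post or from VMware), this script parses both files and audits the forwards against the reservations and the ring 1 subnet; the sample file contents and the 172.16.85.0/24 subnet are constructed assumptions taken from the snippets on this page.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample inputs mirroring the page's nat.conf and dhcpd.conf snippets.
NAT_CONF = """\
[incomingtcp]
# <external port number> = <VM's IP address>:<VM's port number>
8080 = 172.16.3.128:80
9000 = 172.16.85.132:22
"""
DHCPD_CONF = """\
host esxhost01 {
    hardware ethernet 00:0C:29:43:73:4F;
    fixed-address 172.16.85.127;
}
"""

def parse_incoming_tcp(text):
    """Return {external_port: (vm_ip, vm_port)} from the [incomingtcp] section."""
    forwards, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        m = re.fullmatch(r"(\d+)\s*=\s*([\d.]+):(\d+)", line)
        if section == "incomingtcp" and m:
            forwards[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return forwards

def parse_reservations(text):
    """Return the set of fixed-address IPs declared in dhcpd.conf host blocks."""
    return set(re.findall(r"fixed-address\s+([\d.]+)\s*;", text))

def audit(nat_text, dhcpd_text, subnet="172.16.85.0/24"):
    """List port-forward problems a lab owner should fix before exposing a VM."""
    net, reserved, issues = ip_network(subnet), parse_reservations(dhcpd_text), []
    for ext, (ip, port) in sorted(parse_incoming_tcp(nat_text).items()):
        if not 1024 <= ext <= 49151:  # the range the article recommends
            issues.append(f"{ext}: external port outside the 1024-49151 range")
        if ip_address(ip) not in net:
            issues.append(f"{ext}: target {ip} is not in {net}")
        elif ip not in reserved:
            issues.append(f"{ext}: target {ip} has no DHCP reservation, lease may change")
    return issues
```

Run `audit(NAT_CONF, DHCPD_CONF)` on the page's snippets and both forwards are flagged: 8080 targets an address outside the ring 1 subnet, and 9000 targets a VM with no reservation.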

In this article, I explained which networking modes VMware Fusion provides to virtual machines, how to modify their configuration, and how to enable port forwarding. Finally, I have shown my preferred way of assigning fixed IP addresses from a centrally managed place. In a future article, I’ll explain why a DNS service will be required and what strategy I chose to deploy one.
