Skip to content

Network#

  • in Network
  • 2 min read

Network Blocks

Network Blocks Overview

Network blocks in VergeOS are a powerful way to assign multiple IP addresses to tenants or networks for workloads. This method is preferred over virtual wires since VergeOS focuses on Layer 3 connectivity, avoiding the common issues associated with Layer 2 connections (like virtual wires). Network blocks also allow the direct assignment of public IP addresses to VMs inside an internal network or a tenant.

Creating a Network Block

  1. In the VergeOS UI, navigate to the External Network where the network block will originate.
  2. In the left menu, select Network Blocks, then click New.
  3. Enter the network block information in CIDR notation (e.g., a.b.c.d/n).
  4. To assign the block to a tenant at creation, set the Owner Type to Tenant, then select the tenant from the Owner drop-down. new-network-block.png
  5. Submit your work to create the block.
  6. To apply the automatically created rules, select the External breadcrumb in the header to return to the network dashboard. Then, select Apply Rules from the left menu or click the notification pop-up. net-block-rules.png

Creating a Network from a Network Block

  1. Log in to the tenant's URL with the necessary credentials.
  2. Navigate to Networks, then go to the External Network Dashboard.
  3. In the left menu, select Network Blocks.
  4. Select the network block assigned to the tenant.
  5. Click New Network in the left menu. new-net-from-block.png
  6. Give the new network a name. The rest of the details will be pre-filled based on the CIDR information.
  7. Modify any details in the form if necessary, then submit to create the network.
  8. After creation, the system will redirect you to the new network's dashboard. The necessary routes and accept rules will be set up automatically, but note that inbound traffic will be dropped by default. Add appropriate firewall rules to allow inbound access.
  9. Power on the network using the option in the left menu.
  10. Assign any desired virtual machines to the network and test connectivity.

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.12.6

Allow Root to Tenant Site Connection

Overview

Important

Adding this rule will allow tenants to connect on the DMZ network. By default, this is disabled for security reasons.

This guide provides instructions on how to connect a root system to a tenant site in VergeOS. The Sites feature is typically used to connect two VergeOS sites together, but to extend this functionality to a tenant site, you’ll need to add a specific rule on the root system's External network.

Prerequisites

  • Access to the Root system with administrative privileges.
  • A basic understanding of network rules and DMZ interfaces in VergeOS.

Steps

  1. Access External Networks - In the Root system, navigate to Networks and then External Networks. - Double-click on the External network.

  2. Add the Rule - In the left menu, click on Rules. - Before adding a new rule, ensure it doesn’t already exist. - Click New in the left menu. - Enter the following details:

    • Name: Enter a descriptive name such as "Allow Tenant to Root".
    • Action: Translate.
    • Protocol: ANY.
    • Direction: Outgoing.
    • Interface: DMZ.
    • Source: Other Network Address (DMZ).
    • Destination: Any/None.
    • Target: My Router IP.

Rule Configuration

  1. Submit and Apply - Click Submit. - In the left menu or at the top, click Apply Rules to activate the new rule.

After the rule is applied, the root system should now be able to connect to the tenant site.

Testing the Rule

To verify that the rule works, follow these steps:

  1. From the Home screen, click System in the left menu.
  2. Click on Nodes in the left menu.
  3. Double-click on Node1 or select Node1 and click View.
  4. In the left menu, click on Diagnostics.
  5. Change the Query to TCP Connection Test.
  6. Set Host to the UI IP/Host of the tenant system.
  7. Set Port to 443.
  8. Click Send.

Diagnostics

The Response should say Connection successful. If the connection fails, review the rule to ensure accuracy, particularly ensuring that the Interface is set to DMZ rather than Auto.

Troubleshooting

Common Issues

  • Issue: Connection test fails.
  • Solution: Double-check that the rule is configured correctly, especially the interface settings. Also, ensure there are no blocking rules that could prevent the connection.

Additional Resources

Feedback

Need Help?

If you encounter any issues while setting up the root-to-tenant site connection, or have any questions, feel free to contact our support team.

Document Information

  • Last Updated: 2023-09-12
  • VergeOS Version: 4.12.6
  • in Network
  • 2 min read

VLAN Creation in VergeOS

Overview

Key Points

  • Add VLANs to appropriate switchports
  • Create a new external network in the VergeOS UI
  • Configure the network settings
  • Attach workloads to the new VLAN

This guide walks you through the process of creating a VLAN (Virtual Local Area Network) in the VergeOS environment. VLANs are essential for network segmentation and improving network performance and security.

Prerequisites

  • Access to the VergeOS system as an administrator
  • Physical network infrastructure that supports VLANs
  • Basic understanding of networking concepts and VLANs

Steps

  1. Prepare the Physical Network - Add the desired VLAN(s) to the appropriate switchports so they are accessible to the nodes running the VergeOS environment

  2. Navigate to Network Creation - From the Main Dashboard, go to Networks - Select "New External" in the left menu

  3. Configure Network Settings - In the network creation page, enter the following settings: new-vlan.png

Interface Network Selection

For the "Interface Network" option, be sure to select the physical network on the nodes that the VLAN enters the environment on. These are typically appended with the name "Switch" during install. For all other settings, the default options are typically sufficient.

  1. Submit Configuration - Click the submit button to create the new network

  2. Verify Network Status - You will be brought to the newly created network's dashboard - Verify that the status shows as "Running" if the configuration from above was used

  3. Attach Workloads - Workloads can now be attached to the newly created network

Adding VLANs to Tenants

See the Virtual Wires KB article for adding VLANS into Tenants.

Troubleshooting

Common Issues

  • Problem: Network status not showing as "Running"

  • Solution:

    1. Verify that the physical network supports the VLAN configuration
    2. Check if the correct Interface Network was selected
    3. Ensure that the VLAN ID matches the one configured on the physical switch

  • Problem: Unable to attach workloads to the new VLAN

  • Solution:
    1. Confirm that the network is in "Running" status
    2. Verify that the workload has the correct network configuration
    3. Check for any conflicting network policies

Additional Resources

Feedback

Need Help?

If you encounter any issues while creating VLANs or have questions about this process, please don't hesitate to contact our support team.

Document Information

  • Last Updated: 2023-06-06
  • VergeOS Version: 4.12.6

Troubleshooting VM Network Connectivity Issues

Before you begin, verify if other virtual machines in the environment can access the internet. If no other machines can, there may be a network issue upstream of the VergeOS platform that is preventing access to the outside world. If other VMs are still able to access the internet, the most likely cause is that a configuration step was missed.

The following are the most common configuration mistakes that cause network issues:

  • Missing NIC Configuration: The newly created VM may not have a NIC configured. To verify this, review the NICs section of the VM dashboard. Ensure at least one NIC is present. If not, add one.
  • Incorrect Network Assignment: The VM's NIC may be connected to the wrong network. In the NICs section, ensure at least one NIC is present with the status set to Up, and verify that the correct network is listed. If not, edit the NIC and assign the correct network (one used by a VM with internet access).
  • Improper IP Configuration: The VM might not have a properly configured IP address. Typically, this is resolved at the guest level. Refer to the guest operating system’s documentation to ensure the NIC is detected, installed (with drivers), and configured correctly.
  • Virtio Drivers Not Installed: If the Virtio drivers are not installed, the NIC may not function properly. For instructions on installing Virtio drivers, refer to the Product Guide.

Document Information

  • Last Updated: 2024-09-03
  • VergeOS Version: 4.12.6

Accessing the Verge.io UI from a VM

Overview

Key Points

  • Access the VergeOS UI from a VM within your environment
  • Utilize hair-pinning network technique
  • Create a specific network rule on the internal network

This article guides you through the process of setting up access to the VergeOS User Interface (UI) from a virtual machine (VM) running inside the VergeOS system. This is accomplished using a networking technique known as hair-pinning, where a packet travels to an interface, goes out towards the Internet, but instead of continuing, it makes a "hairpin turn" and comes back in on the same interface.

Prerequisites

  • A running VergeOS environment
  • A virtual machine (VM) within your VergeOS environment
  • Access to the VergeOS UI
  • Basic understanding of network rules in VergeOS

Steps

  1. Navigate to the Internal Network - Log into your VergeOS environment - Go to the internal network that your target VM is connected to

  2. Create a New Rule - Locate the option to create a new rule - Configure the rule with the following settings:

    Rule: - Name: Use a reference name, such as "Allow UI" - Action: Translate - Protocol: TCP - Direction: Incoming - Interface: Auto - Pin: No

    Source: - Type: Any / None - Source Ports/Ranges: Leave blank

    Destination: - Type: My Network Address - Destination Ports/Ranges: 80, 443

    Target: - Type: Other Network DMZ IP - Target Network: Core - Target Ports/Ranges: Leave blank

  3. Submit the Rule - Click "Submit" to save the rule

  4. Apply the New Rule - Click "Apply Rules" to activate the newly created rule

  5. Access the UI from the VM - Open a web browser within your VM - Navigate to the IP address of the internal network (e.g., if the internal network IP is 192.168.0.1, use this address)

Pro Tip

Always ensure that your VM's network settings are correctly configured to use the internal network where you've set up this rule.

Visual Guide

Here's a visual representation of the rule configuration:

hairpin.png

Troubleshooting

Common Issues

  • Problem: Unable to access the UI after creating the rule
  • Solution:
    1. Verify that the rule is applied correctly
    2. Check if the VM's network interface is on the correct internal network
    3. Ensure no firewall rules are blocking the connection

Additional Resources

Feedback

Need Help?

If you encounter any issues while setting up UI access or have questions about this process, please don't hesitate to contact our support team.

Document Information

  • Last Updated: 2024-08-29
  • VergeOS Version: 4.12.6

How to Configure Routing Between Networks

The following is a simple method to establish a route between two networks in the VergeOS platform.

Create a Network Rule on the First Network to Route Traffic to the Second Network

  1. Navigate to the first network that you would like to route traffic from.
  2. From the network dashboard, click on Rules in the left navigation menu.
  3. In the Rules menu, click on New to create a new network rule.
  4. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule is a route to the second network.
    • Action: Route
    • Protocol: Any
    • Direction: Outgoing
    • Source:
    • Type: My Network Address
    • Destination:
    • Type: Other Network Address
    • Network: The name of the second network
    • Target:
    • Type: Other Network DMZ IP
    • Target Network: The name of the second network
  5. After completing this rule, click Submit to save the rule.

Create a Network Rule on the First Network to Allow Traffic from the Second Network

  1. From the same network dashboard, click on Rules in the left navigation menu.
  2. In the Rules menu, click on New to create a new network rule.
  3. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule allows traffic from the second network.
    • Action: Accept
    • Protocol: Any
    • Direction: Incoming
    • Source:
    • Type: Other Network Address
    • Network: The name of the second network
    • Destination:
    • Type: My Network Address
  4. After completing this rule, click Submit to save the rule.
  5. Click Apply Rules to enable the rule.

Info

After completing the two rules on the first network, you will need to create identical rules on the second network.

Create a Network Rule on the Second Network to Route Traffic to the First Network

  1. Navigate to the second network that you would like to route traffic from.
  2. From the network dashboard, click on Rules in the left navigation menu.
  3. In the Rules menu, click on New to create a new network rule.
  4. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule is a route to the first network.
    • Action: Route
    • Protocol: Any
    • Direction: Outgoing
    • Source:
    • Type: My Network Address
    • Destination:
    • Type: Other Network Address
    • Network: The name of the first network
    • Target:
    • Type: Other Network DMZ IP
    • Target Network: The name of the first network
  5. After completing this rule, click Submit to save the rule.

Create a Network Rule on the Second Network to Allow Traffic from the First Network

  1. From the same network dashboard, click on Rules in the left navigation menu.
  2. In the Rules menu, click on New to create a new network rule.
  3. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule allows traffic from the first network.
    • Action: Accept
    • Protocol: Any
    • Direction: Incoming
    • Source:
    • Type: Other Network Address
    • Network: The name of the first network
    • Destination:
    • Type: My Network Address
  4. After completing this rule, click Submit to save the rule.
  5. Click Apply Rules to enable the rule.

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.12.6