just joined
Topic Author
Posts: 5
Joined: Sat Oct 11, 2014 6:11 pm

Correct deployment of CHR on Hyper-V 2016

Wed May 23, 2018 10:03 am

Hello guys!
What is the correct deployment of CHR on Hyper-V 2016?
1U server HP DL360G7 - the server is provided for colocation with VM servers IIS10+SQL2017+DEV.WS (inside)
All VMs are shielded with CHR.router on the same host.
As far as I know, CHR does not support SR-IOV for now, so the question is:
How to secure the HOST itself on its EXTERNAL Virtual Switch interface?
In any scenario we must enable at least one physical Ethernet port on the server, and
that immediately opens a doorway to the host itself!?
OK - guests are behind CHR, CHR itself gets internet from the external VS and passes it to
the internal VS.switch subnet... With - VM servers IIS10+SQL2017+DEV.WS (inside)

But what about the host? What is the correct way of isolating the HOST from direct external VS traffic?
With support for SR-IOV (which is realised or not?) we can provide one of our physical NICs directly to the CHR VM as External.VS
and this is an elegant and simple decision, but what to do for now?

How did you do it now, without any external equipment? (any additional HW or SW external routers)
Only a bare metal server and a white real Internet IP from the colocation provider (maybe some isolated iLO3 net from the hoster as well ;-) )
just joined
Topic Author
Posts: 5
Joined: Sat Oct 11, 2014 6:11 pm

Re: Correct deployment of CHR on Hyper-V 2016

Wed May 23, 2018 6:18 pm

OK, I corrected my config by resetting the check mark - Allow management OS to share the network adapter...
(on the configure External Virtual switch tab, of course)
Is this enough for securing the external Ethernet port from the host machine OS?
I need some detailed guide for safe configuration of CHR on WS2016.
From the server side, not the config of CHR itself.
Such as good practice of something of that kind.
Links to such materials are also welcome! :-)
just joined
Posts: 12
Joined: Wed Jan 17, 2018 3:23 pm
Location: Sofia

Re: Correct deployment of CHR on Hyper-V 2016

Sat Jun 30, 2018 12:04 am

Hey :)

Not sure if it would be of great help, but we have configured it the following way:

We are using Hyper-V Core 2012 R2. Currently there is an external virtual switch on which we have mapped the NIC, the box "Allow management operating system to share this network adapter." is checked, and there is a VLAN configured.
There is a secondary internal virtual switch for the communication between the host and the management virtual machine inside - the host itself has no address in a network which is routed and has Internet - it has an address only in a private net.

What worries you about the connectivity of the machines inside - I can't really get - "that's immediately opens a doorway to host itself!?"

Cheers, :D
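
The checkbox discussed in this thread corresponds to the `AllowManagementOS` property of a Hyper-V virtual switch. As an added example (not posted by anyone in the thread), this read-only PowerShell audit lists each switch, whether the host has a virtual adapter on it, and which IP addresses the host holds there. It assumes the Hyper-V module and an elevated session on the host; the switch name `External` in the final comment is a placeholder.

```powershell
#Requires -Modules Hyper-V
# Added example: read-only audit of how the management OS (the host) is
# attached to each Hyper-V virtual switch. Run elevated on the host.

function Get-HostSwitchExposure {
    # One host vNIC exists for every switch the management OS is attached to.
    $hostNics = @(Get-VMNetworkAdapter -ManagementOS)

    foreach ($sw in Get-VMSwitch) {
        $vnics = @($hostNics | Where-Object { $_.SwitchName -eq $sw.Name })

        # Addresses the host holds on this switch. Host vNICs appear as
        # "vEthernet (...)" adapters and are matched here by MAC address.
        $ips = @(foreach ($vnic in $vnics) {
            Get-NetAdapter |
                Where-Object { ($_.MacAddress -replace '-', '') -eq $vnic.MacAddress } |
                Get-NetIPAddress -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty IPAddress
        })

        [pscustomobject]@{
            Switch            = $sw.Name
            Type              = $sw.SwitchType            # External / Internal / Private
            PhysicalNic       = $sw.NetAdapterInterfaceDescription
            AllowManagementOS = $sw.AllowManagementOS
            HostVNics         = $vnics.Name -join ', '
            HostIPs           = $ips -join ', '
            # True when the host itself has an adapter on the uplink switch.
            HostOnUplink      = ($sw.SwitchType -eq 'External' -and $vnics.Count -gt 0)
        }
    }
}

Get-HostSwitchExposure | Format-Table -AutoSize

# To detach the host from an external switch (same effect as clearing the
# checkbox in Hyper-V Manager). 'External' is a placeholder switch name.
# This cuts any host session that runs over that switch, so use another
# management path (for example an internal switch or the server's iLO).
# Set-VMSwitch -Name 'External' -AllowManagementOS $false
```

A row with `HostOnUplink` set to `True` and a public address in `HostIPs` is the layout the first post is worried about; the layout described in the reply would show host addresses only on the internal switch or in a private network.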
