Managing Network Interfaces

Introduction to Network Interfaces
----------------------------------

Each virtual system managed by Cloudmin has at least one network interface / IP address, to which the system's hostname typically resolves in DNS. On the virtual machine this usually appears as `eth0` - how it appears on the host system differs depending on the type of virtualization being used.

It is possible for a virtual system to have multiple network interfaces. For Xen and KVM instances on host systems with more than one bridge, the virtual machines can have one `ethN` interface per bridge. Typically each is connected to a different physical network or VLAN on the host system.

Cloudmin lets you add extra IP addresses to a virtual system, although these will usually be virtual interfaces like `eth0:5`. This is useful if you want a VPS to host multiple SSL-protected websites, each of which needs its own IP address.

System owners can be either completely denied access to the page for managing network interfaces, or limited in how many IP addresses they can use across all their virtual machines. This can be done either at the plan level, or on an owner-by-owner basis.

Cloudmin can fully manage network interfaces on any system running Webmin, or with a Debian-based or Redhat-based Linux distribution installed. It can even manage interfaces on a down system, assuming it is running Debian, Ubuntu, RHEL, Fedora or CentOS. This allows you to fix networking errors even if a system is inaccessible, by first shutting it down and then using Cloudmin to edit interfaces.

On systems running Windows, BSD or an unsupported Linux distribution without Webmin, Cloudmin cannot manage the IP addresses assigned to network interfaces - instead, these must be set within the virtual system. However, it can configure the MAC address and network bridges assigned to each interface.

Adding a Virtual Network Interface
----------------------------------

To create a new network interface, the steps to follow are :

1. Select the system from the left menu, open the *System Configuration* category and click on *Network Interfaces*.
2. Underneath the list of existing interfaces, click the *Add a virtual interface* link.
3. Either enter an IP for the new interface from the *IP address* menu, or select *Allocate automatically* to have Cloudmin pick one from the allocation range you have specified for its host system.
4. Change the netmask if needed - but typically the default will work fine.
5. Click the *Create* button.

The new IP address should be immediately activated and pingable, and will be added to both the networking configuration files on the virtual system, and any virtualization config files on the host system.

Adding a Real Network Interface
-------------------------------

Xen and KVM virtual systems also support creation of non-virtual interfaces, which appear like `eth1` on the virtual machine. If the host system has multiple network bridges you can select which bridge each new real interface is connected to - it is also possible to have multiple real interfaces bridged to the same real interface on the host.

To create a new real network interface, the steps to follow are :

1. Select the system from the left menu, open the *System Configuration* category and click on *Network Interfaces*.
2. Underneath the list of existing interfaces, click the *Add a real interface* link.
3. The *Network interface name* field can generally be left unchanged, as Cloudmin will pick the next free `ethN` device on the virtual system.
4. If the virtual system has more than one bridge, select the one you want from the *Network bridge on host* menu.
5. Either enter an IP for the new interface from the *IP address* menu, or select *Allocate automatically* to have Cloudmin pick one from the allocation range you have specified for its host system.
6. Change the netmask if needed - but typically the default will work fine.
7. Click the *Create* button.

The new IP address should be immediately activated and pingable, and will be added to both the networking configuration files on the virtual system, and any virtualization config files on the host system.

Editing and Deleting Interfaces
-------------------------------

To change or remove an interface, do the following :

1. Select the system from the left menu, open the *System Configuration* category and click on *Network Interfaces*.
2. Click on the address for the interface you want to manage.
3. If it is a virtual interface (like `eth0:5`) or a real interface other than the first, you can click the *Delete* button to remove it.
4. Otherwise, change any of its details such as the IP, netmask or MAC address, and click *Save*.

Again, all changes will be activated immediately with the exception of a change in the MAC address. That will only take effect when the virtual system is shut down and started up again. Only Xen and KVM systems can have their MAC addresses changed, and only for non-virtual interfaces.

Changing the Default Gateway
----------------------------

Cloudmin can edit the default router on a running system with Webmin installed, or a down system with a supported Linux distribution (Redhat or Debian based). The steps to do this are :

1. Select the system from the left menu, open the *System Configuration* category and click on *Network Interfaces*.
2. Below the list of interfaces is a *Default gateway options* form.
3. Change or clear the gateway in the *Gateway IP address* field.
4. Click *Save*.

Be careful doing this on a running virtual system though, as you may cut off access to the Cloudmin master.

If the virtual system supports IPv6, you can also set a default gateway for IPv6 routing using this same form.

DHCP and MAC Addresses
----------------------

Cloudmin can be configured to set up the DHCP server on your master system to supply virtual machines with IP addresses. This can be useful if you want to use system images for operating systems that Cloudmin cannot configure the network on directly, such as Windows or FreeBSD.

The steps to set up a DHCP server are as follows :

1. Make sure the ISC DHCPd software is installed. On Redhat or CentOS systems, this can be done with the command `yum install dhcp`. On Debian or Ubuntu, the command is `apt-get install dhcp3-server`.
2. In Cloudmin, go to *Webmin* -> *Servers* -> *DHCP Server* , and add a subnet for the IP network that your virtual systems will be on.
3. Make any other configuration changes to the DHCPd settings that you want, such as on the *Edit Client Options* page. Here you can set default nameservers and gateways for your virtual systems.
4. Click the *Start Server* or *Apply Changes* button, and verify that DHCPd starts OK.
5. Go to *Cloudmin* -> *Cloudmin Settings* -> *Module Config* -> *DHCP settings*.
6. Change the *Add DHCPd host for virtual systems* option to *Yes*.
7. In the *Add DHCPd hosts to subnet* field, enter the IP address of the subnet that you added in step 2 above.
8. Click *Save*.
9. Create a new KVM or Xen virtual system, and ensure that it successfully adds a DHCP host entry during the creation process.

IPv6 Addresses
----------------------

When managing KVM, Xen or real systems running Linux with Cloudmin 5.6 or later, you can also enter IPv6 addresses for non-virtual network interfaces. However, only systems running Debian, Ubuntu, CentOS, Redhat or Fedora Linux are supported currently. IPv6 addresses can be added as follows :

1. Select the system from the left menu, open the *System Configuration* category and click on *Network Interfaces*.
2. Click on the address for the interface you want to add an IPv6 address to, such as `eth0`.
3. Enter an address such as `2001:db8:0:f101::77` and a netmask like `64` into the *IPv6 addresses* table. Make sure it is within a range that has been routed to your network.
4. Click the *Save* button.

Blocking IP Spoofing
-------------------------------
Even though Cloudmin assigns IP addresses to virtual systems, it is possible under some virtualization types for a user with `root` access to the system to bring up an additional network interface with an IP that hasn't been officially assigned. Such a user could also change the IP address or MAC address of the `eth0` interface. This could be used to evade bandwidth collection, and could cause IP clashes with other virtual or real systems.

Cloudmin version 6.5 and later can block this type of address spoofing by automatically setting up an EBtables firewall that only allows IP and MAC addresses assigned to the system. This requires that `ebtables` be installed on the host system, which fortunately is distributed as a standard package in most Linux distributions.
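
To show what a per-guest allowlist of this kind looks like at the `ebtables` level, the following added example (not Cloudmin's own code or the rule set it generates) prints rules for one guest so they can be reviewed before being run as root on the host. The function names, the `AS_` chain prefix, the `vnet0` bridge port name and the sample addresses are all assumptions.

```shell
#!/bin/sh
# Added illustration: print (not execute) an ebtables allowlist for one guest.
# Rule layout is an assumption, not the rule set Cloudmin itself generates.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_antispoof_rules IFACE MAC IP...
# IFACE is the host-side bridge port of the guest (hypothetical name: vnet0).
gen_antispoof_rules() {
    iface=$1; mac=$2
    [ "$#" -ge 3 ] || { echo "usage: IFACE MAC IP..." >&2; return 1; }
    shift 2
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    # Validate every address before printing anything, so output is all-or-nothing.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    chain="AS_$iface"
    echo "ebtables -N $chain"
    for ip in "$@"; do
        # IPv4 frames must carry the assigned MAC and an assigned source IP.
        echo "ebtables -A $chain -p IPv4 -s $mac --ip-src $ip -j RETURN"
        # ARP must agree in both the Ethernet header and the ARP payload.
        echo "ebtables -A $chain -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip -j RETURN"
    done
    # Everything else from this port is dropped, including IPv6 and DHCP
    # discovery (source 0.0.0.0); add explicit rules if the guest needs them.
    echo "ebtables -A $chain -j DROP"
    # Hook the chain for frames bridged onward and frames addressed to the host.
    echo "ebtables -A FORWARD -i $iface -j $chain"
    echo "ebtables -A INPUT -i $iface -j $chain"
}

# Constructed sample values: documentation-range IPs and a made-up MAC.
gen_antispoof_rules vnet0 52:54:00:12:34:56 192.0.2.10 192.0.2.11
```
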

To enable firewalling of unassigned IPs for an existing system, do the following :

1. Select the system from the left menu, open the *Resources* category and click on *Resource Limits*.
2. Change the *IP addresses to allow* field to *Only those assigned by Cloudmin*, and click *Save*.

Blocking of unassigned addresses will be activated immediately for running systems, and at the next boot for down systems. To undo this, select *All addresses* in step 2 instead. If the option is missing, double-check that the `ebtables` command is installed on the host system.

Firewalling can also be enabled at system creation time, via an option in the *Advanced options* section of the creation form. You can also enable it by default for new systems at *Cloudmin Settings* -> *Cloudmin Configuration* -> *KVM Settings* -> *Block spoofed IPs and MACs by default?* .