
Anyone else having Virtual MAC issues?


IainK
14-04-2010, 22:28
Well first off I'm trying to write an application to run in the background on my iPhone and force a VPN connection to stay active, that way I should be given an IP address I know and can trust inside the network.
I have a little 8 IP RIPE block to use for our admins to allocate them IPs that will be allowed to do various things on the servers, it just so happens that I've been so busy with work that I haven't had a chance to check it all out and get it correctly configured.

I like your method too, though, and it could certainly add an extra element of security to the setup. As it stands now only RSA key access to SSH is allowed and the private keys are stored on each device. I assume that by the time anyone can crack the passcode for the keys I will have noticed my/other admins' device missing and will have had the key revoked server side.

hokapoka
14-04-2010, 18:40
Iain,

RE: ICMP pings and "IP address changes literally every few minutes"...

I'm not sure what IPs you are referring to (your RIPE/OVH IPs for the server, or client IPs); I'm assuming you are referring to the mobile phone's IP.

Have a look at using IPSets, I use these with Shorewall which really is just a tool to manage IPTables.

I dynamically Allow/Disallow IP Addresses via the IPSets. In fact all source IPs are blocked. This means that access to my main applications is blocked, with the exception of a public authentication server. Once a user has authenticated on the server, the application updates the IPSet with the user's IP address and passes the subsequent requests to the respective server.

Once the activity has stopped for a given period, or the user has actually logged out, the IP is then removed from the IPSets. So even if a user accessed the server on a public machine, after 20 mins or so of inactivity, the IP of the public machine is removed.

On the mobile phone, I have a single URL which requires a PIN this then updates the IPSet, then the mobile can access any of the services on a selected server directly.

While I've had to create scripts to work out which IPs are to be allowed and handle the bash commands, they are really very simple and anyone with minimal development experience would be able to write something that suited your needs.

I really like knowing that none of the services can be accessed by anyone and it's handled at the firewall, and then only once the user has authenticated are the selected ports opened, and only for that IP for a short period of time.

That being said, I only use the Mobile PIN auth when I can connect to my workstation from the mobile, which has been all of once or twice in vain. Normally, I connect via ssh to my workstation and then re-attach to a screen session which has other ssh sessions connected to the servers.

In fact I find using putty on my nokia so amazingly solid. Once I connect to my workstation and I then drove 200+ miles with the phone in my pocket, flipped it out and was still connected to the server (via the workstation). Drove back and it was still connected!

Maybe you should give that method a go. Especially, if you don't need to secure up additional Servers in the tinfoil hat method I've been doing!

hoka
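
The scheme hokapoka describes above (an authenticated client's IP added to an IPSet, refreshed while active, dropped on logout or after about 20 minutes idle), sketched as an added example that is not part of the thread and not hokapoka's own scripts. The set name `authed`, the 1200-second timeout and the function names are assumptions; it uses current `ipset` syntax and only prints the commands unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: set "authed", 20 min timeout.
SET_NAME="authed"
IDLE_TIMEOUT=1200          # seconds of inactivity before an entry expires
DRY_RUN="${DRY_RUN:-1}"    # 1 = print commands only; 0 = apply them (needs root)

# Accept only a strict dotted-quad IPv4 address, so input handed over by the
# web application can never smuggle extra arguments into a firewall command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac      # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One-time setup: a set whose entries expire by themselves, plus the rule that
# accepts sources in it. Everything else stays blocked by the existing policy.
setup() {
    run ipset create "$SET_NAME" hash:ip timeout "$IDLE_TIMEOUT" -exist
    run iptables -I INPUT -m set --match-set "$SET_NAME" src -j ACCEPT
}

# Call after a successful login and on each authenticated request:
# re-adding with -exist resets the entry's timeout, so only idle IPs expire.
allow_ip() {
    valid_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 1; }
    run ipset add "$SET_NAME" "$1" timeout "$IDLE_TIMEOUT" -exist
}

# Call on explicit logout.
revoke_ip() {
    valid_ipv4 "$1" || return 1
    run ipset del "$SET_NAME" "$1" -exist
}

# Constructed sample address (documentation range), dry run only.
if [ "$DRY_RUN" = 1 ]; then
    setup; allow_ip 203.0.113.7; revoke_ip 203.0.113.7
fi
```

Because expiry is enforced by the set's own timeout, a crashed or forgotten session still loses access without any cleanup job.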

IainK
14-04-2010, 17:26
I will respond to my ticket. I did attempt to create multiple NICs in a VM and it's possible that Xen didn't pass the second MAC address properly. However I didn't attempt this before, so if it's the same problem as before then there's definitely an issue and it's something I want to get sorted out.

fozl
14-04-2010, 12:24
IainK, Angy's answered your ticket. Looks like the problem has returned though, for the second time. A 9th invalid MAC on your switch port appears when there should only be 8, do you know what that's about?

IainK
13-04-2010, 18:00
I would have used a method like demonstrated in that guide however it presents a problem should I wish to ping the server from my cell phone. As the IP address changes literally every few minutes it's near impossible to keep up with it in iptables.

marks
13-04-2010, 15:33
You can have the best of both worlds. Just configure the firewall following the guide:

http://help.ovh.com/Firewall

Basically you'll be allowing our monitoring servers to ping your server. You can drop all the rest of the ICMP traffic.

IainK
13-04-2010, 14:22
I disabled monitoring because I had hardened the firewall on the server to stop ICMP packets and this caused the OVH monitoring to continually try and schedule interventions. However at some point I realised that having it pingable can help somewhat so removed that limitation from the firewall. Hadn't really remembered to re-enable the monitoring for the server, I'll do that now.

fozl
13-04-2010, 10:55
IainK, I'm chasing this, could you say why you have disabled monitoring on the server?

IainK
09-04-2010, 20:06
Well I can only hope that my ticket is dealt with tomorrow.

My last ticket in regards to IP problems took over a week to receive a response by which point I had moved IPs around and got 3 working on the server in question. Still have 5 or so IPs that I cannot use due to some routing problems. At least I assume so... If they were fixed I was not informed.

rickyday
09-04-2010, 20:00
Quote Originally Posted by IainK
If your problem is the same as mine then it's easy to identify. To reproduce:
1) Login to your manager at www.ovh.co.uk/managerv3
2) Select your server from the drop down menu at the top of the page
3) Click on 'Summary' in the 'Dedicated Servers' menu
4) Direct your gaze at the 'Interfaces' area particularly 'Switch:'


If yours looks like mine below then it's the same issue. [Note: this is not a new server, this is a server I have had for a long time and it's in RBX2, VMAC has been working fine for months; since it was released to customers.]

TBH as my problem has been resolved a good few weeks ago, I've no idea if the switch was showing or not when I had the issue.

It was swiftly resolved tho which is nice, OVH were extremely fast with this ticket.

IainK
09-04-2010, 19:56
If your problem is the same as mine then it's easy to identify. To reproduce:
1) Login to your manager at www.ovh.co.uk/managerv3
2) Select your server from the drop down menu at the top of the page
3) Click on 'Summary' in the 'Dedicated Servers' menu
4) Direct your gaze at the 'Interfaces' area particularly 'Switch:'


If yours looks like mine below then it's the same issue. [Note: this is not a new server, this is a server I have had for a long time and it's in RBX2, VMAC has been working fine for months; since it was released to customers.]



Given that I run nothing on the host box (Dom0) of this server, not having the VMAC functionality really leaves me completely unable to use my IPs unless I use proxy ARP. Then I run the risk of having my server disconnected as another member has due to load problems on vss-2-6k.

I think, by definition, this situation is "a catch 22". Run the risk of losing new clients; or possibly lose current clients by enabling something that could have the whole server shut off.

rickyday
09-04-2010, 19:48
I had problems with Virtual Macs until I raised a ticket and then the problem was swiftly resolved.

Just what is the issue with Virtual Macs OVH?

If I add a RIPE block and assign them with Virtual Macs I'm now wondering if they are going to work or not?

Is this issue related to RBX 3?

IainK
09-04-2010, 18:59
It is the same issue yes. I didn't expect any response last night, considering I called 5 minutes shy of closing and sent my ticket later, but I would have liked at least a response to my ticket by closing tonight.

I've checked with a few OVH account holders and none of them are having this issue so I find it rather worrying and extremely inconvenient that it only seems to be affecting me (or perhaps anyone else ordering a new IP block expecting rapid deployment too).

The Ticket ID is: 415981.

Other than this issue I have to say my experience with the Virtual MAC interface has been great. However if this can happen on a regular basis, with something as trivial as ordering additional IP addresses, then I really have to question how feasible this solution is for live production use.

fozl
09-04-2010, 16:04
This the issue you phoned about yesterday? Could you give me the ticket number so I can check up on it?

IainK
09-04-2010, 15:26
This is a joke. I buy more IPs and this breaks the functionality I wanted to use them with. Christ. It seems every delay I have to pass on to customers comes from some issue in OVH's service... I'm starting to wonder if I would make more money by spending more elsewhere. :/

Probably be waiting another week for anyone to even bother responding to my ticket (not the first time) *sigh*

YouWhat
08-04-2010, 20:49
No, all mine working correctly, and I'm in the dreaded RBX-3

IainK
08-04-2010, 18:21
Just ordered a new RIPE IP Block for my server and found out that the switch isn't being reported in manager correctly. It was definitely fine a few days ago as I was using the Virtual MAC adding and removing MACs.
Under Dedicated Servers -> Summary; the following is shown:
IP : 94.23.238.XXX
IPv6 : 2001:41D0:X:XXXX::/64
MAC : 00:1C:C0:XX:XX:XX
Reverse : XXX.xn3.co.uk
Switch : /
Other than some things being X'd out the switch as shown is not reported correctly. Anyone else having this issue on their server(s)?