Re: [Xen-users] Bridging between two subnets
Pratik Amin wrote:

> I am currently trying to set up Xen in a very similar setup to:
> http://www.debian-administration.org/articles/360
> We have a server provided by a dedicated server provider. We have 1 public IP in the subnet with a gateway, and a range of secondary IPs (which are also public). I want the guest VMs to be able to use these public IPs; as far as I understand they should be routing through the host.

I wouldn't do it that way myself. And if I did, I wouldn't use a dummy interface for the second IP.

The situation you have is ideal for a routed environment. The simplest setup is that you assign your single IP to the public interface (an ethernet port not linked with a bridge in Xen), and you assign one of your second IP block to another interface which will need to be a bridge. The bridge will only need to have a real ethernet port associated with it if you want machines other than your VMs to have access to that subnet. So if you looked at your interfaces on Dom0, you would have:

  eth0: a.b.c.d
  eth1 (Xen bridge attached to peth1): w.x.y.z/29
  Def route: a.b.e.f dev eth0

Personally, I would use the pciback-hide facility to pass the outside interface natively through to a VM on which you would run a 2 port firewall and NOT connect the Dom0 to the outside world at all. So Dom0 only has one bridge which carries the IP block, while a single DomU has one real interface (with the single public IP) and one virtual interface connected to the Xen bridge. On Dom0 you might only have eth0 (a Xen bridge with peth0 attached) with say a 192.168.1.x address - it doesn't need to have a public IP. On DomU you'd have:

  eth0: a.b.c.d
  eth1 (Xen VIF): w.x.y.z/29
  Def route: a.b.e.f dev eth0

Obviously, the port numbers may be different.

In both cases you just need to enable IP forwarding and traffic will flow. However, securing the second setup is easier as you would have a more static collection of interfaces that makes the iptables config somewhat simpler.

If you want to do it with a single ethernet port, then it's quite simple. Set up your Dom0 as a plain vanilla single-interface machine with bridging. If you insist on giving Dom0 public IPs, then you will need to do something like this (you don't mention your distro, but the article is for Debian):

/etc/network/interfaces

  iface eth0 inet static
      address a.b.c.d
      netmask 255.255.0.0
      gateway a.b.e.f
      post-up ip addr add w.x.y.z dev eth0
      pre-down ip addr delete w.x.y.z dev eth0

This will simply add the second IP address when the interface comes up, and drop it before it goes down. If using Shorewall, you'd need to set "routeback" on the interface or packets aren't allowed to egress through the same physical port they came in on. I'm not sure if this means you would need to change rp_filter (/proc/sys/net/ipv4/conf/eth0/rp_filter).
http://lartc.org/howto/lartc.kernel.html

Note that the packets are still routed by Dom0 (or DomU if you set this up in a VM), the only difference is that you are using the same physical connection for both subnets.

PS - please use plain text so people don't have to spend time weeding out crap like "<http://www.debian-administration.org/articles/360>http://www.debian-administration.org/articles/360" when they reply !

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
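The single-port variant above as an added, runnable example (not code from the thread or from Xen): it renders the /etc/network/interfaces stanza for one port carrying both addresses, and audits the two kernel knobs the reply names, ip_forward (must be 1 for routed DomU traffic to flow) and the interface's rp_filter mode. The interface name eth0, the a.b.c.d/w.x.y.z placeholders and the function names are assumptions; the audit can be pointed at a constructed proc tree for testing.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Interface name and
# addresses are placeholders taken from the reply.

# Emit the /etc/network/interfaces stanza for one port that carries the
# primary address plus a secondary address from the routed block.
render_stanza() {
    iface=$1 addr=$2 mask=$3 gw=$4 secondary=$5
    printf 'auto %s\niface %s inet static\n' "$iface" "$iface"
    printf '    address %s\n    netmask %s\n    gateway %s\n' "$addr" "$mask" "$gw"
    printf '    post-up ip addr add %s dev %s\n' "$secondary" "$iface"
    printf '    pre-down ip addr delete %s dev %s\n' "$secondary" "$iface"
}

# Audit the routing host (Dom0, or the firewall DomU in the two-port design).
# $1 = root under which /proc lives ("" for the live system), $2 = interface.
# Prints both settings; returns 0 only when ip_forward is enabled.
audit_forwarding() {
    root=$1 iface=$2
    fwd=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null) || fwd=missing
    rpf=$(cat "$root/proc/sys/net/ipv4/conf/$iface/rp_filter" 2>/dev/null) || rpf=missing
    case $rpf in
        0) rpf_desc=off ;;      # no reverse-path check
        1) rpf_desc=strict ;;   # source must route back via the ingress port
        2) rpf_desc=loose ;;    # source must be reachable via any port
        *) rpf_desc=unknown ;;
    esac
    echo "ip_forward=$fwd rp_filter($iface)=$rpf ($rpf_desc)"
    [ "$fwd" = 1 ]
}

# Usage on the live machine: show the stanza, then check the forwarding state.
render_stanza eth0 a.b.c.d 255.255.0.0 a.b.e.f w.x.y.z
audit_forwarding "" eth0 || echo "ip_forward is off: DomUs behind this host will not reach the gateway"
```

With both subnets on the same port, strict rp_filter still sees the ingress port as the best return path, so the setting matters more for the two-port design; the audit prints it so the choice is made deliberately rather than discovered during an outage.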