
Re: [Xen-users] Firewall in domU, networking in XEN



Hello Slawek,

I recently set up a Xen machine with a PFSense Router.

I tested two NICs with passthrough and saw no change in intranet file transfer speeds, so personally I wouldn't recommend that.


For the configuration you described in your first email, with a single NIC entering the machine, and two separated internal networks for Virtual Machine groups, you will need three if not four bridged connections in Dom0.


I was using Debian and created my bridges in the /etc/networking/interfaces file.  If you are working with the same, yours would look like this:



auto lo xenbr0 xenbr1 xenbr2
iface lo inet loopback
iface eth0 inet manual
iface xenbr0 inet manual
    bridge_ports eth0
iface xenbr1 inet manual
    bridge_ports none    # bridge with no physical NIC; without a bridge_ports line ifup does not create it
iface xenbr2 inet manual
    bridge_ports none

Your chain of connections would be similar to:

ISP Modem to eth0
eth0 Bridged to xenbr0
xenbr0 bridged to WAN on DomU1
xenbr1 bridged to LAN1 on DomU1
xenbr2 bridged to LAN2 on DomU1
xenbr1 bridged to DomU2
xenbr2 bridged to DomU3

If you want to add more services to either bridge, you just add "bridge=xenbr#" in your network configuration files for any new HVMs.

In the configuration I provided, Dom0 does not have a connection. If you want to give it an address on either network, change "manual" to "static" or "dhcp" (static is controlled but requires additional lines).


My setup has two NICs with a switch, but only one internal network.  My interfaces file is as follows:

auto lo xenbr0 xenbr1
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
iface xenbr0 inet manual
    bridge_ports eth0
iface xenbr1 inet static
    bridge_ports eth1
    address 10.0.0.2
    netmask 255.255.255.224
    gateway 10.0.0.1

Note that I ran into a problem on Debian where the DNS file on the machine (not interfaces, but I can't remember it off hand and am at work) did not update the gateway, so I had to manually update it, or add more lines to interfaces.

There may be more you will want to do on the eth0 bridge to secure it, but I am not a security specialist just a tech enthusiast.

Hope that helps,

~Casey

On Mon, May 7, 2012 at 10:58 AM, Simon Hobson <linux@xxxxxxxxxxxxxxxx> wrote:
Sławek Kosowski wrote:
I need to clarify the ethernet interface setting.
I found this link: http://old-list-archives.xen.org/archives/html/xen-users/2006-02/msg00602.html

Since I will have only one NIC at dom0 that I will passthrough to domU1, which interface do I choose for dom0 to be bridged with domU1 ?

None at all. You can have a bridge with no physical NICs assigned to it.


I enclose the drawing in the attachment.
If I make a PCI passthrough for eth device, is it assigned to vif1.0 in domU1 ?
I understand that I make the bridges in domU0 ?

That would be Dom0, not DomU0.
If you passthrough the NIC to the firewall DomU then it will appear as ETH<n> in DomU - there will be no VIF associated with it.

On your drawing, delete "peth0" in Dom0 (it's in the wrong place anyway BTW*), so "net" connects directly to eth0 in Dom1. Dom0 will have an IP address on br0 - ie br0 will be its interface when you do "ifconfig".


This is completely different to the technique in the post you link to.
If you delete peth1 from the diagram in that post then you'll have more or less what you want - br1 and br2 are the internal bridges, and you connect virtual machines (including Dom0) to whichever you want. Again, for Dom0 you just give it an IP address on br<n> and it will work.

Both methods will work, which you use is largely a matter of preference.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
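The bridge layout Casey describes (one bridge carrying the physical WAN NIC, internal bridges with no physical ports, and dom0 kept off the WAN bridge unless it really needs an address there) can be checked mechanically from /etc/network/interfaces. The following is an added example, not code from the thread, from Xen or from Debian; `parse_interfaces` and `audit_bridges` are hypothetical helpers, and the interfaces text is constructed for the example (it repeats the three-bridge layout, but gives dom0 a DHCP address on the WAN bridge and leaves xenbr2 without a bridge_ports line, the two mistakes the audit is meant to catch).

```python
"""Audit a Debian ifupdown interfaces file for the Xen firewall bridge layout.

Hypothetical helper written for this example; not part of Xen or Debian.
"""

# Constructed sample: Casey's three-bridge layout, with dom0 given a DHCP
# address on the WAN bridge and xenbr2 lacking a bridge_ports line.
SAMPLE_INTERFACES = """\
auto lo xenbr0 xenbr1 xenbr2
iface lo inet loopback
iface eth0 inet manual
iface xenbr0 inet dhcp
    bridge_ports eth0
iface xenbr1 inet manual
    bridge_ports none
iface xenbr2 inet manual
"""


def parse_interfaces(text):
    """Return {iface: {"method": str, "options": {key: value}}} from ifupdown syntax."""
    ifaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            # "iface NAME FAMILY METHOD" opens a new stanza
            current = words[1]
            ifaces[current] = {"method": words[3], "options": {}}
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None                    # top-level keywords, not stanza options
        elif current is not None:
            ifaces[current]["options"][words[0]] = " ".join(words[1:])
    return ifaces


def audit_bridges(ifaces, wan_nics=("eth0",)):
    """Return (bridge, finding) tuples for bridges named xenbr*.

    wan_nics lists the physical NICs that face the ISP; a bridge containing one
    of them should be 'inet manual' so that only the firewall domU is reachable
    from the outside.
    """
    findings = []
    for name, cfg in ifaces.items():
        if not name.startswith("xenbr"):
            continue
        ports = cfg["options"].get("bridge_ports")
        if ports is None:
            # Debian's bridge hook only builds the bridge when bridge_ports is present
            findings.append((name, "no bridge_ports line; use 'bridge_ports none' "
                                   "so ifup creates the bridge"))
            continue
        port_set = set(ports.split()) - {"none"}
        if port_set & set(wan_nics):
            if cfg["method"] in ("static", "dhcp"):
                findings.append((name, "dom0 has an IP on the WAN bridge; use 'inet manual' "
                                       "so only the firewall domU faces the ISP"))
        elif not port_set:
            findings.append((name, "internal-only bridge (no physical ports)"))
    return findings


if __name__ == "__main__":
    for bridge, finding in audit_bridges(parse_interfaces(SAMPLE_INTERFACES)):
        print(f"{bridge}: {finding}")
```

The parser treats any line after an `iface` stanza header as an option of that stanza until the next `iface`, `auto` or similar keyword, which matches how ifupdown reads the file; the audit then only reasons about `bridge_ports` and the address method, which is all the thread's layout depends on.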

