Re: [Xen-users] Firewall in domU, networking in XEN
Hello Slawek,

I recently set up a Xen machine with a PFSense Router. I tested two NICs with passthrough and saw no change in intranet file transfer speeds, so personally I wouldn't recommend that.
For the configuration you described in your first email, with a single NIC entering the machine, and two separated internal networks for Virtual Machine groups, you will need three if not four bridged connections in Dom0.
I was using Debian and created my bridges in the /etc/networking/interfaces file. If you are working with the same, yours would look like this:

    auto lo xenbr0 xenbr1 xenbr2
    iface lo inet loopback

    iface eth0 inet manual

    # WAN-side bridge: carries the physical NIC, no Dom0 address
    iface xenbr0 inet manual
        bridge_ports eth0

    # internal-only bridges: "bridge_ports none" is needed for ifupdown
    # to create a bridge that has no physical port
    iface xenbr1 inet manual
        bridge_ports none

    iface xenbr2 inet manual
        bridge_ports none

Your chain of connections would be similar to:

    ISP Modem to eth0
    eth0 bridged to xenbr0
    xenbr0 bridged to WAN on DomU1
    xenbr1 bridged to LAN1 on DomU1
    xenbr2 bridged to LAN2 on DomU1
    xenbr1 bridged to DomU2
    xenbr2 bridged to DomU3

If you want to add more services to either bridge, you just add "bridge=xenbr#" in your network configuration files for any new HVMs.
In the configuration I provided, Dom0 does not have a connection. If you want to give it an address on either network, change "manual" to "static" or "dhcp" (static is controlled but requires additional lines).
My setup has two NICs with a switch, but only one internal network. My interfaces file is as follows:

    auto lo xenbr0 xenbr1
    iface lo inet loopback

    iface eth0 inet manual
    iface eth1 inet manual

    iface xenbr0 inet manual
        bridge_ports eth0

    iface xenbr1 inet static
        bridge_ports eth1
        address 10.0.0.2
        netmask 255.255.255.224
        gateway 10.0.0.1

Note that I ran into a problem on Debian where the DNS file on the machine (not interfaces, but I can't remember it offhand and am at work) did not update the gateway, so I had to manually update it, or add more lines to interfaces.
There may be more you will want to do on the eth0 bridge to secure it, but I am not a security specialist, just a tech enthusiast.

Hope that helps,
~Casey
On Mon, May 7, 2012 at 10:58 AM, Simon Hobson <linux@xxxxxxxxxxxxxxxx> wrote:
_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users
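An audit for the point made in the message about Dom0's address on a bridge (added example, not part of the original post and not code from Xen or Debian): it parses an interfaces file and reports any bridge that contains the WAN NIC while Dom0 is configured with "static" or "dhcp" on it. The sample file is constructed, and `parse_interfaces`, `audit` and the `wan_nic="eth0"` default are names assumed for this illustration.

```python
import re

# Constructed sample: the three-bridge layout from the post, except that
# xenbr0 was switched to dhcp so the audit has something to report.
SAMPLE = """\
auto lo xenbr0 xenbr1 xenbr2
iface lo inet loopback
iface eth0 inet manual
iface xenbr0 inet dhcp
    bridge_ports eth0
iface xenbr1 inet manual
    bridge_ports none
iface xenbr2 inet static
    bridge_ports none
    address 10.0.0.2
    netmask 255.255.255.224
"""

def parse_interfaces(text):
    """Return {iface: {"method": str, "options": {key: value}}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet6?\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), {"method": m.group(2), "options": {}})
        elif line.split()[0].startswith(("auto", "allow-", "source", "mapping")):
            current = None  # these lines end the current iface stanza
        elif current is not None:
            key, _, value = line.partition(" ")
            current["options"][key.replace("-", "_")] = value.strip()
    return stanzas

def audit(text, wan_nic="eth0"):
    """Flag bridges that give Dom0 an address on the segment holding wan_nic."""
    findings = []
    for name, st in parse_interfaces(text).items():
        ports = st["options"].get("bridge_ports", "").split()
        if wan_nic in ports and st["method"] != "manual":
            findings.append(f"{name}: Dom0 gets an address ({st['method']}) on the WAN bridge")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the real file with `audit(open(path).read())`; an empty list means the WAN-side bridge is still "manual" and Dom0 has no address in front of the firewall DomU.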