[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen4.4 HVM domains and routed setups

Alright, this looks pretty similar to my setup (i'm actually using two firewall-VMs spawning multiple seperate DMZs). But since I'm using vif-nat, you might just want to see what you can get out of it for your situation..

My basic idea was to not route everything precisly within the domU, but use vif-nat and some iptables magic to basically not give the virtual network cards IPs from the dom0 point of view and use conditional routing with multiple routing chains to basically tell the dom0 (if a package comes with destination adress a.b.c.d, put it into interface firewall1). For the domUs, this is transparent because they still got their IPs internally, you can restrict the movement quite a lot externally (massiv security plus cause for example dropping all packages when the webserver tries to communicate to the outside or preventing ddos before it hits a vm). If you want, I can explain this in more detail, but since you explicitly asked about the hvms, I try to concentrate on that:

I don't remember having much trouble with HVMs in a network scenario as long as you assign the IP internally (within windows) by hand.. the transfer of the IP from the domU config into windows seems not to be working. Besides that, my win domU config looks pretty much the same: vif = [Â 'mac=00:16:3E:0A:15:65, ip=192.168.9.5, vifname=work, model=e1000, bridge=xen1, script=vif-bridge' ]. This is from a bridged setup because this vm hangs in a secure zone which i have only bridged for convenience, but i'm pretty sure I had this working in my nat scenario at one time. Also make sure to have the PVHVM driver for windows installed. They help a great deal with performance and might as well with the network overall. Also, what device model are you using for your hvm? when using the non-traditional, you usually get a <vif-name> and a <vif-name>-emu interface within dom0. Maybe you get the traffic you are expecting on the vif-name actually on the vif-name-emu? tcpdump helps a great deal, here, to see what the devices are actually trying to do.

Also, as a backup plan when everything fails: Use a linux vm you already have for routing or firewall purposes, put one vif into bridge mode, and hook it up to a win-hvm in bridge mode on a seperate bridge. While this might not be the most beautiful solution, it works 100%.

I hope this helps a little. If you need some more details on something, just ask..






2014-05-26 20:50 GMT+02:00 Steffen Heil (Mailinglisten) <lists@xxxxxxxxxxxxxxx>:
Hi


> can you elaborate a bit more on what you actually want to do? Cause I guess you are trying to do something I've got working with a
> modified vif-nat setup and can be of help, but I would like to take the guesswork out of the equation first..

I have a server and I want to run several vms on it.
The server itself has one public ip (say 1.1.1.1) and a whole additional network (say 1.1.2.0/28) is routed to that server.

All my vms are running with a point-o-point setup, that is the vm knows it's own ip (say 1.1.2.5) and the hosts ip (1.1.1.1) and
routes every packet that is not for itself to the host.
The vif-route and network-route scripts are active and the configuration file has a line like the following:

vif = [ 'mac=00:16:3e:01:02:05,vifname=vm-fifth,ip=1.1.2.5' ] Â // works for linux pv

vif = [ "mac=00:16:3e:01:02:06,vifname=vm-sixth,ip=1.1.2.6,model=e1000" ]
 // used to work for hvm on modified 4.1, does not on unmodified 4.4

ip_forwading is enabled in the host.


That works for linux clients (there are actually two already running), but I cannot get it to work with my windows HVM guest.
Note that that worked with xen 4.1 and modified scripts and I still have that server running, so I can compare network settings but I
did not find the source of the problem.


What more details can I supply?


Regards,
 ÂSteffen





2014-05-26 18:47 GMT+02:00 Steffen Heil (Mailinglisten) <lists@xxxxxxxxxxxxxxx <mailto:lists@xxxxxxxxxxxxxxx> >:


    Hi


    I have a Xen 4.4 installation with Windows in a HVM domain and I need to use a routed setup.
    However the vif-route script does not work for HVM domains.

    So far I used an outdated Xen 4.1 installation with manually patched scripts that could do routed setups with HVM.
    But now I wanted to update and switch from xm to xl.

    Is there any way to make Xen work with HVM in a routed setup?
    Or do I have to revert to xm interface and try to adapt my patches to Xen 4.4?


    (On the IRC channel, someone recommended to use the scripts that are used by libvirt. So I downloaded the libvirt sources but I did
    not find any suitable replacement for vif-route.)

    BTW: I also have some linux pv machines that also need to work on the same host.


    Any hint is welcome.


    Regards,
     ÂSteffen


    _______________________________________________
    Xen-users mailing list
    Xen-users@xxxxxxxxxxxxx <mailto:Xen-users@xxxxxxxxxxxxx>
    http://lists.xen.org/xen-users




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.