This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] LAN configuration?

Hi Marcus

On Wed, 2005-09-14 at 10:35 +1000, Marcus Brown wrote:

> For the LAN interface, hide the NIC from dom0 and export it to the
> Firewall driver domain. For an internal DMZ create a bridge in dom0
> (possibly tied to a dummy interface) without an IP assigned to it
> and export it to the firewall. Any domUs you want your LAN to access
> just need to have this bridge specified in their xen config, and the
> appropriate firewall rules for routing between the LAN and DMZ.

How is a bridge like that exported to the firewall?  I know how to
export a physical device, but not a bridge.  Is it done via a 'vif =
[....]' statement in the firewall domain's configuration script? 

> You could use the Firewall driver domain as a network backend for your
> domUs, but this results in a new vif being issued in the Firewall for
> each domU created, and can cause problems with firewalls like Shorewall.
> Hence my preference for an 'untethered' bridge.

Yeah, I tried doing that (specifying "backend=fw01" in the domU's
config), but since I have LAN and DMZ domUs on the host server, I could
not find a way to specify which vif created on the firewall was to be in
the DMZ and which was to be in the LAN :-(


P.S.: Replies to the list as opposed to my personal address are
preferred, as this information may be quite useful for others. :-)
