Re: [Xen-users] Xen 3.4.2 networking help
Alexander Zherdev wrote:
A few follow-up questions:
1. Which network mode is best for this configuration? bridge, route, nat?
Personally, since you have a bunch of public IPs then I would suggest
avoiding NAT. By definition, NAT == Broken and it causes all sorts of
If you configure your Dom0 with a bridge, then each DomU can use a
public IP directly.
2. On my box, when I specified the IP in the vif section, it didn't
prevent anything nor did it assign that IP. I am booting into
Windows 2003 and 2008 DomU.
I'm not sure what, if anything, is done by setting an IP in the DomU
config! I vaguely recall that there is a mechanism for a PV guest to
get this and use it when configuring the network.
What you will need to do is configure iptables and/or ebtables (which
I haven't personally used) to limit what traffic is permitted from
each DomU. Ideally you want to restrict traffic both by source IP
address and by source MAC address - have you seen what happens when a
device uses a MAC address that's already in use?
The biggest issue with iptables and bridging is that you cannot
restrict traffic which is outbound from the machine with the bridge
(i.e. your Dom0) - you can restrict/control all inbound and forwarded
Unfortunately, to do this will mean running iptables/ebtables scripts
each time you start a guest and its new VIFs are configured. I'm not
aware of any pre-existing scripts to do this.
There is a third way, and that is to have a monitoring script that
detects a machine using an address it's not assigned - and to shut it
down. Having your host shut down from under you is likely to get your
attention and teach you not to do it again!
I'm not sure why you need to restrict IP traffic between guests.
While it's unlikely, one guest may have need of contact with another,
just as it will almost certainly have need of contact with other
hosts on the internet. Unless you are running an external firewall to
protect them all (in which case the guest-guest traffic would be
unprotected), there's really no difference from them being separate
hosts on the big bad internet and each should be configured with its
But really, apart from running a virtual network in Dom0, this is no
different from a network with multiple physical machines - i.e. it's a
general networking problem rather than a Xen problem.
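As an added illustration of the two approaches the reply sketches (per-VIF ebtables/iptables filtering by source IP and MAC, and a monitoring script that spots a guest using an address it was not assigned and shuts it down), here is a POSIX shell script that is not part of the thread or of Xen's own scripts. It assumes the usual Xen VIF naming `vif<domid>.<idx>`, the `xm` toolstack of Xen 3.x, ebtables' `[!]`-after-option negation syntax, and a constructed assignment table and observation list; the observed "vif mac ip" lines would in practice come from a sniffer on the bridge. Every privileged command is prefixed with `$RUN`, which defaults to `echo`, so the script only prints what it would do unless run as root with `RUN=` (empty).

```shell
#!/bin/sh
# Added example (not from the original thread): per-VIF source filtering and
# a detection pass for a bridged Xen Dom0. Assumed names: VIFs vif<domid>.<idx>,
# the xm toolstack, and a constructed assignment table below.
# Commands are prefixed with $RUN; the default RUN=echo only prints them.
# Run as root with RUN= (empty) to really execute ebtables/iptables/xm.
RUN="${RUN-echo}"

# vif_allow_rules VIF IP MAC: only frames carrying the assigned MAC and IP may
# pass from this VIF onto the bridge; anything else from it is dropped.
vif_allow_rules() {
  vif=$1 ip=$2 mac=$3
  # layer 2: frames with a source MAC other than the assigned one
  $RUN ebtables -A FORWARD -i "$vif" -s ! "$mac" -j DROP
  # ARP claiming a different sender IP (blocks IP takeover / ARP poisoning)
  $RUN ebtables -A FORWARD -i "$vif" -p ARP --arp-ip-src ! "$ip" -j DROP
  # IPv4 with a different source address
  $RUN ebtables -A FORWARD -i "$vif" -p IPv4 --ip-src ! "$ip" -j DROP
  # same check at layer 3 through the physdev match for bridged IP traffic
  $RUN iptables -A FORWARD -m physdev --physdev-in "$vif" ! -s "$ip" -j DROP
}

# detect_unassigned ASSIGNED OBSERVED: ASSIGNED holds "vif mac ip" lines,
# OBSERVED holds "vif src_mac src_ip" lines seen on the bridge. Prints one
# line "<vif> <reason> <mac> <ip>" per observation that breaks the assignment.
detect_unassigned() {
  {
    printf '%s\n' "$1"
    echo '---'
    printf '%s\n' "$2"
  } | awk '
    $0 == "---" { obs = 1; next }
    !obs && NF == 3 { mac[$1] = $2; ip[$1] = $3; next }
    obs && NF == 3 {
      if (!($1 in mac)) { print $1, "unknown-vif", $2, $3; next }
      if ($2 != mac[$1] || $3 != ip[$1]) print $1, "spoof", $2, $3
    }'
}

# shutdown_offenders REPORT: for every vif<domid>.<idx> in the report, destroy
# that domain (the "shut it down from under you" reaction from the reply).
shutdown_offenders() {
  printf '%s\n' "$1" | awk 'NF { print $1 }' | sort -u | while read -r vif; do
    domid=${vif#vif}
    domid=${domid%%.*}
    $RUN xm destroy "$domid"
  done
}

# Constructed sample data: domain 2 spoofs domain 1's IP and then its MAC too;
# vif9.0 is a guest that was never registered in the table at all.
ASSIGNED='vif1.0 00:16:3e:00:00:01 192.0.2.11
vif2.0 00:16:3e:00:00:02 192.0.2.12'
OBSERVED='vif1.0 00:16:3e:00:00:01 192.0.2.11
vif2.0 00:16:3e:00:00:02 192.0.2.11
vif2.0 00:16:3e:00:00:01 192.0.2.11
vif9.0 00:16:3e:00:00:09 192.0.2.19'

if [ "$#" -eq 3 ]; then
  # usage: ./vifguard.sh VIF IP MAC  -> emit/apply the filter rules for one VIF
  vif_allow_rules "$@"
else
  # no arguments: run the detection pass over the constructed sample data
  REPORT=$(detect_unassigned "$ASSIGNED" "$OBSERVED")
  printf '%s\n' "$REPORT"
  shutdown_offenders "$REPORT"
fi
```

The filter rules belong in the per-VIF hotplug path (Xen's `vif-bridge` script under `/etc/xen/scripts` is the natural place to call `vif_allow_rules`), which is exactly the "script each time a guest starts" the reply mentions; the ebtables rules catch spoofing at layer 2 and in ARP, which iptables alone cannot see, while the `physdev` rule covers plain IP. The detection pass is a coarser, after-the-fact control and only makes sense as a complement: by the time it fires, the spoofed frames have already reached the bridge.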