xen-users
Re: [Xen-users] Bridging between two subnets
Pratik Amin wrote:
> I am currently trying to set up Xen in a very similar setup
> to: http://www.debian-administration.org/articles/360.
> We have a server provided by a dedicated server provider. We have 1
> public IP in the subnet with a gateway, and a range of secondary
> IPs (which are also public). I want the guest VMs to be able to
> use these public IPs; as far as I understand, they should be routing
> through the host.
I wouldn't do it that way myself. And if I did, I wouldn't use a
dummy interface for the second IP.
The situation you have is ideal for a routed environment.
The simplest setup is that you assign your single IP to the public
interface (an ethernet port not linked with a bridge in Xen), and you
assign one address from your second IP block to another interface,
which will need to be a bridge. The bridge will only need to have a
real ethernet port associated with it if you want machines other than
your VMs to have access to that subnet.
So if you looked at your interfaces on Dom0, you would have :
eth0: a.b.c.d
eth1 (Xen bridge attached to peth1): w.x.y.z/29
Def route: a.b.e.f dev eth0
Personally, I would use the pciback-hide facility to pass the outside
interface natively through to a VM on which you would run a 2-port
firewall and NOT connect the Dom0 to the outside world at all. So
Dom0 only has one bridge which carries the IP block, while a single
DomU has one real interface (with the single public IP) and one
virtual interface connected to the Xen bridge.
On Dom0 you might only have eth0 (a xen bridge with peth0 attached)
with say a 192.168.1.x address - it doesn't need to have a public IP.
On DomU you'd have :
eth0: a.b.c.d
eth1 (Xen VIF): w.x.y.z/29
Def route: a.b.e.f dev eth0
Obviously, the port numbers may be different.
In both cases you just need to enable IP forwarding and traffic will
flow. However, securing the second setup is easier as you would have
a more static collection of interfaces that makes the iptables config
somewhat simpler.
If you want to do it with a single ethernet port, then it's quite simple.
Setup your Dom0 as a plain vanilla single interface machine with
bridging. If you insist on giving Dom0 public IPs, then you will need
to do something like this (you don't mention your Distro, but the
article is for Debian) :
/etc/network/interfaces

  iface eth0 inet static
      address a.b.c.d
      netmask 255.255.0.0
      gateway a.b.e.f
      # secondary public IP: added when the interface comes up, removed before it goes down
      post-up ip addr add w.x.y.z dev eth0
      pre-down ip addr delete w.x.y.z dev eth0
This will simply add the second IP address when the interface comes
up, and drop it before it goes down. If using Shorewall, you'd need
to set "routeback" on the interface or packets aren't allowed to
egress through the same physical port they came in on. I'm not sure
if this means you would need to change rp_filter
(/proc/sys/net/ipv4/conf/eth0/rp_filter).
http://lartc.org/howto/lartc.kernel.html
Note that the packets are still routed by Dom0 (or DomU if you set
this up in a VM), the only difference is that you are using the same
physical connection for both subnets.
PS - please use plain text so people don't have to spend time weeding
out crap like
"<http://www.debian-administration.org/articles/360>http://www.debian-administration.org/articles/360"
when they reply !
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
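The two-interface routed setup described in the reply (outside port with the single provider IP, Xen bridge carrying the routed block, IP forwarding plus a default-deny forwarding policy), as an added example that is not part of the original post or of Xen. It applies equally to Dom0 or to the firewall DomU that owns the passed-through NIC. Every address is a constructed placeholder from the RFC 5737 documentation ranges, the interface names, the guest at 198.51.100.10 and the allowed ports 80/443 are assumptions; run it with no arguments to print the commands, or as root with "apply" to execute them.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally
# applies) the addressing, forwarding and iptables commands for a router
# with one outside port and one Xen bridge carrying a routed /29.
# All values below are constructed placeholders; replace with the
# provider's real addresses.

OUT_IF="eth0"              # outside interface, single provider-assigned IP
OUT_IP="192.0.2.10/24"     # a.b.c.d in the post (assumed /24)
OUT_GW="192.0.2.1"         # a.b.e.f in the post
IN_IF="eth1"               # Xen bridge carrying the routed block
IN_NET="198.51.100.8/29"   # w.x.y.z/29 in the post
IN_GW="198.51.100.9"       # router's own address in the block; guests use it as default gateway
WEB_VM="198.51.100.10"     # assumed guest reachable from outside on tcp/80,443

# Print the configuration as a list of shell commands (comments start with #).
router_cmds() {
    cat <<EOF
# addressing
ip addr replace $OUT_IP dev $OUT_IF
ip addr replace $IN_GW/29 dev $IN_IF
ip route replace default via $OUT_GW dev $OUT_IF
# forwarding; strict reverse-path filtering stays on: the /29 is directly
# connected on $IN_IF, so guest traffic passes the check while spoofed
# sources arriving on the wrong interface are dropped by the kernel
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$OUT_IF.rp_filter=1
sysctl -w net.ipv4.conf.$IN_IF.rp_filter=1
# forwarding policy: default deny, explicit allows
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IN_IF ! -s $IN_NET -j DROP
iptables -A FORWARD -i $OUT_IF -s $IN_NET -j DROP
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $IN_NET -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $IN_IF -d $WEB_VM -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Number of explicit FORWARD rules the generator emits (used as a sanity check).
forward_rule_count() {
    router_cmds | grep -c '^iptables -A FORWARD'
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        router_cmds | grep -v '^#' | sh -e
        ;;
    *)
        router_cmds
        ;;
esac
```

For the single-port variant the reply ends with (secondary IP on the same eth0), set IN_IF to the same interface as OUT_IF and drop the two interface-based anti-spoof DROP rules, since guest traffic then enters and leaves through the same port; the accept rules and the forwarding sysctls are unchanged.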