WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] firewall xenU woes (help would be appreciated)

from [Adam Tworkowski] [Permanent Link][Original]
To: Marcus Brown <marcusbrutus@xxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] firewall xenU woes (help would be appreciated)
From: Adam Tworkowski <adam@xxxxxxxxxxxxxx>
Date: Sun, 28 Aug 2005 18:26:46 -0400
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Sun, 28 Aug 2005 22:25:19 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4312AA14.1010305@xxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <1125245716.28499.42.camel@xxxxxxxxxxxxxxxxxxxxx> <4312AA14.1010305@xxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
Hi Marcus,

I have the dummy module loaded on dom0 and several dummy interfaces
which show up with ifconfig.  They are configured as follows:

auto dummy0
iface dummy0 inet static
        address 192.168.254.1
        netmask 255.255.255.248
        network 192.168.254.0
        broadcast 192.168.254.7
        gateway 192.168.254.6
        post-up brctl addbr xen-br0 || true
        post-up brctl addif xen-br0 dummy0 || true
        post-up brctl delif xen-br0 dummy0 || true

Additional bridges configured in same manner.

Without intervention dom0 boots with 4 dummy interfaces
(dummy0,dummy1,etc.) and xen-br0.  This is apparent from ifconfig.
The additional bridges, however, do not load w/o intervention.  I have
to use the brctl command as per the above /etc/network/interfaces.

In /etc/xen/scripts/network I have the bridges mapped to the dummy
devices as so:

bridge=${bridge:-xen-br0}
netdev=${netdev:-dummy0}
bridge=${bridge:-xen-br1}
netdev=${netdev:-dummy1}
...

It is worth noting that the routing table shows something like the
following (having only brought up xen-br0 and xen-br1):

192.168.254.16 0.0.0.0       255.255.255.248 dummy2
192.168.254.24 0.0.0.0       255.255.255.248 dummy3
192.168.254.0  0.0.0.0       255.255.255.248 xen-br0
192.168.254.8  0.0.0.0       255.255.255.248 xen-br1
0.0.0.0        192.168.254.6 0.0.0.0         xen-br0

Does this look sound?

Also note that /proc/net/dev only shows network activity for dummy0 and
xen-br0 -- none for xen-br1 even though I have pinged the associated
address and attempt to have domU1 use xen-br1 (vif = 'backend=fw,
brige=xen-br1' ].

What else do you need from me to help troubleshoot?  

Adam    

On Mon, 2005-08-29 at 02:24 -0400, Marcus Brown wrote:
> Hi Adam,
> 
> Perhaps you could try loading the dummy modules in dom0 instead?
> Then attach your dom0 bridges to the dummy interfaces by replacing
> the netdev argument for "eth0" in /etc/xen/scripts/network with "dummy",
> and create auto scripts for the dummy interfaces that create bridges.
> 
> Sorry to be so brief ... just caught me before going to bed.
>     (Trying to work on a quote :) )
> If you get stuck perhaps you could provide more detail?
> 
> Regards,
> 
> Marcus.
> 
> 
> Adam Tworkowski wrote:
> 
> >Hi,
> >
> >Could someone please help me out with networking my firewall on xenU
> >configuration.  I have combed the list archives for posts on similar
> >configurations and getting bridging working properly but I am stuck and
> >generally confused.  I am trying to achieve the scenario below (ascii
> >borrowed from previous thread).
> >
> >               +------------------------+
> >               | physical machine, dom0 |
> >               |   +---------------+    |
> >-- Internet -------+ Firewall domU +--------- Intranet
> >               |   +------+--------+    |
> >               |          |             |
> >               |          |   DMZ       |
> >               |    +-----+------+      |
> >               |    |            |      |
> >               | +--+--+      +--+--+   |
> >               | |domU1|      |domU2|   |
> >               | +-----+      +-----+   |
> >               +------------------------+
> >
> >So far:
> >
> >- physical ethernet device (will be two later) hidden from dom0 (no issue) 
> >- domU (fw) using ethernet device -- has access to internet on eth0 (no 
> >issue)
> >
> >- domU1 and domU2 can only see domU when using bridge=xen-br0 although it 
> >appears that only on of the two can be active as if both are pinging domU 
> >there is much
> >packet.  Using vif = ['mac=xx.xx..., bridge=xen-br0'"].
> >
> >Should domU1 and domU2 should be using xen-br0 at all or should this only be 
> >for domU and the former be using xen-br1 and xen-br2 respectively.
> >
> >- I have attempted to have domU1 use vif = ['backend=fw'] without success
> >
> >- I have also attempted to created xen-br1,xen-br2 and have the non-fw domUs 
> >use these: vif = ['bridge=xen-br1']
> >
> >- Having searched the list, I have attempted to create dummy0, dummy1,etc. 
> >on the domU as suggested.  
> >
> >
> >I am hoping that someone can lay out what they have done to get this 
> >working.  My suspicion is that my bridging is not working correctly on dom0.
> >
> >Question:  what devices should be showing from 'ifconfig' on respective 
> >nodes (dom0, domU, domU1...)?  
> >
> >xen0 shows multiple vifs, xen-br0-4.
> >xenU shows eth0 - should it show vifs?
> >xenU1,2 shows eth0.  Should it show more? vifs?  
> > 
> >Maybe someone can share the output of their ifconfigs to compare.
> >
> >All my instance are running on Debian Sarge.
> >
> >Thanks in advance!
> >
> >
> >
> >
> >
> >
> >
> >
> >_______________________________________________
> >Xen-users mailing list
> >Xen-users@xxxxxxxxxxxxxxxxxxx
> >http://lists.xensource.com/xen-users
> >  
> >
> 
> 
> 



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  CONGRATULATIONS!!!, arielsbertis
Next by Date:  Re: [Xen-users] Why using X11 on local machine, Mark Williamson
Previous by Thread:  Re: [Xen-users] firewall xenU woes (help would be appreciated), Marcus Brown
Next by Thread:  Re: [Xen-users] firewall xenU woes (help would be appreciated), Marcus Brown
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy