WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Routing with Xen-Bridge

To: "G.Wendebourg" <gw-hh@xxxxxx>
Subject: Re: [Xen-users] Routing with Xen-Bridge
From: John Lenz <jlenz2@xxxxxxxxxxxxx>
Date: Mon, 16 Oct 2006 16:07:59 -0500
Cc: Xen Users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Mon, 16 Oct 2006 14:09:06 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <45326BD6.6090004@xxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <45320689.20409@xxxxxxxxx> <5602FBDB-ADFC-4728-AFC4-994649B29869@xxxxxxxxxxxxxx> <45326BD6.6090004@xxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.7 (X11/20060922)
On 10/15/06 12:11, G.Wendebourg wrote:
> Is there any example-configuration, how to set up networking with a
> bridge, when my xen-system is located behind a router to the inet?
> 
> I'm now having the router with 192.168.0.1.
> 
> On my Xen 3.0 i have the bridge installed and thus eth0 and xenintbr
> running with the added vif's.
> 
> Which configuration might be assigned to the netdevices on the xen-system
> with the goal to enable the guests to make connections to the internet
> and also have a forwarding from outside to specific guests (relying on
> the port that's questioned from outside)?
> 
> It seems to be a very standard solution, but I didn't find out, how to
> realize it, after trying several configurations on my guest-systems and
> the Dom-0.
> What has been working was the connect between Dom-0 and guest and after
> configuring masquerading also connect from guest to the internet.
> Also I found, that after altering the network of some guest it was
> stopping its work, even if setting to the initial config and rebooting.
> 

Yes, I posted a patch called network-private to the xen-users list a
week ago or so

http://lists.xensource.com/archives/html/xen-users/2006-09/msg00925.html

Note there is one line in the attachment that got wrapped... near the top

"mac=${mac:-$(awk 'BEGIN { printf "00:16:3e:%02x:%02x:%02x", int(rand()*127), int(rand()*255), int(rand()*255); }')}"

needs to be one line.

I am convinced that most of the more complicated xen networking issues
can be resolved using network-private.  It creates a private network,
and vif0 in dom0 is connected to it.

In your example, you use xen-private to create a private network between
the dom0 and domUs.  Then you can set dom0 up as a router same as any
other router forgetting about xen completely... use shorewall or do
something like

iptables -t nat -A PREROUTING -i eth0 -d ipaddr -p tcp --dport whatever -j DNAT --to localaddr
iptables -t nat -A POSTROUTING -o eth0 -s localnetwork/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

and other rules in the FORWARD chain based on how you want to configure
security...

Also, since you set these rules independent of XEN, and the
configuration of the network is the SAME if xen is running or not
running, these rules in iptables are not affected so will just timeout
(or return "No route to host") if xen is not running.  Starting and
stopping doesn't change the network architecture.

John

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
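The dom0-as-router setup John sketches above (DNAT for inbound ports, MASQUERADE for outbound, ip_forward on) leaves the FORWARD chain policy to the reader. The script below is an added example, not from the original post or the Xen project: it generates that ruleset together with a default-DROP FORWARD chain that only admits the explicitly forwarded ports and already-established flows, so a domU is reachable on nothing but the port you chose. The interface name, the dom0 address 192.168.0.10 and the private network 10.0.0.0/24 are placeholders assumed for the example; the script prints the commands by default and only executes them when APPLY=1.

```shell
#!/bin/sh
# Added example: build the dom0 router ruleset for a private Xen network.
# All addresses below are assumed placeholders; override them via environment.
WAN_IF="${WAN_IF:-eth0}"              # interface toward the 192.168.0.1 router
DOM0_IP="${DOM0_IP:-192.168.0.10}"    # assumed dom0 address on that side
PRIV_NET="${PRIV_NET:-10.0.0.0/24}"   # assumed private domU network

# forward_rule PORT DOMU_IP: print the DNAT rule plus the matching FORWARD
# accept, so only the forwarded port reaches the guest from outside.
forward_rule() {
  port=$1
  dest=$2
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$DOM0_IP" "$port" "$dest" "$port"
  printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
    "$WAN_IF" "$dest" "$port"
}

# build_ruleset PORT:DOMU_IP ...: print the complete ruleset, one command
# per line. Order matters: policy and established-flow rule come first,
# per-port accepts next, NAT and forwarding sysctl last.
build_ruleset() {
  printf 'iptables -P FORWARD DROP\n'
  printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
  # guests may initiate outbound connections to the internet
  printf 'iptables -A FORWARD -s %s -o %s -j ACCEPT\n' "$PRIV_NET" "$WAN_IF"
  for spec in "$@"; do
    forward_rule "${spec%%:*}" "${spec#*:}"
  done
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$WAN_IF" "$PRIV_NET"
  printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
}

# rule_count PORT:DOMU_IP ...: number of commands the ruleset would run
rule_count() {
  build_ruleset "$@" | wc -l | tr -d ' '
}

# Usage: ./dom0-router.sh 80:10.0.0.2 22:10.0.0.3
# Dry run by default; APPLY=1 executes the commands (requires root).
if [ $# -gt 0 ]; then
  if [ "${APPLY:-0}" = "1" ]; then
    build_ruleset "$@" | sh -e
  else
    build_ruleset "$@"
  fi
fi
```

Review the printed rules before applying them: the FORWARD policy of DROP means any service you forget to list becomes unreachable from outside, which is the intended safe default.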
