Re: [Xen-users] Should VMs' IP addresses be on the same subnet as the Dom0 and other boxes on our LAN?

[Simon Hobson <linux@xxxxxxxxxxxxxxxx>]

gregk.xen@xxxxxxxxxxxxx wrote:

> I've one question about assigning VM's IP addresses.  Basically, what
> _should_ I do about assigning VM IP addresses?
Short answer - whatever is right for *your* network !
Xen just doesn't care, and it doesn't impose any restrictions. Think 
of the bridge in Dom0 as "just another switch" and you're near enough 
there.
> What I have right now is pretty basic.
>
> Internet
>   |
>   |
>   |  X.X.X.X/29
> Firewall+Router: 10.0.0.1
>   |  10.0.0.1/24
>   |
>   |
> Ethernet Switch
>   |
>   |---- my Desktop: eth0:10.0.0.2
>   |
>   |---- Server Dom0: eth0:10.0.0.3
>              |
>              |---- VM#1 (Mail Server): bridge:10.0.0.4
>
> Mail sent from the outside to my network gets a NAT redirect to the Mail
> Server @ 10.0.0.4.
>
> Works great.
Yes, I'd expect it to. Most of us running home servers will have 
something similar.
> My question is:
>
> For security, or performance, or general Xen, reasons, should I change
> that "VM#1 (Mail Server)" IP address to a different subnet.  Like
> 10.100.0.1/24?  And do some sort of routing somewhere?
Well there is an argument for not running public servers on the same 
network as your internal stuff - so that should someone compromise 
your public facing server, they still have another layer of security 
before they can get to your LAN. On the other hand, lots and lots of 
people (including myself) have a setup just like yours.
> Instead of having mail traffic passthrough 'through' the Dom0 to the VM,
> is it better to have a second, real Ethernet card assigned to the VM,
> and do this instead:
>
> Internet
>   |
>   |
>   |  X.X.X.X/29
> Firewall+Router: eth0: 10.0.0.1, 10.100.0.1
>   |  10.0.0.1/24, 10.100.0.1/24
>   |
> Ethernet Switch
>   |
>   |-------------------------------------------------------------|
>   |                                                             |
>   |                                                             |
>   |---- my Desktop: eth0:10.0.0.2                               |
>   |                                                             |
>   |---- Server Dom0: eth0:10.0.0.3                              |
>              |                                                  |
>              |---- VM#1 (Mail Server): bridge:10.0.0.4          |
>                               |                                 |
>                               |----: 'real' eth1:10.100.0.4 ----|
Unless your hardware has hardware IO Emulation then I don't think 
this would help at all - Dom0 still has to route the packets, just at 
the PCI emulation level instead of layer 2 network. Or that's my 
understanding anyway.
But I wouldn't bother - your mail server isn't going to be running up 
huge loads in Dom0. I've got servers running much larger IO loads and 
it's not an issue for me.
For completeness though, it is true that Dom0 can be a bottleneck for 
network IO as I believe (from comments posted here) the packet 
handling code is single threaded. Unless your internet connection is 
rated in gigabits *and* you use it, then it's not going to be an 
issue for your mail server !
Now, given that you have 5 public IPs available, I'd be tempted to do 
something different for different reasons. This is just one of those 
"this is my preference things" - it's very subjective and a matter of 
preference.
I'd make a separate switch for your X.X.X.X/29 subnet and put my 
public facing servers there - no NAT to f**k up stuff. Yes, I have 
this think about NAT, and especially about people who think it's the 
best thing since sliced bread - NAT == broken.
It does depend on how your internet, and the IPs, are provided. On 
our ADSL lines we use PPPoA and with the right modem can use PPPoE at 
our end - or as I've got, PPPoEoA !. Typically one of the public IPs 
is used for our end of the PPP link and "it just works" to use that 
same address on the ethernet side. If your internet is provided as an 
ethernet connection, then proxy ARP might be required.
So you'd still use NAT from your LAN to the internet, but your 
servers would be on public IPs in a DMZ.
Or, you can just use the public IPs as the mapped address for NAT and 
it still works for most stuff (mail included).
NB - At home the block you have labelled as Firewall+Router is a 
guest on my Xen host. I used to have a separate physical NIC given 
over to this with PCI passthrough, but at the moment I'm using a 
single NIC as my new box is very light on slots and I'm using PPPoE 
which means the modem itself can be on the LAN. At some point I'll 
probably pick myself up a small switch that can do VLANs and split 
them out again.
--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users