WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Ideal(istic) Xen firewall design

Hi all,

Marcus Brown wrote:

> I've got a coloured version (hey it's therapy!) with more domUs,
> but here's an ASCII version of the current design:
> 
> OPTION C-v3.1
> =============
>                                                 Internet
>                                                     |
>                                                   eth1
>             ________________________________________|__________________________________________
>             |       ________________________________|__________________________________       |
>             |       |                                                                 |       |
>             |       |                            Firewall                             |       |
> Local eth0 =|=======|                             (dom1)                              |=======|= eth2 DMZ
>             |       |_________________________________________________________________|       |   (optional)
>             |          |                      |                    |                          |
>             |        eth3                   eth4                 eth5                         |
>             |          |   ________________   |   ______________   |   _______________        |
>             |          |   | Proxy Server |   |   | Web Server |   |   | iPaq Server |        |
>             |          |   | (domU1)      |   |   | (domU2)    |   |   | (dom2)      |========|= USB Host #1
>             |          |   |______________|   |   |____________|   |   |_____________|        | (for BT Dongle)
>             |          |  /                   |  /                 |  /                       | ( and cradle )
>             |          | /                    | / _______________  | /                        |
>             |          |/                     |/  | Mail Server |  |/                         |
>             |          |                      |   | (domU3)     |  |                          |
>             |          |                      |   |_____________|  |                          |
>             |          |                      |  /                 |                          |
>             |          |                      | /                  |                          |
>             |          |                      |/                   |                          |
>             |       xen-br0                  br1                  br1                         |
>             |          |                      !                    !                          |
>             |       ___|_______________________________________________________________       |
>             |       |                                                                 |       |
>             |       |                              dom0                               |       |
>             |_______|_________________________________________________________________|_______|
> 

This setup works extremely well for my purposes.
I have, however, noticed network performance issues when scp'ing from dom0 to a client in the local 'Green Zone'.
Rather than the 4MB/s I'd expect (PIIX4 ata33 IDE with software raid), I'm only getting 1.4MB/s :(
(screen shots here: http://marcusbrutus.cust.internode.on.net/Computers/C3-1 )

I appreciate there's a lot more calculation going on, but still ...

> Mike Tierney wrote:
>>>> But it is still tempting to just do away with the separate firewall vm
>>>> and do all the firewalling in Dom0!


With this in mind, I might be prepared to change my setup to something like this:

OPTION C-v3.2
=============
                                                Internet
                                                    |
                                                  eth1
            ________________________________________|__________________________________________
            |       ________________________________|__________________________________       |
            |       |                                                                 |       |
            |       |                            Firewall                             |       |
            |       |                             (dom1)                              |=======|= eth2 DMZ
            |       |_________________________________________________________________|       |   (optional)
            |          |                      |                    |                          |
            |        eth3                   eth4                 eth5                         |
            |          |   ________________   |   ______________   |   _______________        |
            |          |   | Proxy Server |   |   | Web Server |   |   | iPaq Server |        |
            |          |   | (domU1)      |   |   | (domU2)    |   |   | (dom2)      |========|= USB Host #1
            |          |   |______________|   |   |____________|   |   |_____________|        | (for BT Dongle)
            |          |  /                   |  /                 |  /                       | ( and cradle )
            |          | /                    | / _______________  | /                        |
            |          |/                     |/  | Mail Server |  |/                         |
            |          |                      |   | (domU3)     |  |                          |
            |          |                      |   |_____________|  |                          |
            |          |                      |  /                 |                          |
            |          |                      | /                  |                          |
            |          |                      |/                   |                          |
            |       xen-br0                  br1                  br1                         |
            |          |                      !                    !                          |
            |          |  _____________________________________________________________       |
            |           \ |                                                           |       |
Local eth0 =|============+|                        dom0                               |       |
            |_____________|___________________________________________________________|_______|


However, as the bandwidth throughput issue would still remain for all the other domains, I'm not sure if there's a real benefit.
I have a burner in this machine, with the hopes of using it for domain filesystem backups in the future.

Can I assume that this performance would be improved dramatically using an MP machine (or HT)?

Are there other ways of improving this performance?

Appreciate your advice.

Marcus.


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users