WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Bridging between two subnets

Pratik Amin wrote:

> I am currently trying to set up Xen in a very similar setup to: http://www.debian-administration.org/articles/360.
>
> We have a server provided by a dedicated server provider. We have 1 public IP in the subnet with a gateway, and a range of secondary IPs (which are also public). I want the guest VMs to be able to use these public IPs; as far as I understand they should be routing through the host.

I wouldn't do it that way myself. And if I did, I wouldn't use a dummy interface for the second IP.

The situation you have is ideal for a routed environment.

The simplest setup is that you assign your single IP to the public interface (an ethernet port not linked with a bridge in Xen), and you assign an address from your second IP block to another interface which will need to be a bridge. The bridge will only need to have a real ethernet port associated with it if you want machines other than your VMs to have access to that subnet.
So if you looked at your interfaces on Dom0, you would have:
  eth0: a.b.c.d
  eth1 (Xen bridge attached to peth1): w.x.y.z/29
  Def route: a.b.e.f dev eth0

Personally, I would use the pciback-hide facility to pass the outside interface natively through to a VM on which you would run a 2 port firewall and NOT connect the Dom0 to the outside world at all. So Dom0 only has one bridge which carries the IP block, while a single DomU has one real interface (with the single public IP) and one virtual interface connected to the Xen bridge. On Dom0 you might only have eth0 (a xen bridge with peth0 attached) with say a 192.168.1.x address - it doesn't need to have a public IP. On DomU you'd have:
  eth0: a.b.c.d
  eth1 (Xen VIF): w.x.y.z/29
  Def route: a.b.e.f dev eth0

Obviously, the port numbers may be different.
In both cases you just need to enable IP forwarding and traffic will flow. However, securing the second setup is easier as you would have a more static collection of interfaces that makes the iptables config somewhat simpler.


If you want to do it with a single ethernet port, then it's quite simple.
Set up your Dom0 as a plain vanilla single interface machine with bridging. If you insist on giving Dom0 public IPs, then you will need to do something like this (you don't mention your distro, but the article is for Debian):

/etc/network/interfaces
  iface eth0 inet static
    address a.b.c.d
    netmask 255.255.0.0
    gateway a.b.e.f
    # bring the secondary block up on the same port once eth0 is up;
    # the /29 prefix length matches the w.x.y.z/29 block described above
    post-up ip addr add w.x.y.z/29 dev eth0
    pre-down ip addr delete w.x.y.z/29 dev eth0

This will simply add the second IP address when the interface comes up, and drop it before it goes down. If using Shorewall, you'd need to set "routeback" on the interface or packets aren't allowed to egress through the same physical port they came in on. I'm not sure if this means you would need to change rp_filter (/proc/sys/net/ipv4/conf/eth0/rp_filter).
http://lartc.org/howto/lartc.kernel.html

Note that the packets are still routed by Dom0 (or DomU if you set this up in a VM), the only difference is that you are using the same physical connection for both subnets.


PS - please use plain text so people don't have to spend time weeding out crap like "<http://www.debian-administration.org/articles/360>http://www.debian-administration.org/articles/360"; when they reply !

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
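The rp_filter question raised in the post, worked through as an added example (not from the thread): a small model of the kernel's reverse-path check applied to constructed routing tables for both layouts discussed, the single-port Dom0 and the two-port routed box. The addresses are RFC 5737 documentation ranges standing in for a.b.c.d and w.x.y.z/29.

```python
import ipaddress

# Constructed routing tables (documentation addresses, not the poster's).
# Single port: the provider subnet, the /29 for the VMs and the default
# route all sit on eth0 (the Xen bridge).
SINGLE_PORT_ROUTES = [
    ("203.0.0.0/16", "eth0"),      # provider subnet, netmask 255.255.0.0
    ("198.51.100.0/29", "eth0"),   # secondary /29 block used by the VMs
    ("0.0.0.0/0", "eth0"),         # default via the provider gateway
]
# Two ports: outside link on eth0, the /29 lives only on the eth1 bridge.
TWO_PORT_ROUTES = [
    ("203.0.0.0/16", "eth0"),
    ("198.51.100.0/29", "eth1"),
    ("0.0.0.0/0", "eth0"),
]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, device) pairs; None if no route."""
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (
                best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def rp_filter_verdict(routes, src, iif, mode):
    """Model of net.ipv4.conf.<iface>.rp_filter for a packet with source
    address `src` arriving on interface `iif`.
      0 = off, 1 = strict (reverse route must leave via iif), 2 = loose
    (any route to src is enough). Returns "accept" or "drop"."""
    if mode == 0:
        return "accept"
    reverse_dev = lookup(routes, src)
    if reverse_dev is None:
        return "drop"
    if mode == 2 or reverse_dev == iif:
        return "accept"
    return "drop"


if __name__ == "__main__":
    # VM traffic on the single-port box: reverse route is eth0, so strict passes.
    print(rp_filter_verdict(SINGLE_PORT_ROUTES, "198.51.100.3", "eth0", 1))
    # Two-port box: a /29 source showing up on the outside port is spoofed.
    print(rp_filter_verdict(TWO_PORT_ROUTES, "198.51.100.3", "eth0", 1))
```

In the single-port layout the VMs' source addresses route back out the same interface they arrived on, so strict rp_filter does not block them; the two-port layout additionally lets strict mode drop /29 sources arriving from outside and Internet sources arriving from the VM bridge, which is the static-interface advantage the post describes.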

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
