Re: [Xen-users] NAT and networks of domUs

> > 1.) Can somebody confirm that the above is true? If yes, I would suggest
> > adding that diagram to the existing Xen docs.
> Maybe the diagram is correct for the xenoserver project, but it's not
> for xen-{2|unstable}. Virtual interfaces (pp* in the diagram, vif* on my
> host) and eth0 appear in dom0. I do not know what the "virtual firewall
> router" in the middle shall be if not dom0 (which is below).

It's a Xen 1.x-era diagram.  If you imagine the whole Virtual Firewall Router 
box being inside dom0 *as well* (i.e. Xen doesn't really have anything to do 
with the network) then that's pretty close to what Xen 2.0 and above looks 

It'd be nice to have more figures for the documentation - it'd help make 
things clearer.  Nobody has got around to doing it yet, but any contributions 
would be very welcome!


> > 2.) Has somebody on the list a working configuration with domUs on a
> > private network, which is/are NATted to the internet via a public IP in
> > dom0?
> I did this with vmware and UML which is quite similar. Should be easy.
> > When I
> > tried to assemble an iptables configuration for this setup, iptables
> > seemed not to recognize Xen's vif-interfaces.
> Maybe you still let xend setup bridging eth0? It's possible to do this
> with bridging (then use iptables with "--physdev-{in|out}" instead of "-
> i" and "-o"), but you probably want to do it with _routing_. That means
> you may bridge all the virtual VM-devices together, but _not_ eth0. Try
> this:
>   * Shut down all domUs, stop xend
>   * Set up an empty bridge-device with private ip using your distro
>     sysconfig or by hand:
>       brctl addbr mybr0
>       ip addr add dev mybr0
>       ip link set mybr0 up
>   * Configure xend (/etc/xen/xend-config.sxp) for not setting up
>     xen-br0 on startup, but nevertheless adding virtual interfaces
>     to your bridge:
>       (network-script     network-route)
>       (vif-script         vif-bridge)
>       (vif-bridge         mybr0)
>   * start xend, boot your VMs, tell them to use IPs in,
>     default gw being Now all doms should be able to ping
>     each other within
>   * in dom0:
>       sysctl -w net.ipv4.ip_forward=1  # (if not already done by xend)
>       iptables -t nat -A POSTROUTING -j MASQUERADE \
>         -o eth0 -s
> What have I forgotten?
> > Which Xen version/flavour is
> > necessary to get such a setup up and running?
> All you find on the xen download page.
> /nils.
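The routed-bridge plus MASQUERADE setup from Nils' steps, scripted as an added example (not from the original post or the Xen project). The bridge name, the private subnet, dom0's bridge address and the WAN interface are constructed placeholders; it goes one step beyond the post by locking the FORWARD chain down so only domU-originated traffic and its replies are forwarded, and it has a dry-run mode that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: routed (not bridged) domU network NATed through dom0.
BR="${BR:-mybr0}"                 # bridge holding only the vif* devices, never eth0
SUBNET="${SUBNET:-10.0.0.0/24}"   # constructed private range for the domUs
DOM0_IP="${DOM0_IP:-10.0.0.1/24}" # dom0's address on the bridge = domU default gw
WAN="${WAN:-eth0}"                # dom0's public-facing interface

# run: execute a command, or only print it when DRY_RUN is set, so the
# planned rule set can be reviewed without root or the Xen tools present.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# xend_config: the xend-config.sxp fragment from the post (vifs go on $BR,
# xend leaves eth0 alone because the network script is network-route).
xend_config() {
    printf '(network-script     network-route)\n'
    printf '(vif-script         vif-bridge)\n'
    printf '(vif-bridge         %s)\n' "$BR"
}

# setup_bridge: empty bridge with a private address, brought up in dom0.
setup_bridge() {
    run brctl addbr "$BR"
    run ip addr add "$DOM0_IP" dev "$BR"
    run ip link set "$BR" up
}

# setup_nat: forwarding on, masquerade the domU subnet out of $WAN, and a
# default-DROP FORWARD chain so dom0 does not become an open router.
setup_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$SUBNET" -j MASQUERADE
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$BR" -o "$WAN" -s "$SUBNET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$BR" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# plan: print every command the setup would run (subshell keeps DRY_RUN local).
plan() ( DRY_RUN=1; setup_bridge; setup_nat )

case "${1:-plan}" in
    apply) setup_bridge; setup_nat ;;   # needs root in dom0
    *)     plan ;;
esac
```

Run it with no argument to review the commands, and with `apply` as root in dom0 once xend has been stopped and the sxp fragment installed.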
