[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] How to setup Xen for 3 bridges environment?


  • To: "Fernando Maior" <fernando.souto.maior@xxxxxxxxx>, "Xen-users" <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Hong @ gmail" <whtsang22@xxxxxxxxx>
  • Date: Sat, 28 Jan 2006 00:16:33 +0800
  • Delivery-date: Fri, 27 Jan 2006 16:53:32 +0000
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:from:to:references:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=MDDGo52H23ZS7BeRcH2LiMGnkt92/GFXyOFwIruabjx3SOqVmG4RQ5R/7Gx42M7osvLKGuu46tCoxN/Lt+Dk23HAxVu9onP/MBuMfTOc/gBE7yyaT0cR5mr3sRjE8p7Hi+U2evXpO4ZX6nBoHFvmJcYSk70Z4wB5c4vFR6Yr0Jg=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi Fernando Maior,

Thanks for your information. I have a quick look on the Wiki document, but find that it is a bit different from my current setup.
In my setup, I create 3 bridges in dom0 and dom0 also act as the firewall.
Following is the summary of my configuration:

1) I by-pass the Xen bridge.
- comment out the '(network-script network-bridge)' and '(vif-script vif-bridge)' in 'xend-config.sxp'
  - comment out the 'handle_iptable' in vif-bridge.

2) Create my own 3 bridges as follows:
  #
  # xbrwan0 (Wan bridge)
  #
  ip link set eth0 down
  ip addr flush eth0
  brctl addbr xbrwan0
  brctl stp xbrwan0 off
  brctl setfd xbrwan0 0
  ip addr add 192.168.21.11/24 dev xbrwan0 brd +   (the xbrwan0 bridge ip)
  ip addr add 192.168.21.15/24 dev xbrwan0 brd +  (NAT ip to 192.168.22.15)
  ip addr add 192.168.21.16/24 dev xbrwan0 brd +  (NAT ip to 192.168.22.16)
  sleep 2
  brctl addif xbrwan0 eth0
  ifconfig eth0 0.0.0.0 up
  ip link set xbrwan0 up
  #
  # xbrdmz0 (Dmz bridge)
  #
  brctl addbr xbrdmz0
  brctl stp xbrdmz0 off
  brctl setfd xbrdmz0 0
ifconfig xbrdmz0 192.168.22.11 netmask 255.255.255.0 up (the Dmz bridge ip)
  #
  # xbrlan0 (Lan bridge)
  #
  brctl addbr xbrlan0
  brctl stp xbrlan0 off
  brctl setfd xbrlan0 0
ifconfig xbrlan0 192.168.23.11 netmask 255.255.255.0 up (the Lan bridge ip)

3) Start two domU with ip 15 and 16
  xm create domU01  (ip 192.168.21.15)
  xm create domU02  (ip 192.168.21.16)

4) Create the NAT tables.
  #
  iptables -X
  iptables -F
  iptables -X -t nat
  iptables -F -t nat
iptables -t nat -A PREROUTING -i xbrwan0 -d 192.168.21.15 -j DNAT --to 192.168.22.15 iptables -t nat -A POSTROUTING -o xbrwan0 -s 192.168.22.15 -j SNAT --to 192.168.21.15 iptables -t nat -A PREROUTING -i xbrwan0 -d 192.168.21.16 -j DNAT --to 192.168.22.16 iptables -t nat -A POSTROUTING -o xbrwan0 -s 192.168.22.16 -j SNAT --to 192.168.21.16
  sysctl -w net.ipv4.ip_forward=1

In above setup, I ssh from Pc in Wan to domU01 and domU02.
If I didn't create the Wan bridge, instead using the eth0, I can ssh from PC in Wan to domU01 and domU02.

=========================================================================
Following is the ifconfig and brctl show result.
[root@jssrv01 conf]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0D:0B:A7:2F:88
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:4710 errors:0 dropped:0 overruns:0 frame:0
         TX packets:4760 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:717399 (700.5 KiB)  TX bytes:469146 (458.1 KiB)
         Interrupt:5 Base address:0xe800

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:33 errors:0 dropped:0 overruns:0 frame:0
         TX packets:451 errors:0 dropped:22 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:2418 (2.3 KiB)  TX bytes:27310 (26.6 KiB)

vif2.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:53 errors:0 dropped:0 overruns:0 frame:0
         TX packets:434 errors:0 dropped:27 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:3740 (3.6 KiB)  TX bytes:25916 (25.3 KiB)

xbrdmz0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
         inet addr:192.168.22.11  Bcast:192.168.22.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:86 errors:0 dropped:0 overruns:0 frame:0
         TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:4954 (4.8 KiB)  TX bytes:2208 (2.1 KiB)

xbrlan0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
         inet addr:192.168.23.11  Bcast:192.168.23.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

xbrwan0   Link encap:Ethernet  HWaddr 00:0D:0B:A7:2F:88
         inet addr:192.168.21.11  Bcast:192.168.21.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:4709 errors:0 dropped:0 overruns:0 frame:0
         TX packets:4049 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:646686 (631.5 KiB)  TX bytes:416226 (406.4 KiB)

and brctl show result:
[root@jssrv01 conf]# brctl show
bridge name     bridge id               STP enabled     interfaces
xbrdmz0         8000.feffffffffff       no                     vif1.0
vif2.0
xbrlan0         8000.feffffffffff       no                     vif3.0
xbrwan0         8000.000d0ba72f88       no             eth0

Thanks


----- Original Message ----- From: "Fernando Maior" <fernando.souto.maior@xxxxxxxxx> To: "Hong @ gmail" <whtsang22@xxxxxxxxx>; "Xen-users" <xen-users@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, January 27, 2006 7:28 PM
Subject: Re: [Xen-users] How to setup Xen for 3 bridges environment?


Hong,

Did you have a look at Xen wiki documentation? You may
compare http://wiki.xensource.com/xenwiki/XenNetworkingSuse
to your experience and try something like that.

On 1/26/06, Hong @ gmail <whtsang22@xxxxxxxxx> wrote:

Hello,

I am new to Xen and is trying a confugration that simulates a firewall
environment.
My target environment is to setup three bridges: one for Wan (xen-br0), one
for DMZ (xbrdmz) and one for Lan (xbrlan)
The three subnet are as follows:
Wan: 192.168.21.0/24
Dmz: 192.168.22.0/24
Lan:   192.168.23.0/24

I use xen3.0 and FC4 for both dom0 and domU.
My machine currently has one Nic, eth0, and I ensalve it into the Wan bridge
xen-br0.

Dom0 has the IP address 192.168.21.11. I have two domU in DMZ with IP
192.168.22.15, 192.168.22.16).
I use NAT 192.168.21.15 -> 192.168.22.15 and 192.168.21.16 -> 192.168.22.16
so that the PC from Wan can access the PC.
Most of the things work fine. I can ping dom0 and the two domU and vice
versa. I can ssh from dom0 and domU and vice versa and I can ssh from PC on
Wan to dom0.
The only problem is that I cannot ssh from PC on Wan to domU.

I have tried another setup. If I don't use the Wan bridge ( xen-br0 ) and
just use the eth0 and the Dmz bridge (xbrdmz), everything works perfectly.
(I can ssh from PC on Wan to domU also).

However, I still want to have the Wan bridge cause I can add some domU in
Wan subnet (so that I can say, add some IDS domU to Wan bridge).
I have searched the mailing list and find a similar case is:
http://lists.xensource.com/archives/html/xen-users/2005-06/msg00669.html

I have tried the NOTRACK option but still can help in my case.

Just wonder anyone has setup similar environment?
Thanks alot.


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users




--
Bye,
Fernando Maior
LPIC/1(31908)
LinuxCounter(391325)

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.