
Re: [Xen-users] Networking trouble with routed /29



On Wed, Mar 14, 2007 at 11:08:49PM -0400, Russell Horn wrote:
> 
> My dom0 is connected to the outside world via eth1
> 
> I have a distinct /29 allocated to me which is routed to my eth1 IP
> xxx.yyy.82.76
> 
<snip/>
> I have set up a dummy0 interface as follows:
>
>        inet addr:xxx.yyy.93.105  Bcast:xxx.yyy.93.111 Mask:255.255.255.248
>


Hi Russell

The following is a configuration that should work on Debian Etch (and
probably on Sarge, and on Ubuntu also). If you're running some other
distro you might like to read through this stuff anyway and see if you
can adapt it to your needs. The key is that your distribution should
support the creation of bridges in their network startup scripts. You
don't even actually need to use their startup scripts as you can just
create a bridge yourself using "brctl addbr xbr0". Anyway, read on and
see what you think.

To make this simple for people who find this in the future, we will
assume that your hosting provider gave you the block 10.0.0.0 with a
netmask of 255.255.255.248 - in other words, they gave you 10.0.0.0/29. 
We'll also assume that the external ip that they gave you was 
172.16.82.76/24 with a gateway of 172.16.82.1 - but these external 
addresses don't matter for our purposes, they're just for illustration.

First you set up /etc/network/interfaces to create an anonymous bridge
(ie a bridge that doesn't presently have anything attached to it). We'll
call our bridge xbr0. Your interfaces config file should look like:

    # /etc/network/interfaces

    auto lo
    iface lo inet loopback

    # no config for eth0 yet

    auto eth1
    iface eth1 inet static 
        address 172.16.82.76
        netmask 255.255.255.0
        gateway 172.16.82.1

    auto xbr0
    iface xbr0 inet manual
        bridge_ports none
        up ip addr add 10.0.0.1/29 dev ${IFACE}

Now bring up the bridge by doing "ifup xbr0" and check the output 
of ifconfig to see that it's UP.

Okay, since we'll be routing you'll need to set up your Dom0 to 
forward traffic. Do this by:

    echo 1 > /proc/sys/net/ipv4/ip_forward

To make this setting permanent across reboots, edit /etc/sysctl.conf 
and make sure it contains:

    # same switch as /proc/sys/net/ipv4/ip_forward above
    net.ipv4.ip_forward=1

Now change your /etc/xen/xend-config.sxp to look like:

    (network-script network-dummy)
    (vif-script vif-bridge)

No, this isn't a typo! :-) For those of you from non-Debian distros,
the network-dummy script does nothing, it just contains "exit 0".

You don't need anything special in your domain configuration files, the
following is fine:

    vif = [ '' ]

Okay, let's just check the state of the bridge before we start any
DomUs. You should see something like:

    $ brctl show
    bridge name     bridge id               STP enabled     interfaces
    xbr0            8000.000000000000       no

Notice the way it has no interfaces at the moment. Let's start a domain
and then look at the bridge again:

    # xm create yabba.cfg
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    xbr0            8000.feffffffffff       no              vif1.0

Now configure your DomU as you normally would, eg:
  
    ifconfig eth0 10.0.0.2 netmask 255.255.255.248

Then try and ping it, etc. If traffic isn't getting through, check the
firewall on Dom0. You're mostly interested in the FORWARD chain, and you
can watch it in real time to see if it's dropping packets using:

    # watch iptables -vnL

    or for just the FORWARD chain

    # watch iptables -vnL FORWARD

So, in summary, the xen vif-bridge script will add your DomU interfaces
to a bridge that *you* configured if such a bridge exists. Also, you
don't need a dummy interface because you have given an address to the
bridge itself.

Personally, I don't use a configuration like this because there are more
secure alternatives. The downside to this configuration from a security
point of view is that the DomU decides what address it wants to have.
This allows for spoofing of addresses on your bridge. However, the
main alternative is to use pure routing and this can be much more
complicated to set up - assuming you want your DomUs to be able to talk
to one another. I'm just a bit of a control freak, that's all.

Let us know how you get on. Also, if you run into difficulties just
shout as I may have overlooked a step here.

jez

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
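Jez's closing caveat is the security point of the thread: with vif-bridge and an address-less DomU config, the guest picks its own address and can spoof any other address on xbr0. Below is an added example that is not part of the original post and is not Xen's own vif-bridge script (the Xen scripts of that era do something similar when you put `ip=` on the vif line, keyed on that option). It pins each vif to the one address Dom0 handed out, using a dedicated iptables chain so the rest of the Dom0 FORWARD chain is untouched. Assumptions: the vif names (vif1.0, vif2.0) and addresses (10.0.0.2, 10.0.0.3) are the ones from the post, it runs as root on Dom0, and `IPT=echo` previews the rules instead of applying them.

```shell
#!/bin/sh
# Added example: per-vif source-address filtering for the xbr0 layout above.
# Not code from the original post or from Xen's vif scripts.
# Assumptions: vif names and 10.0.0.0/29 addresses as in the post; run as
# root on Dom0; IPT=echo prints the iptables invocations instead of running them.

IPT="${IPT:-iptables}"
CHAIN="XEN_ANTISPOOF"   # our own chain, hooked at the top of FORWARD

# Emit the rules for one vif, one per line, without applying them.
# --physdev-in matches a packet that entered through that bridge port whether
# it is then bridged to another DomU on xbr0 or routed out through eth1.
# A packet with the assigned source RETURNs to FORWARD for normal policy;
# anything else from that vif is dropped, so the guest cannot borrow a
# neighbour's or Dom0's address.
antispoof_rules() {
    vif="$1"
    ip="$2"
    printf '%s\n' \
        "-A $CHAIN -m physdev --physdev-in $vif -s $ip -j RETURN" \
        "-A $CHAIN -m physdev --physdev-in $vif -j DROP"
}

# Number of rules generated for one vif/ip pair (sanity check for callers).
antispoof_rule_count() {
    antispoof_rules "$1" "$2" | wc -l | tr -d ' '
}

# Create (or reset) the chain and make it the first thing FORWARD consults.
# Safe to rerun: -N fails harmlessly if the chain exists, and -F empties it.
antispoof_init() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD 1 -j "$CHAIN"
}

# Apply the rules for one vif/ip pair through $IPT.
antispoof_apply() {
    antispoof_rules "$1" "$2" | while read -r rule; do
        # word-splitting of $rule into iptables arguments is intended
        $IPT $rule
    done
}

# Usage: map each vif to the address Dom0 assigned in the domain config.
#   sh antispoof.sh apply          (assumed script name)
#   IPT=echo sh antispoof.sh apply (preview only)
if [ "${1:-}" = "apply" ]; then
    antispoof_init
    antispoof_apply vif1.0 10.0.0.2
    antispoof_apply vif2.0 10.0.0.3
fi
```

Two caveats a practitioner would want. First, DomU-to-DomU traffic that stays on xbr0 only passes through the FORWARD chain when the bridge-netfilter hook is enabled (net.bridge.bridge-nf-call-iptables=1); routed traffic towards eth1 is always filtered. Second, iptables only sees IP: a guest can still answer ARP for a neighbour's address and hijack its traffic inside the bridge, which needs ebtables or arptables rules on the same vifs to stop. The `watch iptables -vnL FORWARD` check from the post works unchanged; drops now show up in the XEN_ANTISPOOF chain (`watch iptables -vnL XEN_ANTISPOOF`).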