
Re: [Xen-users] advanced bridging...



Ok, so for clarity: do I create this bridge in the domU (FW), and then dom0 will know that all internet traffic hitting peth0 from my ISP is to be routed to the domU FW, and it's there I need to set up NAT and dhcpd etc.?

thanks

Ronan
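As an added example (not from the thread, and not Marc's or Ronan's code), here is a minimal routed NAT firewall for the domU Ronan describes: eth0 on the ISP side, eth1 serving the private 192.168 network with dhcpd and a caching resolver. It assumes iptables with the state match, the interface names eth0/eth1, and the private network 192.168.92.0/27 taken from the /etc/network/interfaces stanza later in the thread; the function names (fw_apply, fw_count_target, ...) are mine. It treats eth0 and eth1 as routed interfaces rather than as ports of one bridge, since NAT happens at layer 3 and frames switched across a bridge are only seen by iptables when bridge-nf-call-iptables is enabled. Setting DRY_RUN=1 prints the commands instead of running them, which is how the rule set can be reviewed before it touches a live domU.

```shell
#!/bin/sh
# Added example: routed NAT firewall for a Xen domU with a WAN and a LAN leg.
# Not code from the thread; names and the LAN prefix are assumptions.
# Usage:  DRY_RUN=1 sh firewall.sh apply   (print the rules)
#         sh firewall.sh apply             (install them, as root)

WAN=${WAN:-eth0}                     # ISP-facing interface (assumed)
LAN=${LAN:-eth1}                     # private-side interface (assumed)
LANNET=${LANNET:-192.168.92.0/27}    # private prefix from the interfaces stanza
IPTABLES=${IPTABLES:-/sbin/iptables}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

fw_flush() {
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -X
}

# Default deny for traffic to and through the firewall; only the
# firewall's own outbound traffic is open by default.
fw_policy() {
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
}

# Services the firewall itself offers, reachable from the LAN only:
# DHCP (67/udp), DNS (53/udp+tcp) and SSH for administration.
fw_input() {
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 53 -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
}

# Forwarding: private hosts may initiate outbound connections; the
# ISP side only gets replies. The anti-spoofing rule comes first so a
# packet claiming a private source can never match the state rule.
fw_forward() {
    run "$IPTABLES" -A FORWARD -i "$WAN" -s "$LANNET" -j DROP
    run "$IPTABLES" -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Masquerade the private network behind whatever address eth0 holds.
fw_nat() {
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE
}

fw_sysctl() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

fw_apply() {
    fw_flush; fw_policy; fw_input; fw_forward; fw_nat; fw_sysctl
}

# Dry-run helper: how many emitted rules jump to the given target.
fw_count_target() {
    ( DRY_RUN=1; fw_apply ) | grep -c -- "-j $1"
}

case "${1:-}" in
    apply) fw_apply ;;
esac
```

The policy is deny-by-default on INPUT and FORWARD, so anything the thread's ACCEPT-everything script let through has to be listed explicitly here; fw_count_target is only a review aid for the dry-run output, not part of the rule set.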
Sorry, I made a mistake. To create the bridge:

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ifconfig br0 up

after this, you can verify it:

# brctl show

Marc Patino Gómez wrote:
Hi,


Ronan wrote:
ok i now have a domu with 2 (apparent)ethernet interfaces, which is a
good start.
Great!! You can make a bridge with these interfaces; in the Debian way you can put something like this in /etc/network/interfaces:

auto br0
iface br0 inet static
       address 192.168.92.3
       netmask 255.255.255.224
       gateway 192.168.92.1
       bridge_ports eth0 eth1
       bridge_maxwait 0

see the CentOS howto on making a bridge, or make it manually with "brctl":

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth0
# ifconfig br0 up


How do I now get all ethernet frames to be passed to eth0 on my firewall domU?

Bridge br0 (on the domU FW) will solve it.
I then will be setting the firewall up with a caching DNS, NAT, and dhcp on its eth1 to serve all the rest of my domUs using private 192.168.

Question though: how should I configure an IP for use by dom0?
I don't understand what you want :(

Thanks
R

Regards,

Marc

Marc Patino Gómez wrote:
Hi again,

this is the config of Xen in my Debian Etch:

/etc/xen/xend-config

(network-script network-bridge-wrapper)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)
(vncpasswd '')
---------------------------------------------------------------------------

/etc/xen/scripts/network-bridge-wrapper

/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up
----------------------------------------------------------------------------

the domu (Firewall)

/etc/xen/firewall-config.sxp


name="firewall"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=256
disk=['file:/xen1/firewall.img,hda1,w']

vif=[ 'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0','mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="firewall.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'
-------------------------------------------------------------------------------

in this domU (the firewall) I have a bridge between eth1 and eth0; you can do it the CentOS way (inside the domain) ;)


here is the config file of a domu behind the FW:

/etc/xen/domu-config.sxp
name="domu"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=92
disk=['file:/xen1/domu.img,hda1,w']

vif=[ 'bridge=xenbrFW , vifname=domu.eth0' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="domu.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'
----------------------------------------------------------------------------------------------------


In the domU (firewall) I have the following iptables config:
#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start

iptables=/sbin/iptables

$iptables -F

$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

# Logs
#$iptables -A INPUT -j LOG   --log-prefix="IPTABLES-INPUT: "
#$iptables -A OUTPUT -j LOG  --log-prefix="IPTABLES-OUTPUT: "
#$iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "

$iptables -A INPUT -i lo -j ACCEPT

# Traffic control
tc qdisc del dev eth0 parent root
tc qdisc add dev eth0 parent root handle 1:0 htb default 40
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 2mbit
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5mbit

tc qdisc del dev eth1 parent root
tc qdisc add dev eth1 parent root handle 2:0 htb default 40
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 512kbit
tc class add dev eth1 parent 2:1 classid 2:20 htb rate 1mbit
tc class add dev eth1 parent 2:1 classid 2:30 htb rate 2mbit
tc class add dev eth1 parent 2:1 classid 2:40 htb rate 5mbit

$iptables -t mangle -A POSTROUTING -d XX.XX.XX.XX -j CLASSIFY --set-class 2:20
$iptables -t mangle -A POSTROUTING -s XX.XX.XX.XX -j CLASSIFY --set-class 1:20


Substitute XX.XX.XX.XX with your IPs ;)

There is an issue with the traffic control in one direction: the rate is multiplied by 2, I don't know the reason :(. I have tested this tc config on another box without Xen and it works great.

Don't forget to do this:

echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables

see the post "iptables and state matches (established, related)" on this mailing list. You can put it in your sysctl.conf.

So... that's all (I hope :) ). If you need anything else.... tell me.

Regards,

Marc


Ronan wrote:
Marc
that's exactly what I require...
any of your config would be really helpful!

many thanks in advance!

Ronan
Hi Ronan,

do you want to do something like this (see the image)?

After reading a lot of stuff I made a wrapper for network-bridge, which I call network-bridge-wrapper; here it is:

#!/bin/sh
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up

I changed the line in xend-config.sxp that calls network-bridge to call network-bridge-wrapper instead...

If you want I can post more info about this config (my domU config files, iptables, ebtables....). I'm using Debian, so... I hope the scripts in CentOS are close to Debian's.

Regards,

Marc


Ronan wrote:
My situation:
Running CentOS 5 on a machine directly connected to the internet.
I have a paravirtualised CentOS 5 core machine in domU1 with only 1 eth configured, eth0 by DHCP.

What I want:
to configure the dom0 bridge to simply route all traffic at ethernet level to dom1 (firewall/router) and have dom1 then NAT it out to my other domUs and machines on my private 192.168 network using dhcpd configured on eth1 on that machine.

My difficulties:
setting up the dom0 bridging to do what I want, i.e. xenbr0 to eth0 on domU1 and then xenbr1 to eth1 on domU1

I then intend to remove / lock dom0 down and only use the domUs as DHCP-configured servers.

There are a couple of URLs I've looked at
http://lists.xensource.com/archives/html/xen-users/2006-02/msg00602.html

etc., but there isn't any specific configuration information.
Can I get some pointers as to where to look, or even example configs?

thanks

Ronan

(ps if this is the 3rd such message of mine today I apologise, I can't tell if the other two messages I sent actually did...)


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users



--
Regards

Ronan McGlue

===================
Analyst / Programmer
Queens University Belfast

