[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Re: Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Mike Fröhner <mikefroehner@xxxxxx>
Date: Mon, 20 Dec 2010 17:10:23 +0100
Delivery-date: Mon, 20 Dec 2010 08:12:17 -0800
List-id: Xen user discussion <xen-users.lists.xensource.com>

Am 20.12.2010 15:55, schrieb Jean Baptiste FAVRE:

Le 20/12/2010 15:47, Mike Fröhner a écrit :

Am 20.12.2010 15:08, schrieb Jean Baptiste FAVRE:

Hello,
I thinking about using PCI passthrough to dedicated a domU as firewall.

I understand PCI passthrough concept. When done, my domU will see
network card and the dom0 won't any more. So I'll be able to filter all
trafic from outside, since it will go through network domU.

Then, how will I be able to connect other domU (and maybe dom0) to the
network domU ?

In a normal way, creating domU makes dom0 creating vif interfaces and
bridge (in my configuration) it. But once netowkr will be isolated in a
specific domU, dom0 won't be able to interact with it, will it ?


How many network cards do you have in this computer? I think you'll need
minimal 2 nics. One for dom0 and domU (vif) to communicate and one for
PCI passthrough. As you understood right, dom0 won't see the PCI
passthrought nic.


Any link/help/explanation appreciated.

Regards,
JB


Hello,

For now, I have 2 nics within a bond interface.
What I would like to achieve is to have a dedicated domU acting as
firewall for all other domU like in Qubes-os project
(http://qubes-os.org/Home.html).
That means, I want to passthrough both nics to one domU called "netDomU"
and connect all "regular" domU networks to "netDomU".

But since dom0 won't see any network card, how can I create vif interfaces ?


If I understood right u want to simulate an office with different appVMs?

I think I got a solution for you:

The vif doesn't need a bridge from a real nic. You could also use abridge on the lo-device for domU vifs.

There would be just one Problem. The dom0 wont be directly accessiblebecause it does not have an ip address. Perhaps it is possible to createanother bridge for communication to the firewall (if it is a router).


This is really crazy stuff :)

Regards,
Mike


Regards,
JB




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- Re: [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Jean Baptiste FAVRE

References:
- [Xen-users] Network isolation - PCI passthrough question
  - From: Jean Baptiste FAVRE
- [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Mike Fröhner
- Re: [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Jean Baptiste FAVRE

Prev by Date: Re: [Xen-users] Re: Network isolation - PCI passthrough question
Next by Date: Re: [Xen-users] Re: Network isolation - PCI passthrough question
Previous by thread: Re: [Xen-users] Re: Network isolation - PCI passthrough question
Next by thread: Re: [Xen-users] Re: Network isolation - PCI passthrough question
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.