[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] firewall in domU

Tamás Pisch wrote:

I use Xen on two Debian server now. On one, I'm going to install a router/firewall in a domU (dedicated for this task). It seems, the best would be to hide the wan interface from dom0 with pci passthrough. Unfortunately, the two servers aren't identical. The older doesn't have vt-d support, ...

It works without vt-d (or iommu).

On my old amd-64 box I bott it with :
title Xen 3.2-1-amd64 / Debian 2.6.26-bpo.2-xen-amd64 - Ext Eth & DVB tuner hidden
root            (hd0,0)
kernel          /xen-3.2-1-amd64.gz dom0_mem=512M
module /vmlinuz-2.6.26-bpo.2-xen-amd64 root=/dev/sda3 ro console=tty0 pciback.hide=(01:07.0)(01:06.0)
module          /initrd.img-2.6.26-bpo.2-xen-amd64

Then in my firewall DomU I have :
in the config file.

That's all from Debian. Dom0 has Etch with xen 3.2.1, and as you can see above, kernel 2.6.26-xen from Backports. DomU is Squeeze running 2.6.26-xen from the standard repositories. DomU used to be an older version - I upgraded it recently for some IPv6 stuff I have been playing with.

I did try Squeeze & 2.6.32 on a new AMD-64 box (an HP Microserver) and the same setup worked, but I had some performance issues with MythTV as a guest and the tuner didn't seem to want to work with more than 4G RAM in the machine and a Xen kernel (works fine with 8G and a non-Xen kernel). Since I could get another Microserver for £140 after cashback, I decided to give MythTV it's own box and get a second for everything else.

In later versions, pciback.hide is now xen-pciback.hide. In my DomU I needed iommu=soft but not swiotlb=force.

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.