
Re: [Xen-users] Should VMs' IP addresses be on the same subnet as the Dom0 and other boxes on our LAN?



gregk.xen@xxxxxxxxxxxxx wrote:

> I've one question about assigning VM's IP addresses.  Basically, what
> _should_ I do about assigning VM IP addresses?

Short answer - whatever is right for *your* network!
Xen just doesn't care, and it doesn't impose any restrictions. Think of the bridge in Dom0 as "just another switch" and you're near enough there.

> What I have right now is pretty basic.
>
> Internet
>   |
>   |
>   |  X.X.X.X/29
> Firewall+Router: 10.0.0.1
>   |  10.0.0.1/24
>   |
>   |
> Ethernet Switch
>   |
>   |---- my Desktop: eth0:10.0.0.2
>   |
>   |---- Server Dom0: eth0:10.0.0.3
>              |
>              |---- VM#1 (Mail Server): bridge:10.0.0.4
>
> Mail sent from the outside to my network gets a NAT redirect to the Mail
> Server @ 10.0.0.4.
>
> Works great.

Yes, I'd expect it to. Most of us running home servers will have something similar.

> My question is:
>
> For security, or performance, or general Xen, reasons, should I change
> that "VM#1 (Mail Server)" IP address to a different subnet, like
> 10.100.0.1/24?  And do some sort of routing somewhere?

Well, there is an argument for not running public servers on the same network as your internal stuff - so that should someone compromise your public-facing server, they still have another layer of security before they can get to your LAN. On the other hand, lots and lots of people (including myself) have a setup just like yours.

> Instead of having mail traffic pass 'through' the Dom0 to the VM,
> is it better to have a second, real Ethernet card assigned to the VM,
> and do this instead:
>
> Internet
>   |
>   |
>   |  X.X.X.X/29
> Firewall+Router: eth0: 10.0.0.1, 10.100.0.1
>   |  10.0.0.1/24, 10.100.0.1/24
>   |
> Ethernet Switch
>   |
>   |-------------------------------------------------------------|
>   |                                                             |
>   |                                                             |
>   |---- my Desktop: eth0:10.0.0.2                               |
>   |                                                             |
>   |---- Server Dom0: eth0:10.0.0.3                              |
>              |                                                  |
>              |---- VM#1 (Mail Server): bridge:10.0.0.4          |
>                               |                                 |
>                               |----: 'real' eth1:10.100.0.4 ----|

Unless your hardware has hardware IO Emulation then I don't think this would help at all - Dom0 still has to route the packets, just at the PCI emulation level instead of layer 2 network. Or that's my understanding anyway.

But I wouldn't bother - your mail server isn't going to be running up huge loads in Dom0. I've got servers running much larger IO loads and it's not an issue for me. For completeness though, it is true that Dom0 can be a bottleneck for network IO as I believe (from comments posted here) the packet handling code is single threaded. Unless your internet connection is rated in gigabits *and* you use it, then it's not going to be an issue for your mail server!

Now, given that you have 5 public IPs available, I'd be tempted to do something different for different reasons. This is just one of those "this is my preference things" - it's very subjective and a matter of preference.

I'd make a separate switch for your X.X.X.X/29 subnet and put my public facing servers there - no NAT to f**k up stuff. Yes, I have this thing about NAT, and especially about people who think it's the best thing since sliced bread - NAT == broken. It does depend on how your internet, and the IPs, are provided. On our ADSL lines we use PPPoA and with the right modem can use PPPoE at our end - or as I've got, PPPoEoA! Typically one of the public IPs is used for our end of the PPP link and "it just works" to use that same address on the ethernet side. If your internet is provided as an ethernet connection, then proxy ARP might be required.

So you'd still use NAT from your LAN to the internet, but your servers would be on public IPs in a DMZ.


Or, you can just use the public IPs as the mapped address for NAT and it still works for most stuff (mail included).


NB - At home the block you have labelled as Firewall+Router is a guest on my Xen host. I used to have a separate physical NIC given over to this with PCI passthrough, but at the moment I'm using a single NIC as my new box is very light on slots and I'm using PPPoE which means the modem itself can be on the LAN. At some point I'll probably pick myself up a small switch that can do VLANs and split them out again.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
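As an added example (not from the thread or from the Xen project), here is what the "separate network for the public-facing server" option above looks like in Dom0: a second bridge for the DMZ subnet the original poster suggested (10.100.0.0/24), the one-line change that moves VM#1 onto it, and an nftables ruleset so a compromised mail VM cannot initiate connections into the 10.0.0.0/24 LAN. The bridge names xenbr0/xenbr-dmz, the WAN interface name ppp0 and the mail VM address 10.100.0.4 are assumptions; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Assumes the firewall/router
# role runs on the Xen host, the LAN bridge is xenbr0 (10.0.0.0/24), the WAN
# interface is ppp0, and VM#1 will live at 10.100.0.4 on a new DMZ bridge.
LAN_NET=10.0.0.0/24
DMZ_NET=10.100.0.0/24
DMZ_GW=10.100.0.1/24
MAIL_VM=10.100.0.4        # constructed address for VM#1 on the DMZ bridge
WAN_IF=ppp0               # assumed WAN interface name

# Commands that create the DMZ bridge; Dom0 owns the gateway address on it.
dmz_bridge_cmds() {
  cat <<EOF
ip link add xenbr-dmz type bridge
ip link set xenbr-dmz up
ip addr add $DMZ_GW dev xenbr-dmz
EOF
}

# The only guest-config change needed: attach VM#1's vif to the DMZ bridge
# instead of the LAN bridge (Dom0's bridge is "just another switch").
vif_line() { printf "vif = [ 'bridge=xenbr-dmz,ip=%s' ]\n" "$MAIL_VM"; }

# Forwarding policy: LAN may reach the DMZ, the DMZ may never initiate to the
# LAN, the DMZ may reach the internet, and only SMTP is forwarded in from the
# WAN to the mail VM (the DNAT the original poster already relies on).
dmz_ruleset() {
  cat <<EOF
table inet dmz {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr $LAN_NET ip daddr $DMZ_NET accept
    ip saddr $DMZ_NET ip daddr $LAN_NET drop
    ip saddr $DMZ_NET oifname "$WAN_IF" accept
    iifname "$WAN_IF" ip daddr $MAIL_VM tcp dport 25 accept
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$WAN_IF" tcp dport 25 dnat ip to $MAIL_VM
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  dmz_bridge_cmds | sh && dmz_ruleset | nft -f -   # needs root in Dom0
else
  dmz_bridge_cmds; vif_line; dmz_ruleset           # dry run: print only
fi
```

The LAN-to-DMZ accept line is deliberately broader than the DMZ-to-LAN drop; tighten it to the ports you actually need (25/143 from the desktop, say) once the layout works.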

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users