Re: [Xen-users] Routed Network with Xen



Rakesh Chawda wrote:

Main Server IP: 1.1.1.5 (eg.)
Gateway for Main IP: 1.1.1.1
Additional IP: 1.1.2.1/28 (Different Subnet)
Gateway for additional IPs: not required, as they are "statically bound to MAC address --stated by DC"

The additional IPs to be used only on Dom0 to avoid different MAC addr. Hence, xen bridge network is out of question. I have added these IPs using alias adapters eth0:1, eth0:2, etc.

So, I am using xen routed network scripts, where virbr0 gets 192.168.122.1 IP, and becomes the gateway for the DomUs. The DomUs now have IPs in the range of 192.168.122.0/24.

OK, this setup isn't that dissimilar to one of my customer sites. In effect, your "gateway" has one IP address for its outside interface, and you have a subnet routed via that gateway. In your case, they'll have put some router in based on MAC address, in my case it's a PPP link (ADSL service).

I can think of two techniques you may wish to consider.


First off, take a look at http://shorewall.net/ProxyARP.htm - allow some time as I suspect you may struggle to get your head around it. Obviously this is written from the perspective of using Shorewall to set it all up, but the concepts should be portable.


Secondly (and I think, a lot easier), you should be able to do it very simply with a "two interface" setup. Configure your Dom0 with one ordinary interface connected to your ISP's service. This will have the IP 1.1.1.5 and is **NOT** connected to a bridge. Create a bridge, but do not add a physical NIC to it (unless you need other internal machines to have access). Give this an IP address of 1.1.2.1/28. Now give your DomUs IPs in the rest of the 1.1.2.0/28 subnet (i.e. 1.1.2.2 through 1.1.2.14), connect their VIF to the bridge defined in the step above, and have them use 1.1.2.1 as their default gateway.

With this setup, Dom0 acts as a router. Inbound packets will arrive on its external NIC, it will route them, and spit them out via the bridge - at which point the Xen networking code will pick up the packet and pass it to the DomU via its VIF. Similarly, outbound packets from the DomU will get stuffed into the bridge by the Xen network code, they will then be picked up by Dom0 and routed to the outside world. Note that for both inbound and outbound packets, one of the MAC addresses (Dest for inbound, source for outbound) will be that of the DomU physical NIC.


As a refinement, you can run either of these methods in its own DomU. Use PCI passthrough to pass the physical NIC through to the DomU as one NIC, and give it a VIF as a second NIC on your internal network (Dom0 bridge). You now have a neatly segregated virtual box that can act as router and firewall - without having to bother about iptables rules on Dom0. This is the setup I run at home.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
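The "two interface" setup from Simon's second suggestion, written out as an added shell example (this is not code from the thread, from Simon, or from the Xen project). It assumes the ISP-facing NIC is eth0 with a /24 on 1.1.1.5 (the post gives only the address), that the NIC-less bridge is called xenbr1, xl-style guest config syntax, and a DRY_RUN switch that prints the commands instead of running them. It goes one step beyond the post by adding a FORWARD policy so Dom0 only routes traffic that belongs to the 1.1.2.0/28 subnet, which also stops a DomU from sending packets with a spoofed source through the router.

```shell
#!/bin/sh
# Added example, not from the thread: Dom0 as the router between the ISP-facing
# NIC (1.1.1.5, gateway 1.1.1.1) and a NIC-less bridge carrying 1.1.2.0/28.
# Interface names, the /24 on the external side, the bridge name and the
# DRY_RUN switch are assumptions of this example.
set -eu

EXT_IF="${EXT_IF:-eth0}"        # physical NIC towards the ISP; deliberately NOT bridged
EXT_IP="${EXT_IP:-1.1.1.5/24}"  # the post gives only the address; /24 is assumed
EXT_GW="${EXT_GW:-1.1.1.1}"
BR_IF="${BR_IF:-xenbr1}"        # bridge with no physical NIC; DomU VIFs attach here
BR_IP="${BR_IP:-1.1.2.1/28}"    # Dom0 side of the routed /28 = default gateway for DomUs
SUBNET="${SUBNET:-1.1.2.0/28}"  # the routed subnet itself
DRY_RUN="${DRY_RUN:-1}"         # 1 = only print the commands; 0 = run them (root required)

# Print a command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Usable DomU addresses in the /28: .0 is the network, .1 is Dom0, .15 is
# broadcast, so host ids 2..14 remain (13 guests).
domu_hosts() {
  prefix=$1            # first three octets, e.g. 1.1.2
  i=2
  while [ "$i" -le 14 ]; do
    printf '%s.%s\n' "$prefix" "$i"
    i=$((i + 1))
  done
}

# One-time Dom0 configuration: external NIC, NIC-less bridge, IP forwarding,
# and a FORWARD policy that only passes traffic belonging to the routed /28.
setup_dom0_router() {
  run ip addr add "$EXT_IP" dev "$EXT_IF"
  run ip link set "$EXT_IF" up
  run ip route add default via "$EXT_GW" dev "$EXT_IF"
  run ip link add name "$BR_IF" type bridge
  run ip addr add "$BR_IP" dev "$BR_IF"
  run ip link set "$BR_IF" up
  run sysctl -w net.ipv4.ip_forward=1
  # Default deny, then only the routed subnet in each direction: a guest
  # sourcing packets from an address outside the /28 is dropped here.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$BR_IF" -o "$EXT_IF" -s "$SUBNET" -j ACCEPT
  run iptables -A FORWARD -i "$EXT_IF" -o "$BR_IF" -d "$SUBNET" -j ACCEPT
}

# Guest config fragment (xl syntax): attach the VIF to the internal bridge.
# Inside the guest, set its 1.1.2.x address statically with 1.1.2.1 as gateway.
domu_vif_line() {
  mac=$1   # constructed example MAC; 00:16:3e is the Xen OUI
  printf "vif = [ 'bridge=%s,mac=%s' ]\n" "$BR_IF" "$mac"
}

# Stand-alone: print the plan, or apply it with --apply as root.
if [ "${1:-}" = "--apply" ]; then
  DRY_RUN=0
fi
setup_dom0_router
domu_vif_line 00:16:3e:00:00:02
domu_hosts 1.1.2
```

Run it without arguments first to review the commands it would issue, then as root with --apply. The ip/iptables commands are not persistent, so once they work, move them into whatever your distribution uses for network configuration; the virbr0/192.168.122.0/24 setup from the original routed scripts is no longer needed, since the DomUs now sit directly on the routed public /28 behind xenbr1.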