[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Routed Network with Xen

OK, this setup isn't that dissimilar to one of my customer sites. In effect, your "gateway" has one IP address for it's outside interface, and you have a subnet routed via that gateway. In your case, they'll have put some router in based on MAC address, in my case it's a PPP link (ADSL service).

I can think of two techniques you may wish to consider.


First off, take a look at http://shorewall.net/ProxyARP.htm - allow some time as I suspect you may struggle to get your head around it. Obviously this is written from the perspective of using Shorewall to set it all up, but the concepts should be portable.


Secondly (and I think, a lot easier), you should be able to do it very simply with a "two interface" setup.
Configure your Dom0 with one ordinary interface connected to your ISP's service. This will have the IP 1.1.1.5 and it **NOT** connected to a bridge.
Create a bridge, but do not add a physical NIC to it (unless you need other internal machines to have access). Give this an IP address of 1.1.2.1/28.
Now give your DomUs IPs in the rest of the 1.1.2.0/28 subnet (ie 1.1.2.2 through 1.1.2.14), connect their VIF to the bridge defined in the step above, and have them use 1.1.2.1 as their default gateway.

With this setup, Dom0 acts as a router. Inbound packets will arrive on it's external NIC, it will route them, and spit them out via the bridge - at which point the Xen networking code will pick up the packet and pass it to the DomU via it's VIF.
Similarly, outbound packets from the DomU will get stuffed into the bridge by the Xen network code, they will then be picked up by Dom0 and routed to the outside world.
Note that for both inbound and outbound packets, one of the MAC addresses (Dest for inbound, source for outbound) will be that of the DomU physical NIC.

What you are suggesting is routed network, but without NAT. I am using it currently, as there is virbr0 (created by Xen vif-route scripts), but the additional IPs are bound on Dom0, and not DomU.

The output of brctl show
------------------------
virbr0     Â8000.feffffffffff    yes       vif8.0
                            vif7.0
                            vif6.0
                            vif5.0
                            vif4.0
                            vif3.0
                            vif2.0
                            vif1.0
------------------------
Also, you suggested binding the additional IPs to DomUs, which I had tried, but the DomUs never gotÂconnectedÂto the internet, as they did not find any gateway. The DC suggests binding the IPs straight away on the parent node, and they will get the gateway automatically due to their statically bound nature. Refer this link, as I feelÂI may be missing something from the it.Â


I think there is some confusion regarding the gateway, as the setup seems to be getting complicated. Below is the ifcfg-eth0 of the server (where x is the same number):

----------------------
DEVICE=eth0
BOOTPROTO=static
BROADCAST=176.9.x.159
HWADDR=a:a:a:a:a:a
IPADDR=176.9.x.145
NETMASK=255.255.255.255
SCOPE="peer 176.9.x.129"
----------------------Â

Â
As a refinement, you can run either of these methods in it's own DomU. Use PCI passthrough to pass the physical NIC through to the DomU as one NIC, and give it a VIF as a second NIC on your internal network (Dom0 bridge). You now have a neatly segregated virtual box that can act as router and firewall - without having to bother about iptables rules on Dom0. This is the setup I run at home.

This sounds interesting, but I'll have to dig deeper into it.
Will there be any performance increase, if I shift away from NAT? Even little CPU power cannot be wasted here, as this will become a heavily loaded server.
Â


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Thanks Simon, and any suggestions Felix??
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.