
Re: [Xen-users] Firewall in domU, networking in XEN


  • To: xen-users@xxxxxxxxxxxxx
  • From: Slawomir Kosowski <slawek.k_xl@xxxxx>
  • Date: Thu, 24 May 2012 09:55:15 -0400
  • Delivery-date: Thu, 24 May 2012 07:57:02 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>

Sławek Kosowski wrote:

1. I need to create a virtual interface in dom0 that will connect to ethint (giving access to LOC). Should I create an alias to eth0 (eth0:1)?

No. You already have access to int from Dom0 - that's what the address 192.168.1.x netmask 255.255.255.0 gateway 192.168.1.1 bit of the config does for you. The bridge itself becomes the interface in Dom0 - it should show as ethint in the output from ifconfig.

That works fine. So I understand that this is an interface configuration with the possibility of bridging other ports, right? (Something like a configured interface directly connected to a switch where no other interfaces are connected?) This is not the configuration of the bridge itself, since an L2 bridge cannot have its own IP address (however, I know that I can assign an IP address in Linux, which does not make sense at this point)?

2. I cannot configure ethdmz in the way that you've shown. It works fine if I assign an IP as in the case of ethint.

The docs I found say it should work - not a setup I've used personally. Perhaps someone else can confirm if I've got the syntax correct. Do you get an error message? Just "nothing"? Does the bridge appear (brctl show)?

I get:
Don't seem to have all the variables for ethdmz/inet.
Failed to bring up ethdmz.
It's working fine when I change static to manual

bridge name    bridge id        STP enabled    interfaces
ethdmz        8000.000000000000    no   

3. How should I keep the configuration of eth0 if it won't have any IP (in dom0) - it will be bridged to domU1?

Should it be something like this:

auto eth0:0
iface eth0:0 inet manual

No, you just don't configure it at all. It will be bridged to a DomU and Dom0 will not have any access.

So I delete the default eth0 configuration from /etc/network/interfaces?

Before starting any DomUs, brctl show should give something like:

bridge name    bridge id            STP enabled    interfaces
ethext         8000.xxxxxxxxxxxx    no             eth0
ethint         8000.xxxxxxxxxxxx    no
ethdmz         8000.xxxxxxxxxxxx    no

After starting the first DomU as your firewall device, you should see it change to something like:

bridge name    bridge id            STP enabled    interfaces
ethext         8000.xxxxxxxxxxxx    no             vifa.b
                                                   eth0
ethint         8000.xxxxxxxxxxxx    no             vifa.c
ethdmz         8000.xxxxxxxxxxxx    no             vifa.d

Not too sure about the "vifa.b" stuff, I give my DomUs explicit interface names, so I might see:

bridge name    bridge id            STP enabled    interfaces
ethext         8000.xxxxxxxxxxxx    no             fwext
                                                   eth0
ethint         8000.xxxxxxxxxxxx    no             fwint
ethdmz         8000.xxxxxxxxxxxx    no             fwdmz

Eg, in the config for my firewall DomU, I might have something like:

vif = [ 'bridge=ethext,vifname=fwext', 'bridge=ethint,vifname=fwint', 'bridge=ethdmz,vifname=fwdmz' ]

I just like having meaningful names - makes things easier when you have a few VMs running. On the other hand, it causes some confusion when cloning a VM and I forget to change the names!


Sounds good, thanks!
Slawomir Kosowski
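The thread ends with two things worth checking from dom0 once the firewall DomU is up: every bridge carries the firewall's vif and only ethext carries eth0, and dom0 itself has an address on ethint only (an address on ethext or ethdmz, which is the "assign an IP as for ethint" workaround mentioned above, would put dom0 on the outside or DMZ segment in front of the firewall). The script below is an added example, not code from the thread or from the Xen project. It parses the output of bridge-utils `brctl show` and iproute2 `ip -4 -o addr` in the formats those tools print, uses the bridge and vifname values from the thread (ethext/ethint/ethdmz, fwext/fwint/fwdmz), and runs against constructed sample output with dummy bridge ids and addresses; on a real dom0 you would feed it the live output of the two commands.

```shell
#!/bin/sh
# Added example (not from the thread): verify the three-bridge firewall layout from dom0
# using only `brctl show` and `ip -4 -o addr` output. Names follow the thread; all sample
# output below is constructed, with dummy bridge ids and addresses.

# Print one "bridge member" pair per line from `brctl show` output on stdin.
# brctl puts a bridge's first member on the bridge's own row and any further
# members on continuation rows holding nothing but the interface name.
brctl_members() {
    awk 'NR == 1 { next }                # header row
         NF >= 3 { bridge = $1 }         # row that starts a new bridge
         NF == 4 { print bridge, $4 }    # ... and names its first member
         NF == 1 { print bridge, $1 }'   # continuation row: member only
}

# Print "iface address/prefix" pairs from `ip -4 -o addr` output on stdin.
dom0_addrs() {
    awk '{ print $2, $4 }'
}

# check_layout BRCTL_OUTPUT IP_OUTPUT
# Exit 0 when the layout matches the thread's design, 1 otherwise (reasons on stderr).
check_layout() {
    members=$(printf '%s\n' "$1" | brctl_members)
    addrs=$(printf '%s\n' "$2" | dom0_addrs)
    rc=0
    # 1. Every bridge carries the firewall DomU's vif; ethext also carries eth0.
    for pair in 'ethext eth0' 'ethext fwext' 'ethint fwint' 'ethdmz fwdmz'; do
        printf '%s\n' "$members" | grep -qx "$pair" \
            || { echo "missing on bridge: $pair" >&2; rc=1; }
    done
    # 2. eth0 on a second bridge would let LOC or DMZ traffic bypass the firewall DomU.
    if printf '%s\n' "$members" | grep -v '^ethext ' | grep -q ' eth0$'; then
        echo 'eth0 is attached to a bridge other than ethext' >&2; rc=1
    fi
    # 3. dom0 is addressed on ethint only. An address on eth0, ethext or ethdmz
    #    puts dom0 itself on the outside or DMZ segment, in front of the firewall.
    printf '%s\n' "$addrs" | grep -q '^ethint ' \
        || { echo 'dom0 has no address on ethint' >&2; rc=1; }
    for dev in eth0 ethext ethdmz; do
        if printf '%s\n' "$addrs" | grep -q "^$dev "; then
            echo "dom0 has an address on $dev" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed `brctl show` output after the firewall DomU (vifname=fw*) has started.
GOOD_BRCTL='bridge name	bridge id		STP enabled	interfaces
ethext		8000.020000000001	no		fwext
							eth0
ethint		8000.020000000002	no		fwint
ethdmz		8000.020000000003	no		fwdmz'

# Same, but eth0 has also ended up on ethdmz (a continuation row under the last bridge).
BAD_BRCTL="$GOOD_BRCTL
							eth0"

# Constructed `ip -4 -o addr` output: dom0 is addressed on lo and ethint only.
GOOD_IP='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: ethint    inet 192.168.1.10/24 brd 192.168.1.255 scope global ethint\       valid_lft forever preferred_lft forever'

# Same, plus an address on ethdmz (the "assign an IP as for ethint" workaround).
BAD_IP="$GOOD_IP
6: ethdmz    inet 10.0.0.1/24 brd 10.0.0.255 scope global ethdmz\\       valid_lft forever preferred_lft forever"

# Run against the constructed samples; live use: check_layout "$(brctl show)" "$(ip -4 -o addr)"
if check_layout "$GOOD_BRCTL" "$GOOD_IP"; then echo 'constructed sample: layout OK'; fi
check_layout "$BAD_BRCTL" "$BAD_IP" || echo 'constructed bad sample: rejected'
```

The parser treats any row with only one field as a continuation of the previous bridge, which is how brctl prints a bridge with more than one port; a bridge with no ports (the ethdmz row the original poster saw before starting a DomU) has three fields and yields no pair, so the check reports the missing vif rather than crashing.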
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.