
Re: [Xen-users] Making a WAP



I'm not sure what you mean by "routing package". I was just gonna use iptables. I've got no intention of using some heavy web-based thing like IPCop. Does iptables have a speed limit? I guess the driver for the onboard wlan has to be fast - it's an Atheros thing.

Local security: well, people in the house are supposed to be able to read and write to incest's file shares. If they bring home something nasty on their laptops there's not a lot I can do. Perhaps I mess with read-only mounts for most users etc., etc., but that would be a later topic. At this networking stage, we simply want the laptops and incest to be in the same zone. If I make a guest wlan it won't be inside the family LAN.

If I understand you correctly you're saying this:

 wireless---murder---+---fraud---+---pppoe
    |                |           |
 laptops           incest      libel

Trouble is, I'd need NAT happening in both murder and fraud, wouldn't I? If I connected incest to murder instead, fraud would be redundant, and murder would be in the thick of the action:

 wireless---murder-----+---pppoe
    |         |        |
 laptops    incest   libel

I think that's what I'm forced into. Shame. I kinda hoped dom0, having the power to vape everything else, would have nothing to do except pretend not to be there. Well, never mind. If it runs no services whatsoever, not even sshd, it's probably safe.

Adrian.
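
An iptables-restore ruleset for the topology Adrian settles on above (dom0 "murder" holding the wireless side, doing the NAT, and running no services), added here as an example; it is not code from the thread. It assumes a bridge named "lan" carrying the wifi interface and incest's vif, a bridge named "wan" carrying eth0 and libel's vif with no dom0 address on it, and a PPPoE session on dom0 named ppp0; the single DHCP rule assumes dom0 runs the LAN's DHCP server, and is the only inbound service it admits.

```shell
#!/bin/sh
# Added example (not from the thread): dom0 firewall for the
# wireless---murder---+---pppoe layout.  Interface names are assumptions.
LAN=${LAN:-lan}     # bridge: wifi + incest's vif, dom0 holds the LAN address
WAN=${WAN:-wan}     # bridge: eth0 + libel's vif, dom0 has no IP here
PPP=${PPP:-ppp0}    # dom0's own PPPoE session over the wan bridge

# Emit the ruleset in iptables-restore format (comment lines are allowed there).
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# dom0 itself: loopback, replies to its own traffic, and (assumption) DHCP
# requests from the wireless LAN.  Nothing else can reach dom0, on any side.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
# Frames that are only bridged (laptops<->incest on lan, libel<->modem on wan)
# would hit the FORWARD DROP policy when bridge-nf-call-iptables=1, so accept
# them explicitly; they never leave their own bridge.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# PPPoE has a smaller MTU: clamp TCP MSS on outbound SYNs.
-A FORWARD -o $PPP -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# The only routed path is lan -> ppp0.  lan -> wan, wan -> lan and anything
# new arriving from ppp0 fall through to the DROP policy.
-A FORWARD -i $LAN -o $PPP -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $PPP -j MASQUERADE
COMMIT
EOF
}

# Number of INPUT rules that accept anything; the only ones should be
# loopback, established replies and LAN-side DHCP (three).
count_input_accepts() {
  gen_ruleset | grep -c '^-A INPUT .* -j ACCEPT$'
}

# Load the rules and enable routing between lan and ppp0 (root on dom0).
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_ruleset | iptables-restore
}

case "${1:-}" in
  print) gen_ruleset ;;
  apply) apply_ruleset ;;
esac
```

Run it as `sh dom0-fw.sh print` to inspect the rules or `sh dom0-fw.sh apply` on dom0. Libel's own PPPoE frames on the wan bridge are not IP, so the FORWARD chain never sees them; the physdev rule matters for the laptops-to-incest traffic on lan, which is IP and would otherwise be dropped on kernels where bridge-nf-call-iptables is on.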


On 20 June 2012 13:26, Casey DeLorme <cdelorme@xxxxxxxxx> wrote:
From what I read it was less about speeds and more about hardware compatibility, either it is supported by the routing package or it isn't (works/doesn't).

I had a discussion here, where someone mentioned a Linux package that supposedly had some support for a limited set of Wireless N devices:

If you are worried about exposing murder to the www, then you might consider turning fraud into a firewall, and bridging to fraud and back to murder via lan, where the lan is entirely virtual and bridged to share the connection with the wireless NIC. The only downside here is you aren't protecting murder/incest from anyone accessing your local network.

If you go that route though, you can set up your interfaces like this (I substituted the wifi name with "wifi" since I don't know how those are seen by the interfaces file):

auto lo wan lan
iface lo inet loopback

# physical NIC: no address in dom0, it is only a bridge port
iface eth0 inet manual

# "wan" bridge: eth0 plus the vifs Xen attaches for fraud and libel
iface wan inet manual
    bridge_ports eth0

# "lan" bridge: the wireless interface plus the vifs for fraud and incest
iface lan inet dhcp
    bridge_ports wifi


You would pass both "wan" and "lan" to fraud. fraud would have some firewall package and connect "wan" to "lan", and probably handle DHCP on "lan".

You could install the routing package on murder to broadcast the WAP; if it supports bridged mode you could let fraud handle the DHCP, otherwise you may have to add a DHCP server on murder as well.


Again that'll only work if you aren't overly concerned about local network security, and if your onboard wireless is supported by the routing package.
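
Adrian asked what comes after bringing the wireless up in dom0's interfaces file; the usual answer on Linux is hostapd attaching the card to the bridge in AP mode. The script below is an added example, not Casey's or Adrian's configuration: it writes a WPA2/802.11n hostapd.conf that joins an assumed "wlan0" to an assumed bridge "lan", and prints a matching interfaces stanza. The SSID, channel and the 192.168.1.1/24 address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): hostapd-based WAP on dom0, attached to
# the Linux bridge that also carries the file server's vif.  Names assumed.
WIFI=${WIFI:-wlan0}
BRIDGE=${BRIDGE:-lan}
SSID=${SSID:-family}
CHANNEL=${CHANNEL:-6}

# Write hostapd.conf to $1 with passphrase $2.  WPA2-PSK with CCMP only (no
# TKIP), 802.11n enabled on the 2.4 GHz band.  hostapd adds the wifi
# interface to the bridge itself via "bridge=", so the interfaces file must
# NOT list it under bridge_ports.
write_hostapd_conf() {
  [ ${#2} -ge 8 ] && [ ${#2} -le 63 ] || {
    echo "WPA passphrase must be 8-63 characters" >&2; return 1; }
  cat > "$1" <<EOF
interface=$WIFI
bridge=$BRIDGE
driver=nl80211
ssid=$SSID
hw_mode=g
channel=$CHANNEL
ieee80211n=1
wmm_enabled=1
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$2
EOF
  chmod 600 "$1"   # the file holds the PSK in clear
}

# Interfaces stanza for dom0: an empty bridge (Xen's hotplug script adds the
# vifs, hostapd adds the wifi port).  dom0 keeps the LAN-side address it
# needs in order to NAT for the laptops.
write_interfaces_stanza() {
  cat <<EOF
auto $BRIDGE
iface $BRIDGE inet static
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    address 192.168.1.1
    netmask 255.255.255.0
EOF
}

# Start the AP in the background once the bridge is up.
start_ap() {
  hostapd -B "$1"
}

case "${1:-}" in
  conf) write_hostapd_conf "${2:-/etc/hostapd/hostapd.conf}" "$3" ;;
  interfaces) write_interfaces_stanza ;;
  start) start_ap "${2:-/etc/hostapd/hostapd.conf}" ;;
esac
```

This needs a driver with nl80211 AP-mode support (ath9k, for the Atheros part mentioned in the thread, has it); the card's channel list must also permit the chosen channel in your regulatory domain, which hostapd checks at start-up.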


On Wed, Jun 20, 2012 at 12:15 AM, Adrian May <adrian.alexander.may@xxxxxxxxx> wrote:
Hi Guys,

Thanks for your help so far. My mainboard is an Asus E45M1 which has an AMD Fusion E450 processor (AMD-V but probably not AMD-Vi), one ethernet port and an onboard wireless N. I chose that over the Atom cos the latter has no HW virtualisation at all.

One of my main goals is not to have a crappy wireless router in the house any more - I want to make my own so I don't have to put up with the bugs they deliberately build into those things to make companies pay $500 for the "professional" ones. Fraud is supposed to be the wireless router. Anyway, I only have one ethernet slot on the board.

Libel isn't an issue - it can already see eth0 on which the modem is waiting to connect pppoe clients to servers supplying fixed or dynamic IP addresses. BTW, it'll also provide an OpenVPN for friends with paranoid governments (either that or another box called treason will) who might want to bring it down, hence the insistence that it's in no way connected to my domestic stuff.

Seems like I have to settle for murder bringing up the wireless cos there's no AMD-Vi. Does that mean I'll get wireless N speeds or still have to put up with G?

If murder sets up the wireless in /etc/network/interfaces, what next?

I could just forget all about fraud and let murder do its jobs, but then I'd have dom0 connected directly to the jungle, which is extremely uncomfortable - I have all my family photos on incest and if some spammer hacked murder he wouldn't even notice what he was bulldozing to make room for his spam list. Incest is the only thing I really need to protect.

I could just about tolerate murder having a life on the domestic wireless network, but I really did want to keep it off the internet. I also had a plan to put up an open wireless network for friends and neighbours, but murder and incest would have to be protected from it. Maybe it's just a case of being very careful with my iptables, but I'm not especially confident of my ability to make that tight. Some of those scripts on the internet are talking about weaknesses I never would have thought of.

Adrian.

On 20 June 2012 07:44, Casey DeLorme <cdelorme@xxxxxxxxx> wrote:

Adrian,


Actually, what you are trying to achieve is not possible without IOMMU, as a vif is just a bridged virtual interface. Your DomU needs direct access to the physical card, using PCI Passthrough. For this both your CPU and Motherboard must be IOMMU Compatible (VT-d for Intel, AMD-Vi for AMD).

I have a similar configuration at home involving a pfSense router, debian web server and multimedia virtual machine. To save you some time, you probably won't achieve Wireless N, this is because most routing packages do not yet support it. As of March there were only a handful of drivers, and the related chips were only featured in laptop wireless cards.



So you are facing two problems:

A. Do you have IOMMU Compliant Hardware?

B. Is Wireless G Okay?



Based on these machines:

murder (dom0)
libel (domu web server)
fraud (domu router)
incest (file server domu?)

These solutions are based on two assumptions:

A. That fraud is to provide internet access for the connected machines.
B. That libel and fraud will be using a routing device, but libel needs a static IP.

If not A then omit the WAN interface for fraud from the proposed solutions.
If not B then add one extra interface for a separated WAN for libel.



My proposed solution:

Using two physical NICs you would bridge them using murder's interfaces file. You can tell murder to ignore these bridges so it remains a hermit and doesn't grab an IP.

The bridges could be WAN and LAN. WAN can be passed to fraud and libel. Assign a static IP in libel's interfaces file. Let fraud receive a dynamic IP from WAN. Connect the LAN bridge to fraud and to incest, and have the physical NIC connect to a Wireless N router.

Configure the Wireless N router to use bridged mode, and install a routing package in fraud, because interfaces probably won't do everything you need it to for intranet management.



Your Ideal Solution:

To achieve exactly what you want, you need IOMMU to let murder remain a hermit.

You will need at least one physical known compatible wireless G device and a routing package selected for fraud.

You will need one physical NIC for libel, another physical NIC for fraud.

You can pass one physical NIC to libel and assign a static IP using libel's interfaces file.

You can pass a physical NIC to fraud for WAN and let it pull a dynamic IP from another routing device. You can also pass the physical wireless G card to fraud, and install the selected routing package to set up your WAP.

For incest you can use another Wireless NIC to connect to fraud wirelessly, or you will need two more physical NICs for fraud and for incest and a cable to connect the two.



I hope this helps get you started.

~Casey



On Tue, Jun 19, 2012 at 12:36 PM, Alexandre Kouznetsov <alk@xxxxxxxxxx> wrote:
Hello.

On 19/06/12 10:06, Adrian May wrote:

But I can't see how I'm supposed to get the wireless NIC into xen at
all.

I believe Xen does not support that low-level interaction between a DomU and the hardware with some standard wrapper, like it does with a wired Ethernet interface.

Check if your Motherboard supports IOMMU. Probably your best shot would be to pass through the whole WiFi card into Fraud. That is hopefully low level enough.

http://wiki.xen.org/wiki/Xen_PCI_Passthrough

--
Alexandre Kouznetsov

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
