
Re: [Xen-users] Complex networking scenario



paul@xxxxxxxxxxxxxxxxxxxx wrote:

> I'm new to Xen having been steered into a project at work as the resident Linux user.

It's good fun isn't it :D

> I'm trying to set up some networking and I'm finding it very taxing (it's way more in-depth iptables and networking than I'm used to).

Talk about in at the deep end !

> There are 3 VMs: an HVM Windows Server 2008 R2 guest with the PV drivers installed and 2 Ubuntu 10.04 PV installs.
>
> The Networks:
>
> A - 10.1.2.0/24 - The company network (on physical eth0)
> B - 172.16.2.0/24 - Physical network connected to a hardware data receiver product. (physical eth1)
> C - 192.168.99.0/23 - Private LAN in Xenland used to connect the VMs together and to the host.
> D - Xenbr0 (192.168.99.1/24) - The default gateway for the VMs on the private LAN.
> E - Physical interface eth2 - Bridged into xenbr0 to provide physical maintenance access into the guests' world from a laptop.

> What I'm trying to achieve:
>
> 1. Each guest should have a single network connection onto the virtual 192.168 (C) LAN.

OK, that bit is easy - just create the bridge in /etc/network/interfaces. I prefer to give meaningful names to things (eg ethint), so you'd have something like (from memory):

    # /etc/network/interfaces stanza: a bridge named ethint with eth2 as its only port
    auto ethint
    iface ethint inet static
      bridge_ports eth2
      address 192.168.99.1
      netmask 255.255.254.0

> 2. I have a single IP address available on network A so I need to NAT all the 192.168 addresses of the VMs so they can all get access to the company LAN.

Ah, I've never set up NAT in this situation! At home I've created a virtual router in its own VM, and that does the NAT in a two interface setup. Is there any reason you can't have multiple addresses? It would make things a LOT simpler for you. It's not as if private addresses are scarce. If you can have one IP per VM then you don't need the NAT and you simply bridge stuff together.

> 3. I have a single IP address available on network B so I need to NAT all the VMs so they can access the data receiver.

Ditto, why the single address?

> 4. The data receiver produces a multicast stream. I need the VMs to be able to subscribe to it with IGMP and the multicast UDP to make its way across the host and onto the C network to them when subscribed (or all the time if that's much easier)

Dunno - never worked with multicast, other than at a very primitive level.

> 5. I do NOT want the multicast to leak out onto LAN A or machines on LAN A to be able to subscribe.

No problem: unless you link them in some way, they will remain separate.

> 6. All packets from the VMs not addressed on the 192.168 or 172 networks need to be forwarded through the host to the company LAN (with ESTABLISHED and RELATED returns allowed)
>
> 7. Port 80 incoming on physical eth0 (LAN A) is redirected through the host to the webserver on one of the VMs (192.168.99.20:80)

That's a matter of setting the default gateway and routing properly (the default connected net routes will be OK). Plus the SNAT for outbound NAT, and DNAT for the inbound port 80. The NAT is stateful and will handle the returns automagically.

> I think my head is about to explode.

I know how you feel, I've just had to revisit traffic shaping and accounting as I'm updating my edge routers - things have moved on a bit and I've been having fun getting my head around packet marking and matching (I use Shorewall BTW - highly recommended).

--
Simon Hobson
