
Re: [Xen-users] Complex networking scenario




On Thu, Nov 22, 2012 at 11:28 AM, paul@xxxxxxxxxxxxxxxxxxxx <paul@xxxxxxxxxxxxxxxxxxxx> wrote:
Hi everyone,

I'm new to Xen having been steered into a project at work as the resident Linux user. I'm trying to set up some networking and I'm finding it very taxing (it's way more in-depth iptables and networking than I'm used to). I'd really be grateful if someone could help me please.

There are 3 VMs: an HVM Windows Server 2008 R2 guest with the PV drivers installed and 2 Ubuntu 10.04 PV installs.

The Networks:
A - 10.1.2.0/24 - The company network (on physical eth0)
B - 172.16.2.0/24 - Physical network connected to a hardware data receiver product. (physical eth1)
C - 192.168.99.0/23 - Private LAN in Xenland used to connect the VMs together and to the host.
D - Xenbr0 (192.168.99.1/24) - The default gateway for the VMs on the private LAN.
E - Physical interface eth2 - Bridged into xenbr0 to provide physical maintenance access into the guests' world from a laptop.

What I'm trying to achieve:

  1. Each guest should have a single network connection onto the virtual 192.168 (C) LAN.
  2. I have a single IP address available on network A so I need to NAT all the 192.168 addresses of the VMs so they can all get access to the company LAN.
  3. I have a single IP address available on network B so I need to NAT all the VMs so they can access the data receiver.
  4. The data receiver produces a multicast stream. I need the VMs to be able to subscribe to it with IGMP and the multicast UDP to make its way across the host and onto the C network to them when subscribed (or all the time if that's much easier)
  5. I do NOT want the multicast to leak out onto LAN A or machines on LAN A to be able to subscribe.
  6. All packets from the VMs not addressed on the 192.168 or 172 networks need to be forwarded through the host to the company LAN (with ESTABLISHED and RELATED returns allowed)
  7. Port 80 incoming on physical eth0 (LAN A) is redirected through the host to the webserver on one of the VMs (192.168.99.20:80)

From my research, I believe that the stock Ubuntu server kernel on the host won't forward multicast on its own and I need some software agent to handle the subscriptions and passing of the UDP multicast data. IGMPProxy, XORP or pimd seem to "do the right thing" but I'm not sure which to choose or how to set them up (particularly in the case of XORP, which seems very flexible and to have a lot of learning curve).

I think my head is about to explode.

Thank you in advance,
Paul.

I think it's going to look something like this. I put my rules in a script so I can do multiple things. You didn't say if your eth0 was on a bridge or not so I'll give you my setup for xenbr0 (company network) and xenbr1 (VM network) and you can play with it. I'm forwarding port 80 to an internal VM. Since I don't have time to rewrite it for your setup I'd suggest replacing my xenbr0 with eth0. You should only then need to worry about your data receiver. I'd write more but it's Thanksgiving...

#!/bin/sh

# Let the host route between its interfaces.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Start from empty filter and nat tables.
iptables -F
iptables -t nat -F

# Hide the VM network behind the host's address on the company bridge.
iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE
# From the company bridge, only replies to VM-initiated connections are forwarded.
iptables -t filter -A FORWARD -i xenbr0 -o xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything the VMs send towards the company bridge is forwarded.
iptables -t filter -A FORWARD -i xenbr1 -o xenbr0 -j ACCEPT

# The host itself accepts traffic arriving from the VM bridge.
iptables -t filter -A INPUT -i xenbr1 -j ACCEPT

### Port Forwarding ###
# Inbound TCP/80 on the company bridge is rewritten to the internal web server VM.
iptables -t nat -A PREROUTING -p tcp -i xenbr0 --dport 80 -j DNAT --to 192.168.0.100:80



Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows."Â
Now they have two problems.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
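The same approach mapped onto the three-interface layout from the question, as an added example that is not Grant's script or anything else from this thread: eth0 as LAN A, eth1 as LAN B and xenbr0 as the private LAN C, with a default-deny FORWARD policy, MASQUERADE towards both external networks, the port 80 DNAT to 192.168.99.20, and rules that keep multicast and IGMP off LAN A. The variable names and the DRY_RUN switch are assumptions for illustration; the multicast routing daemon itself (igmpproxy, pimd or XORP) still has to be set up separately and is not shown here.

```shell
#!/bin/sh
# Added example (not from the thread): NAT and forwarding for the layout in
# the question: eth0 = LAN A, eth1 = LAN B, xenbr0 = private LAN C.
# Set DRY_RUN=1 to print the rules instead of applying them.
set -eu

LAN_A=eth0            # company network, single usable address
LAN_B=eth1            # data receiver network, single usable address
VM_BR=xenbr0          # bridge the VMs sit on
VM_NET=192.168.99.0/24
WEB_VM=192.168.99.20  # web server VM (requirement 7)

ipt() {
    if [ "${DRY_RUN:-}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    [ "${DRY_RUN:-}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    ipt -F
    ipt -t nat -F
    # Default deny: nothing crosses the host unless a rule below allows it.
    ipt -P FORWARD DROP

    # VMs leave towards A and B behind the host's one address on each.
    ipt -t nat -A POSTROUTING -s "$VM_NET" -o "$LAN_A" -j MASQUERADE
    ipt -t nat -A POSTROUTING -s "$VM_NET" -o "$LAN_B" -j MASQUERADE

    # Requirements 4/5: multicast from the receiver network may enter the VM
    # LAN (the IGMP/PIM daemon does the actual forwarding) but never leaves
    # towards LAN A, and the host ignores IGMP joins arriving from LAN A.
    ipt -A FORWARD -i "$LAN_B" -o "$VM_BR" -d 224.0.0.0/4 -j ACCEPT
    ipt -A FORWARD -o "$LAN_A" -d 224.0.0.0/4 -j DROP
    ipt -A INPUT -i "$LAN_A" -p igmp -j DROP

    # Requirement 6: VM-initiated traffic out, only replies back in.
    for ext in "$LAN_A" "$LAN_B"; do
        ipt -A FORWARD -i "$VM_BR" -o "$ext" -j ACCEPT
        ipt -A FORWARD -i "$ext" -o "$VM_BR" \
            -m state --state RELATED,ESTABLISHED -j ACCEPT
    done

    # Requirement 7: TCP/80 arriving on LAN A goes to the web server VM.
    ipt -t nat -A PREROUTING -i "$LAN_A" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_VM:80"
    ipt -A FORWARD -i "$LAN_A" -o "$VM_BR" -p tcp -d "$WEB_VM" --dport 80 -j ACCEPT
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it as `DRY_RUN=1 sh nat-rules.sh apply` first to review the generated rules, then without DRY_RUN to apply them.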
