
Re: [Xen-users] Complex networking scenario


  • To: xen-users@xxxxxxxxxxxxx
  • From: Alexandre Kouznetsov <alk@xxxxxxxxxx>
  • Date: Thu, 22 Nov 2012 16:35:25 -0600
  • Delivery-date: Thu, 22 Nov 2012 22:36:49 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>

Hello, Paul.

Not that complex, btw, don't let yourself be intimidated.

On 22/11/12 15:01, Simon Hobson wrote:
> paul@xxxxxxxxxxxxxxxxxxxx wrote:
> > 2.    I have a single IP address available on network A so I need to
> > NAT all the 192.168 addresses of the VMs so they can all get access to
> > the company LAN.
>
> Ah, I've never set up NAT in this situation ! At home I've created a
> virtual router in its own VM, and that does the NAT in a two interface
> setup.
Very suitable in production environments as well. No matter whether NAT is involved or not, it depends more on the rest of the network (whether it can route packets the right way or not).

Deploy a dedicated router VM with interfaces in all needed networks, and its setup will be no different from any other software router. There is a lot of documentation, references, tutorials and even ready-to-use appliances for that.

Attempting to do routing on Dom0 will be more "low level", but with many more details to take care of. Not worth it.

> Is there any reason you can't have multiple addresses ? It would make
> things a LOT simpler for you ? It's not as if private addresses are
> scarce. If you can have one IP per VM then you don't need the NAT and
> you simply bridge stuff together.
Not really, not always. NAT is sometimes useful even on a pure private network, even if there are plenty of private addresses to assign. It depends on topology and demarcation points; the latter is very important.

My suggestion for you is to draw, literally, the network topology you desire, even if it's very simple. It will clear up many things and it's an excellent exercise. I doubt someone here will do for you whatever has to be done, but if you make yourself a plan you can get more specific feedback, just like the feedback you are getting now.

Meanwhile, some ideas:
A - Get 2 addresses on 10.1.2.0/24 for your box. Use one on your router VM; it will be the primary gateway between your networks. Use the other as a Dom0 auxiliary address, which shall listen only to SSH. In case you lock yourself out of the router VM due to a failure or a mistake, Dom0 will allow you to retake control of your box.

B - It's OK to dedicate a single physical interface to THE external provider. But if their number grows some day, it's useful to plug them into an L2 manageable switch, isolated on different VLANs, and have access to all of them via the same physical eth1.

C - Why 192.168.99.0/23 and not 192.168.99.0/24 ? /24 is easier to manage.

E - Consider bridging eth2, if it's available and not a security issue, to the network you called Xenland. Excellent for troubleshooting and future scalability.

3. Make the same router VM have an interface on network A, network B and network C. The routing configuration is trivial.

5. A "normal restrictive" filter will prevent any accidental leak. DROP everything via iptables -P, unless specifically allowed.

6. Trivial on the router VM; you will not even need any extra routing rules, just a normal IP interface setup with the default gateway on one of them, and allow IPv4 forwarding.

7. Consider port forwarding (DNAT in iptables land) on the router VM, or a reverse proxy like Nginx. A reverse proxy is much cleaner and gives you more access control.


--
Alexandre Kouznetsov
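As an added example (not part of the original thread, and not Alexandre's or Paul's configuration), here is the kind of ruleset points 5, 6 and 7 above describe for the router VM, plus the SSH-only rule for the Dom0 auxiliary address from point A. Interface names, the 10.1.2.x addresses and the web VM at 192.168.99.10 are assumptions made for the example; the mail only names eth1 (provider), eth2 (Xenland) and the 10.1.2.0/24 and 192.168.99.0/24 ranges. By default the script only prints the commands so the ruleset can be reviewed; set APPLY=1 to execute them on the VM.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names (not in the mail):
#   WAN_IF=eth0   interface on 10.1.2.0/24 (network A, the company LAN); the box
#                 has one usable address there, ROUTER_IP, so VM traffic is NATed
#   EXT_IF=eth1   interface to the external provider
#   LAN_IF=eth2   interface bridged to "Xenland", 192.168.99.0/24
#   WEB_VM        a VM on Xenland reached from the LAN via port forwarding (DNAT)
# Set APPLY=1 to execute the commands; otherwise they are only printed.
WAN_IF=${WAN_IF:-eth0}
EXT_IF=${EXT_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
LAN_NET=${LAN_NET:-192.168.99.0/24}
ROUTER_IP=${ROUTER_IP:-10.1.2.10}
WEB_VM=${WEB_VM:-192.168.99.10}
DOM0_SSH_IP=${DOM0_SSH_IP:-10.1.2.11}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Ruleset for the router VM: default DROP on INPUT and FORWARD, forward
# only what is listed, NAT the VM range behind the single LAN address,
# and DNAT one service back in.
router_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # manage the router itself over SSH only, from Xenland or the company LAN
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    # replies to connections a VM opened
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VMs may reach the company LAN and the provider; the DROP policy already
    # stops anything between provider and LAN, so no rule is needed for that
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    # hide the VMs behind the router's LAN address (fixed) and the
    # provider-side address (may be dynamic, so MASQUERADE)
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$ROUTER_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
    # port forward: LAN clients hitting ROUTER_IP:8080 reach the web VM on 80;
    # the DNAT rule rewrites the destination, the FORWARD rule lets it through
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$ROUTER_IP" -p tcp --dport 8080 -j DNAT --to-destination "$WEB_VM:80"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_VM" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# Ruleset for Dom0's auxiliary address: SSH only, so you can get back in
# if the router VM is misconfigured. Nothing is forwarded here; the
# router VM does that.
dom0_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -d "$DOM0_SSH_IP" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    router) router_rules ;;
    dom0) dom0_rules ;;
esac
```

Run as `sh rules.sh router` on the router VM (with `APPLY=1` to apply) and `sh rules.sh dom0` on Dom0. The FORWARD chain is the "accidental leak" guard from point 5: with the policy at DROP, traffic between the provider interface and the company LAN is never forwarded unless a rule is added for it, and the DNAT in point 7 only works because a matching FORWARD ACCEPT exists for that one destination and port.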

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

