
Re: [Xen-users] Comparing approaches to a firewall on a Xen server. Any experience or recommendations?



On 22/04/15 12:14, aleph2@xxxxxxxxxxx wrote:
> Hi Adam
>
> On 2015-04-22 01:26, Adam Goryachev wrote:
>>> I'd appreciate a little help in narrowing this down to the best
>>> approach, choosing simple where there's a choice.
>>
>> IMHO, use two physical ethernet ports on the dom0, and configure each
>> of them as a bridge (your dom0 Linux OS will be used for this).
>
> That's easy enough.  This approach, by NOT passing the interfaces
> through to the DomU with PCI-passthrough, can get bottlenecked at the
> bridge due to the DomU<->Dom0 traffic, no?
>
> I've seen it discussed, but don't have any sense for the numbers --
> load, throughput, etc.  I.e., is it something I should worry about?
>
That depends... what is your WAN bandwidth? I would guess it is less
than 100Mbps, which should have little impact assuming you are using any
reasonably modern CPU/network card etc...

The other factor is LAN traffic, but if you are sharing the LAN
interface for multiple domU, then you can't use PCI passthrough anyway.
Also, PCI passthrough will add complexity that you probably don't need
right now.
>> Physically, you will connect one of them to your LAN and the other to
>> your WAN (router/modem/etc).
>>
>> The LAN port is bridged to xenbr0 and the wan port to xenbr1
>> In dom0, xenbr0 is configured with an IP address the same as any
>> normal server on your LAN (eg 192.168.1.12/24) and xenbr1 has no IP
>> address, and is not configured/used.
>> You configure to pass xenbr0 and xenbr1 to the domU as eth0 and eth1
>> Within domU you use eth0 as your normal LAN interface (eg
>> 192.168.1.1/24), and configure eth1 as your WAN interface (external IP
>> address, or PPPoE or whatever is needed). Configure your firewall the
>> same as if this was a physical server with two ethernet devices.
>> Nothing special at all.
>
> In this scenario, does the DomU need to be PV, HVM, or either?  I
> guess the answer depends on if the passed-through bridges need
> paravirt drivers?
>
> There are a number of HVM-only (or, at least not easily PV'd) firewall
> appliances which might be nice to use.  Wondering out loud about
> performance issues of firewall in DomU ...
>
I'm assuming you would use some sort of "modern" Linux OS for the domU,
and therefore use PV. Note by modern I mean a Linux kernel of 3.2.x or
newer, which is actually rather old...

Regards,
Adam

-- 
Adam Goryachev
Website Managers
www.websitemanagers.com.au
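
The two-bridge layout Adam describes, written out as the config files a dom0 admin would actually put in place. This is an added example, not code from the thread or from the Xen project: it renders a Debian ifupdown stanza for dom0 (xenbr0 with dom0's LAN address, xenbr1 with no address), the xl config for the firewall domU (vif order fixes eth0 = LAN, eth1 = WAN), and a pre-flight check, all into a staging directory so it runs without root and without touching the live system. The NIC names eth0/eth1, the dom0 address 192.168.1.12/24, the domU name "fw", the disk path, the MAC addresses and the pygrub bootloader are assumptions to adjust for your box.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders and checks the
# two-bridge firewall layout: dom0 bridges xenbr0 (LAN) and xenbr1 (WAN),
# firewall domU with eth0 on xenbr0 and eth1 on xenbr1.
# Assumed names: dom0 NICs eth0 (LAN) / eth1 (WAN), dom0 IP 192.168.1.12/24,
# domU "fw", LVM disk /dev/vg0/fw-root, Xen OUI MACs 00:16:3e:00:01:0x.

# dom0 /etc/network/interfaces (Debian ifupdown + bridge-utils).
# xenbr0 carries dom0's own LAN address. xenbr1 is brought up with no
# address at all, so dom0 never talks on the WAN side; only the domU does.
render_dom0_interfaces() {
    lan_if=${1:-eth0}; wan_if=${2:-eth1}; dom0_ip=${3:-192.168.1.12/24}
    cat <<EOF
auto ${lan_if}
iface ${lan_if} inet manual

auto xenbr0
iface xenbr0 inet static
    address ${dom0_ip}
    bridge_ports ${lan_if}
    bridge_stp off
    bridge_fd 0

auto ${wan_if}
iface ${wan_if} inet manual

auto xenbr1
iface xenbr1 inet manual
    bridge_ports ${wan_if}
    bridge_stp off
    bridge_fd 0
    up ip link set dev xenbr1 up
EOF
}

# dom0 sysctl drop-in: dom0 is a bridge, not a router. Keep forwarding off,
# and keep dom0's iptables out of the bridged path unless you mean to
# filter there (br_netfilter would otherwise feed bridged frames to it).
render_dom0_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
EOF
}

# xl config for the firewall domU (PV guest, as in Adam's assumption).
# The vif list order is what gives the guest eth0 = LAN, eth1 = WAN.
# For an HVM-only appliance you would instead set builder = "hvm" and add
# model=e1000 to each vif so the guest sees an emulated NIC.
render_domu_cfg() {
    name=${1:-fw}
    cat <<EOF
name = "${name}"
bootloader = "pygrub"
memory = 512
vcpus = 2
disk = [ "phy:/dev/vg0/${name}-root,xvda,w" ]
vif = [
    "bridge=xenbr0,mac=00:16:3e:00:01:00",
    "bridge=xenbr1,mac=00:16:3e:00:01:01",
]
EOF
}

# Pre-flight check before xl create: first vif must be xenbr0, second
# xenbr1, and the xenbr1 stanza in dom0 must set no address. Returns 0 if ok.
check_layout() {
    ifaces_file=$1; cfg_file=$2
    first=$(grep -o 'bridge=xenbr[01]' "$cfg_file" | sed -n 1p)
    second=$(grep -o 'bridge=xenbr[01]' "$cfg_file" | sed -n 2p)
    [ "$first" = "bridge=xenbr0" ] && [ "$second" = "bridge=xenbr1" ] || return 1
    # inside the "iface xenbr1" stanza (up to the next blank line) no
    # "address" line may appear
    awk '/^iface xenbr1/{s=1;next} /^$/{s=0} s&&/address/{bad=1} END{exit bad}' \
        "$ifaces_file"
}

# Write all three files into a staging directory (a temp dir by default),
# run the check, and print the directory so the files can be diffed and
# copied into /etc and /etc/xen by hand.
stage() {
    dir=${1:-$(mktemp -d)}
    render_dom0_interfaces eth0 eth1 192.168.1.12/24 > "$dir/interfaces"
    render_dom0_sysctl > "$dir/90-xen-bridge.conf"
    render_domu_cfg fw > "$dir/fw.cfg"
    check_layout "$dir/interfaces" "$dir/fw.cfg" && echo "$dir"
}

# Usage: sh xen-fw-stage.sh stage /tmp/xen-fw
case "${1:-}" in stage) stage "${2:-}" ;; esac
```

Inside the domU, eth0 then gets 192.168.1.1/24 and eth1 the external address or PPPoE, and the firewall rules are whatever you would write on a physical two-NIC box; nothing in dom0 needs to know about them. The one dom0-side caveat worth checking after boot is that `ip addr show xenbr1` really shows no address and `sysctl net.ipv4.ip_forward` is 0, otherwise dom0 itself becomes a path around the firewall.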


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users