
Re: [Xen-users] Server with 2 NICs. DomU as Router

If eth0 only gets one IPv4 address, then you'll have to set up forwarding (using sysctl, /etc/network/interfaces, systemd-networkd, or something else) and NAT (using iptables or nftables). Otherwise, if you have IPv6 or multiple addresses, you can probably avoid NAT altogether. Additionally, if this is to act as a gateway to a private sub-network, other applications like dnsmasq, a DHCPd, BIND, radvd, etc. might also be helpful. For that matter, however, you might look into using a ready-to-go distro for your DomU, such as IPCop or pfSense (as long as it supports Xen DomU). I don't want to turn this into a "how to set up a Linux router" tutorial, so I'll leave the full explanation to the Internet.

Moving on to your actual question: computers on the switch will always be able to ping each other, even if vif1/eth1 is not working. I suspect that forwarding is not enabled (sysctl net.ipv4.ip_forward) in the DomU, or the firewall is misconfigured either in the DomU or the Dom0, but I can't say for sure without seeing it (iptables -t {nat,filter} -Lv). Try pinging the address of the router DomU from one of the computers on the switch, and see if (on the Dom0 and DomU) the RX packet count increases using ifconfig, and which firewall rules are being hit using "iptables -Lv".

As an aside, personally I would opt for using the DomU as a driver domain in addition to being a router. If I understand correctly, as it is now, packets have to go from their source DomU or eth1, to the Dom0 (hardware driver), into the router DomU to be routed, then back to the Dom0 to be sent to the physical hardware and finally the internet. With a driver domain, packets originating from eth0 and eth1 will stay inside the router DomU and can be routed directly to the other interface without waking up the Dom0. You can also set the

vif = [ "...,backend=routerDomU" ]

option in your other DomUs to avoid waking up the Dom0 when routing packets to and from them. Driver domains are good for performance this way, and are good for security because the driver runs inside the less-privileged DomU instead of the Dom0 (and you can even air-gap the Dom0 completely if you wish). If you have an IOMMU/VT-d, the physical network card cannot access memory that does not belong to its own DomU, even over DMA.


Quoting John Pearson <johnpearson555@xxxxxxxxx>:

> I have a physical server with two NICs, eth0 and eth1.
>
> I am running Xen 4.4.1 with Debian Jessie.
>
> eth0 is bridged to xenbr0, which receives its IP address, DNS etc. through an upstream DHCP server on a gateway.
>
> eth1 is bridged to xenbr1.
>
> I am creating a Xen VM (DomU) with two virtual interfaces that are bridged to xenbr0 & xenbr1 respectively.
>
> I want to run a router + NAT configuration on that DomU.
>
> I have several computers connected to eth1 through a physical managed switch.
>
> I want computers connected to eth1 to access the internet.
>
> I want other DomU VMs to also use DomU as a router and access the internet.
>
> Gateway <-> eth0 <-> xenbr0 <-> vif0
>
> eth1 <-> xenbr1 <-> vif1 <-> Switch <-> Computers
>
> So far I've created the DomU and IPTables on it so that computers connected to the switch on eth1 are able to ping each other.
>
> I am unable to traverse from the computers connected to the switch on eth1 to the internet.
>
> How do I bridge the traffic from eth1 to eth0?
> Do I need to set up forwarding or IPTables on Dom0?
> How do I set up DomU as the router and gateway for other DomU VMs?
>
> Thanks!


Xen-users mailing list
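An added example, not part of the original message and not Xen project code: a small POSIX shell script that puts the reply's advice into a runnable form for a Linux router DomU. It generates the nftables forwarding/NAT ruleset (nftables is the alternative to iptables the reply mentions), applies it together with the ip_forward sysctl when run as root with "apply", emits the xl "backend=" vif line for other DomUs, and gives a first-pass diagnosis of the two causes the reply suspects for "LAN hosts can ping the router but not the internet". The interface names eth0 (WAN) and eth1 (LAN) follow the thread; the LAN prefix 192.168.1.0/24 and the domain name routerDomU are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumptions: WAN on eth0,
# LAN on eth1, LAN prefix 192.168.1.0/24, router domain named "routerDomU".

# Emit an nftables ruleset for the router DomU. The forward chain defaults
# to drop, so only LAN -> WAN traffic and the replies to it are forwarded;
# masquerade is applied only to LAN sources leaving via the WAN interface.
router_nft_ruleset() {
    wan=$1 lan=$2 lan_cidr=$3
    cat <<EOF
flush ruleset
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "$lan" oifname "$wan" ip saddr $lan_cidr accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$wan" ip saddr $lan_cidr masquerade
    }
}
EOF
}

# Return 0 if IPv4 forwarding is enabled. $1 may point at a file holding the
# value (used by the tests); by default the live kernel setting is read.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# First-pass diagnosis of "LAN can ping the router but not the internet".
# $1: file with the ip_forward value; $2: file with the active ruleset
# (e.g. saved output of `nft list ruleset`). Prints each missing piece and
# returns 1 if anything is missing.
diagnose_router() {
    rc=0
    if ! forwarding_enabled "$1"; then
        echo "forwarding disabled: sysctl -w net.ipv4.ip_forward=1"
        rc=1
    fi
    if ! grep -q 'masquerade' "$2"; then
        echo "no masquerade rule: LAN addresses leave unchanged, replies never come back"
        rc=1
    fi
    return $rc
}

# xl config fragment for another DomU whose vif should be backed directly by
# the router domain, so its traffic never passes through Dom0.
domu_vif_line() {
    printf 'vif = [ "bridge=%s,backend=%s" ]\n' "$1" "$2"
}

# Apply on the router DomU (root only): persist and enable forwarding, load rules.
apply_router() {
    wan=$1 lan=$2 lan_cidr=$3
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-router.conf
    sysctl -w net.ipv4.ip_forward=1
    router_nft_ruleset "$wan" "$lan" "$lan_cidr" | nft -f /dev/stdin
}

case "${1:-}" in
    apply) apply_router eth0 eth1 192.168.1.0/24 ;;
    show)  router_nft_ruleset eth0 eth1 192.168.1.0/24 ;;
esac
```

Run "sh router.sh show" to inspect the generated ruleset before loading it, and "sh router.sh apply" as root inside the router DomU. Other DomUs on xenbr1 are covered by the same iifname "eth1" rule once their vif points at the router domain via domu_vif_line.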