[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Server with 2 NICs. DomU as Router

On 05/18/2016 01:21 PM, John Pearson wrote:

I have it working with this setup:

eth0 connected to WAN

eth1 connected to LAN

domU running as router and devices connected to the server on eth1

I am able to NAT, route packets etc on domU for devices connected to
eth1 and internet/IP works.


Now I am trying to connect dom0 to domU also as client. I would like
dom0 traffic also forwarded domU. Running `brctl show` on dom0 shows this:
bridge name     bridge id                   STP enabled     interfaces
xenbr0          8000.xxxxxxxxxxxxx       no                     vif0

              eth0
xenbr1          8000.xxxxxxxxxxxxx       no                     vif1

              eth1


Since I would like dom0 also another client on domU, I thought creating
vlan on dom0 attached to eth1 and gateway as the router on domU would
help. Like so:
auto eth1.100
iface eth1.100 inet static
        vlan-raw-device eth1
        address 10.20.0.15
        netmask 255.255.255.0
        gateway 10.20.0.1

I also bridge eth1.100 to xenbr1 just like eth1:
auto xenbr1
iface xenbr1 inet manual
bridge_ports eth1 eth1.100

Now when I run `brctl show`, I get eth1.100 just as a another interface
bridged to xenbr1:
bridge name     bridge id                   STP enabled     interfaces
xenbr0          8000.xxxxxxxxxxxxx       no                     vif0

               eth0
xenbr1          8000.xxxxxxxxxxxxx        no                     vif1

               eth1

               eth1.100

Also running ip route shows eth1.100 as the default interafce for dom0,
but when I try to ping 10.20.0.1(router on domU) or try to ping the
outside world by pining 8.8.8.8, I just get timeouts and host unreachable.

How do I setup dom0 as a client to domU just as another interface on
xenbr1, the bridge, so I can route traffic from domU?


Hi John,
I do something similar. In domain0 set up as many bridges as you need. To remind me of what they are I give mine names like WAN, LAN, SND, etc. In my case my domain0 is attached to LAN using a tap device. domain0's IP is on the LAN, *not* on the tap, and domain0's default route is via LAN. Domain0 has no IPs on any of the other bridges.
In your router VM create a vif that is attached to the bridge your domain0's IP is on and in your interfaces file give that vif an IP on the same network as your domain0. That becomes your domain0's gateway IP. e.g. On domain0: ip r a default via ro.ut.er.IP dev LAN.
In domain0 setup your firewall to only accept EST,REL in iptable's filter's INPUT chain. For testing you may also want to allow ICMP. Xen will automatically add the vifs to the FORWARD chain.
With this setup there is no physical ethernet connection to domain0 and nobody can initiate a connection *to* it but it can get out as far as the router. From there everything is controlled by your router's firewall and routing table.
Try not to over think it. Once you have it working with a tap you can use "/sbin/ip" to create whatever type of interface you want or you can use a physical if you need a hardware connection. 

Hope that makes sense,
Mike Wright

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.