My situation:
Running centos5 on a machine directly connected to the internet. I have a paravirtualised centos5 core machine in domU1 with only 1 eth configured, eth0 by DHCP.

What I want:
To configure the dom0 bridge to simply route all traffic at ethernet level to domU1 (firewall/router) and have domU1 then NAT it out to my other domUs and machines on my private 192.168 network using dhcpd configured on eth1 on the machine.

My difficulties:
Setting up the dom0 bridging to do what I want, i.e. xenbr0 to eth0 on domU1 and then xenbr1 to eth1 on domU1.

I then intend to remove / lock dom0 down and only use the domUs as DHCP-configured servers.

There are a couple of URLs I've looked at, http://lists.xensource.com/archives/html/xen-users/2006-02/msg00602.html etc., but there isn't any specific configuration information. Can I get some pointers as to where to look, or even example configs?

thanks

Ronan

(PS: if this is the 3rd such message of mine today I apologise, I can't tell if the other two messages I sent actually did...)

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi Ronan,

do you want to do something like this (see the image)?

After reading a lot of stuff I made a wrapper of network-bridge, that I call network-bridge-wrapper, here it is:

#!/bin/sh
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up

I changed the line in xend-config.sxp that calls network-bridge to call network-bridge-wrapper ...

If you want I can post more info about this config (my domU config files, iptables, ebtables....). I'm using Debian, so... I hope the scripts in CentOS are close to Debian's.

Regards,

Marc

Ronan wrote:
> My situation:
> [...]
Marc
that's exactly what I require...
any of your config would be really helpful!

many thanks in advance!

Ronan

> Hi Ronan,
> [...]
Hi again,

this is the config of xen in my Debian Etch:

/etc/xen/xend-config

(network-script network-bridge-wrapper)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)
(vncpasswd '')
---------------------------------------------------------------------------

/etc/xen/scripts/network-bridge-wrapper

#!/bin/sh
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up
----------------------------------------------------------------------------

the domU (Firewall)

/etc/xen/firewall-config.sxp

name="firewall"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=256
disk=['file:/xen1/firewall.img,hda1,w']

vif=[ 'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0','mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="firewall.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
-------------------------------------------------------------------------------

in this domU (the firewall) I have a bridge between eth1 and eth0, you can do it the CentOS way (inside the domain) ;)

here is the config file of a domU behind the FW:

/etc/xen/domu-config.sxp

name="domu"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=92
disk=['file:/xen1/domu.img,hda1,w']

vif=[ 'bridge=xenbrFW , vifname=domu.eth0' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="domu.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
----------------------------------------------------------------------------------------------------

In the domU (firewall) I have the following iptables config:

#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start

iptables=/sbin/iptables

$iptables -F

$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

# Logs
#$iptables -A INPUT -j LOG --log-prefix="IPTABLES-INPUT: "
#$iptables -A OUTPUT -j LOG --log-prefix="IPTABLES-OUTPUT: "
#$iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "

$iptables -A INPUT -i lo -j ACCEPT

# Traffic control
tc qdisc del dev eth0 parent root
tc qdisc add dev eth0 parent root handle 1:0 htb default 40
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 2mbit
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5mbit

tc qdisc del dev eth1 parent root
tc qdisc add dev eth1 parent root handle 2:0 htb default 40
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 512kbit
tc class add dev eth1 parent 2:1 classid 2:20 htb rate 1mbit
tc class add dev eth1 parent 2:1 classid 2:30 htb rate 2mbit
tc class add dev eth1 parent 2:1 classid 2:40 htb rate 5mbit

$iptables -t mangle -A POSTROUTING -d XX.XX.XX.XX -j CLASSIFY --set-class 2:20
$iptables -t mangle -A POSTROUTING -s XX.XX.XX.XX -j CLASSIFY --set-class 1:20

Substitute XX.XX.XX.XX with your IPs ;)

There is an issue with the traffic control in one direction, the rate is multiplied by 2, I don't know the reason :(, I have tested this tc config with another box without XEN and it works great.

Don't forget to do this:

echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables

see the post "iptables and state matches (established, related)" in this mailing list. You can put it in your sysctl.conf.

So... that's all (I hope :) ) if you need anything else.... tell me

Regards,

Marc

Ronan wrote:
> Marc
> [...]
If you don't have a machine with more than 2 CPUs change the following in the domU config files:

cpu=3 for cpu=0

I have a pretty cool pair of Intel Xeon 5120 :p

Regards,

Marc

Marc Patino Gómez wrote:
> Hi again,
> [...]
Hi Marc,

I saw your recommendation and would like to ask your help in binding my DomU network interface to the physical eth1.
I have 2 physical interfaces on my host: eth0 (connected to Internet) and eth1 (connected to my home 10. network).
I need to be able to have all my DomUs connected to eth1 (or whatever its virtual representation may be).
Any ideas?

Best regards,

-Eugene

On May 3, 2007, at 10:22 AM, Marc Patino Gómez wrote:
> Hi Ronan,
> [...]
Hi Marc,

1 Yes, my DomUs will be in my private network (10.XX.XX.XX)
2 I'm not worried about the FW at this time, just need to be able to connect to all my DomUs over the 10. network
3 Here is what I need:

Dom0 has 2 physical NICs - eth0 and eth1
my default xenbr0 is bound to eth0, which is on the public network (Internet)
The eth1 of the Dom0 is connected to my 10. private network
DomU should be on the 10. private network as well as any other unprivileged domains.

Dom0 : xenbr0->eth0->public Internet
Dom0: eth1->10.0.1.4 private network (this way I could connect to Dom0 from my other computers on the 10.0 network)
DomU (1) eth0 (or whatever is being assigned)->10.0.1.5
DomU (2) eth0 (or whatever is being assigned)->10.0.1.6

Please, let me know if more information can be provided.
Thank you for helping me!

-Eugene

On May 3, 2007, at 11:37 AM, Marc Patino Gómez wrote:
> Hi Yevgeniy,
>
> I'm not sure I understand this scenario, some questions:
>
> 1- your domUs will be in your private network (10.XX.XX.XX)?
> 2- You want your xen box to be a FW of your private net?
> 3- Can you post some kind of scheme of your future network ;)
>
> Regards,
>
> Yevgeniy Goldberg wrote:
>> Hi Marc,
>> [...]
ok I now have a domU with 2 (apparent) ethernet interfaces, which is a good start.

How do I now get all ethernet frames to be passed to eth0 on my firewall domU?

I then will be setting the firewall up with a caching DNS, NAT, and dhcp on its eth1 to serve all the rest of my domUs using private 192.168.

Question though, how should I configure an IP for use by dom0??

Thanks
R

> Marc Patino Gómez wrote:
>> Hi again,
>> [...]
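Ronan's follow-up above asks for NAT, DHCP and caching DNS on the firewall domU's eth1. The ruleset below is an added example written for this thread; it is not Marc's or Ronan's code. Marc's ruleset earlier in the thread uses ACCEPT policies; this one defaults to DROP and opens only the flows the design needs. Everything it assumes is stated in the comments and is not from the original posts: eth0 is the vif on xenbr0 with a DHCP address from the ISP, eth1 is the vif on xenbr1 carrying 192.168.0.0/24, and the firewall domU itself serves dhcpd, DNS and SSH on that side. Setting IPT to a shell function turns it into a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: stateful NAT ruleset for the
# firewall domU in Ronan's layout.  All interface names and addresses below
# are assumptions for illustration, not values taken from the posts.

IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}                       # vif on xenbr0, public side (DHCP)
LAN=${LAN:-eth1}                       # vif on xenbr1, private side
LAN_NET=${LAN_NET:-192.168.0.0/24}     # served by dhcpd on $LAN

apply_rules() {
    # Start from a clean slate in every table.
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done

    # Default deny: only explicitly allowed flows pass.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections this box or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: the flat bridge in dom0 passes every frame from the
    # public side, so drop anything arriving there with a private source.
    $IPT -A INPUT -i $WAN -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP

    # Services the LAN may reach on this box: DHCP, DNS (caching resolver), SSH.
    $IPT -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT

    # The ISP's DHCP server answers on the public vif.
    $IPT -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT

    # LAN -> Internet, NATed behind whatever address $WAN got from DHCP.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE

    # Log (rate limited) what the DROP policies are about to discard.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
}

enable_forwarding() {
    sysctl -q -w net.ipv4.ip_forward=1
    # Reverse-path check backs up the anti-spoof rules above.
    sysctl -q -w net.ipv4.conf.all.rp_filter=1
}

case "${1:-}" in
    start) enable_forwarding; apply_rules ;;
    "")    ;;   # sourced for its functions: do nothing
    *)     echo "usage: $0 start" >&2; exit 1 ;;
esac
```

Run it as `sh iptables-start start` from the same if-pre-up hook Marc uses. Because the anti-spoof DROP rules are appended before the LAN-to-WAN ACCEPT, a packet on eth0 claiming a 192.168.0.x source is discarded before it can match the forwarding rule; the order matters, which is why the dry-run check below verifies it.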
Hi Yevgeniy,

What do you think about the following scheme? I think it is quite simple; I would prefer another scheme a little bit more complex to isolate more. Anyway you can put FW rules at dom0.

If this scheme is quite good for you I can post some config files.

Regards,

Marc

Yevgeniy Goldberg wrote:
> Hi Marc,
>
> 1 Yes, my DomU's will be in my private network (10.XX.XX.XX)
> 2 I'm not worried about the FW at this time, just need to be able
> to connect to all my DomU's over 10. network
> 3 Here is what I need:
>
> Dom0 has 2 physical NICs - eth0 and eth1
> my default xenbr0 is bound to eth0, which is on the public network
> (Internet)
> The eth1 of the Dom0 is connected to my 10. private network
> DomU should be on the 10. private network as well as any other
> unprivileged domains.
>
> Dom0 : xenbr0->eth0->public Internet
> Dom0: eth1->10.0.1.4 private network (this way I could
> connect to Dom0 from my other computers on the 10.0
> network)
> DomU (1) eth0(or what-ever is being assigned)->10.0.1.5
> DomU(2) eth0(or what-ever is being assigned)->10.0.1.6
>
> Please, let me know if more information can be provided.
> Thank you for helping me!
>
> -Eugene
> On May 3, 2007, at 11:37 AM, Marc Patino Gómez wrote:
>
>> Hi Yevgeniy,
>>
>> I'm sure to understand this scenario, some questions:
>>
>> 1- your domU's will be in your private network (10.XX.XX.XX) ?
>> 2- You want your xen box to be a FW of your private net?
>> 3- Can you post some kind of scheme of your future network ;)
>>
>> Regards,
>>
>> Yevgeniy Goldberg wrote:
>>> Hi Marc,
>>>
>>> I saw your recommendation and would like to ask your help in binding
>>> my DomU network interface to the physical eth1
>>> I have 2 physical interfaces on my host: eth0 (connected to
>>> Internet) and eth1 (connected to my home 10. network)
>>> I need to be able to have all my DomU to be connected to the eth1
>>> (or whatever its virtual representation may be)
>>> Any ideas?
>>>
>>> Best regards,
>>>
>>> -Eugene
>>> On May 3, 2007, at 10:22 AM, Marc Patino Gómez wrote:
>>>
>>>> Hi Ronan,
>>>>
>>>> do you want to do something like this (see the image) ?
>>>>
>>>> After reading a lot of stuff I made a wrapper of network-bridge,
>>>> that I call network-bridge-wrapper, here it is:
>>>>
>>>> #!/bin/sh
>>>> /etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
>>>> /usr/sbin/brctl addbr xenbr1
>>>> /sbin/ifconfig xenbr1 up
>>>>
>>>> I changed the line in xend-config.sxp that calls network-bridge to
>>>> call network-bridge-wrapper ...
>>>>
>>>> If you want I can post more info about this config (my domu config
>>>> files, iptables, ebtables....). I'm using Debian, so... I hope
>>>> scripts in CentOS are so close to Debian.
>>>>
>>>> Regards,
>>>>
>>>> Marc
>>>>
>>>> <xen.png>
Hi,

Ronan wrote:
> ok i now have a domu with 2 (apparent) ethernet interfaces, which is a
> good start.

Great!! You can make a bridge with these interfaces, in the debian way you can put something like that in the /etc/network/interfaces:

auto br0
iface br0 inet static
        address 192.168.92.3
        netmask 255.255.255.224
        gateway 192.168.92.1
        bridge_ports eth0 eth1
        bridge_maxwait 0

see CentOS howto make a bridge, or make it manually with "brctl":

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth0
# ifconfig br0 up

> How do i now get all ethernet frames to be passed to eth0 on my firewall
> domu ?

Bridge br0 (on domU FW) will solve it

> I then will be setting the firewall up with a caching DNS , NAT, and
> dhcp on its eth1 to serve all the rest of my domU's using private
> 192.168.
>
> Question though, how should i configure an IP for use by dom0??

I don't understand what you want :(

> Thanks
> R

Regards,

Marc

>> Marc Patino Gómez wrote:
>>> Hi again,
>>>
>>> this is the config of xen in my Debian Etch:
>>>
>>> /etc/xen/xend-config
>>>
>>> (network-script network-bridge-wrapper)
>>> (vif-script vif-bridge)
>>> (dom0-min-mem 196)
>>> (dom0-cpus 0)
>>> (vncpasswd '')
>>> ---------------------------------------------------------------------------
>>>
>>>
>>> /etc/xen/scripts/network-bridge-wrapper
>>>
>>> /etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
>>> /usr/sbin/brctl addbr xenbr1
>>> /sbin/ifconfig xenbr1 up
>>> ----------------------------------------------------------------------------
>>>
>>>
>>> the domu (Firewall)
>>>
>>> /etc/xen/firewall-config.sxp
>>>
>>>
>>> name="firewall"
>>> kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
>>> root="/dev/hda1"
>>> cpu=3
>>> memory=256
>>> disk=['file:/xen1/firewall.img,hda1,w']
>>>
>>> vif=[
>>> 'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0','mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1'
>>> ]
>>> dhcp="off"
>>> ip="XX.XX.XX.XX"
>>> netmask="255.255.255.0"
>>> gateway="XX.XX.XX.XX"
>>> hostname="firewall.domain.com"
>>>
>>> extra="3"
>>>
>>> on_poweroff = 'destroy'
>>> on_reboot = 'restart'
>>> on_crash = 'restart'
>>> -------------------------------------------------------------------------------
>>>
>>>
>>> in this domU (the firewall) I have a bridge between eth1 and eth0,
>>> you can do it in the CentOS way (inside the domain) ;)
>>>
>>>
>>> here is the config file of a domu behind the FW:
>>>
>>> /etc/xen/domu-config.sxp
>>> name="domu"
>>> kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
>>> root="/dev/hda1"
>>> cpu=3
>>> memory=92
>>> disk=['file:/xen1/domu.img,hda1,w']
>>>
>>> vif=[ 'bridge=xenbrFW , vifname=domu.eth0' ]
>>> dhcp="off"
>>> ip="XX.XX.XX.XX"
>>> netmask="255.255.255.0"
>>> gateway="XX.XX.XX.XX"
>>> hostname="domu.domain.com"
>>>
>>> extra="3"
>>>
>>> on_poweroff = 'destroy'
>>> on_reboot = 'restart'
>>> on_crash = 'restart'
>>> ----------------------------------------------------------------------------------------------------
>>>
>>>
>>>
>>> In the domU (firewall) I have the following iptables config:
>>> #!/bin/sh
>>> # /etc/network/if-pre-up.d/iptables-start
>>>
>>> iptables=/sbin/iptables
>>>
>>> $iptables -F
>>>
>>> $iptables -P INPUT ACCEPT
>>> $iptables -P FORWARD ACCEPT
>>> $iptables -P OUTPUT ACCEPT
>>>
>>> # Logs
>>> #$iptables -A INPUT -j LOG --log-prefix="IPTABLES-INPUT: "
>>> #$iptables -A OUTPUT -j LOG --log-prefix="IPTABLES-OUTPUT: "
>>> #$iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "
>>>
>>> $iptables -A INPUT -i lo -j ACCEPT
>>>
>>> # Traffic control
>>> tc qdisc del dev eth0 parent root
>>> tc qdisc add dev eth0 parent root handle 1:0 htb default 40
>>> tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10mbit
>>> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit
>>> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit
>>> tc class add dev eth0 parent 1:1 classid 1:30 htb rate 2mbit
>>> tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5mbit
>>>
>>> tc qdisc del dev eth1 parent root
>>> tc qdisc add dev eth1 parent root handle 2:0 htb default 40
>>> tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10mbit
>>> tc class add dev eth1 parent 2:1 classid 2:10 htb rate 512kbit
>>> tc class add dev eth1 parent 2:1 classid 2:20 htb rate 1mbit
>>> tc class add dev eth1 parent 2:1 classid 2:30 htb rate 2mbit
>>> tc class add dev eth1 parent 2:1 classid 2:40 htb rate 5mbit
>>>
>>> $iptables -t mangle -A POSTROUTING -d XX.XX.XX.XX -j CLASSIFY --set-class 2:20
>>> $iptables -t mangle -A POSTROUTING -s XX.XX.XX.XX -j CLASSIFY --set-class 1:20
>>>
>>>
>>> Substitute XX.XX.XX.XX by your IPs ;)
>>>
>>> There is an issue with the traffic control in one way, the rate is
>>> multiplied by 2, I don't know the reason :(, I have tested this tc
>>> config with another box without XEN and it works great.
>>>
>>> Don't forget to do this:
>>>
>>> echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables
>>>
>>> see the post "iptables and state matches (established, related)" in
>>> this mail list. You can put it in your sysctl.conf.
>>>
>>> So... that's all (I hope :) ) if you need anything else.... tell me
>>>
>>> Regards,
>>>
>>> Marc
Sorry, I made a mistake, to create the bridge:

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ifconfig br0 up

after this, you can verify it:

# brctl show

Marc Patino Gómez wrote:
> Hi,
>
>
> Ronan wrote:
>> ok i now have a domu with 2 (apparent) ethernet interfaces, which is a
>> good start.
> Great!! You can make a bridge with these interfaces, in the debian way
> you can put something like that in the /etc/network/interfaces:
>
> auto br0
> iface br0 inet static
>         address 192.168.92.3
>         netmask 255.255.255.224
>         gateway 192.168.92.1
>         bridge_ports eth0 eth1
>         bridge_maxwait 0
>
> see CentOS howto make a bridge, or make it manually with "brctl":
>
> # brctl addbr br0
> # brctl addif br0 eth0
> # brctl addif br0 eth0
> # ifconfig br0 up
>
>
>> How do i now get all ethernet frames to be passed to eth0 on my firewall
>> domu ?
>
> Bridge br0 (on domU FW) will solve it
>> I then will be setting the firewall up with a caching DNS , NAT, and
>> dhcp on its eth1 to serve all the rest of my domU's using private
>> 192.168.
>>
>> Question though, how should i configure an IP for use by dom0??
> I don't understand what you want :(
>>
>> Thanks
>> R
>>
> Regards,
>
> Marc
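An added verification script (example code, not from the thread or from Marc's setup): it parses `brctl show` output the way Marc suggests for checking the bridge, confirms br0 carries exactly eth0 and eth1 so the duplicate-addif slip above is caught, and checks the bridge-nf-call-iptables setting from his config message. The `brctl show` sample is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the thread): verify a bridge built inside the
# firewall domU the way Marc describes, from `brctl show` output, and check
# that bridged frames are kept out of iptables (bridge-nf-call-iptables = 0).
# Assumes brctl's classic layout: bridge name, id, STP, then interfaces,
# the first on the bridge's own line and the rest one per continuation line.

# Constructed sample of `brctl show` output (whitespace is spaces here; real
# brctl uses tabs, awk treats both the same).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.00163e702102       no              eth0
                                                        eth1
xenbr1          8000.feffffffffff       no              firewall.eth1'

# bridge_ports OUTPUT BRIDGE: print the ports of BRIDGE, one per line.
# Continuation lines carry only an interface name, so remember which
# bridge we are inside while scanning.
bridge_ports() {
    _out="$1"; _br="$2"
    printf '%s\n' "$_out" | awk -v br="$_br" '
        NR == 1 { next }                                   # header line
        NF >= 3 { cur = $1; if (NF == 4 && cur == br) print $4; next }
        NF == 1 && cur == br { print $1 }                  # continuation
    '
}

# check_bridge OUTPUT BRIDGE PORT...: succeed only if BRIDGE exists and its
# port set is exactly PORT... (order independent). Running "addif br0 eth0"
# twice instead of adding eth1 leaves br0 with only eth0, which fails here.
check_bridge() {
    _out="$1"; _br="$2"; shift 2
    _got=$(bridge_ports "$_out" "$_br" | sort)
    _want=$(printf '%s\n' "$@" | sort)
    if [ -z "$_got" ]; then
        echo "$_br: no such bridge or no ports attached" >&2
        return 1
    fi
    if [ "$_got" != "$_want" ]; then
        echo "$_br: ports are [$(printf '%s' "$_got" | tr '\n' ' ')]," \
             "expected [$(printf '%s' "$_want" | tr '\n' ' ')]" >&2
        return 1
    fi
    return 0
}

# check_bridge_nf [FILE]: true when the sysctl reads 0, i.e. frames crossing
# the bridge are not pushed through iptables (Marc's last step). FILE is a
# parameter so the check can be pointed at a copy for testing.
check_bridge_nf() {
    _f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$_f" ]; then
        echo "$_f: not readable (is the bridge module loaded?)" >&2
        return 2
    fi
    [ "$(cat "$_f")" = "0" ]
}

# Stand-alone use: check the live system (needs brctl in the domU).
if [ -n "$LIVE_CHECK" ]; then
    check_bridge "$(brctl show)" br0 eth0 eth1 && check_bridge_nf \
        && echo "br0 and bridge-nf look right"
fi
```

Set LIVE_CHECK=1 to run it against the real `brctl show` output inside the firewall domU; without it the script only defines the functions.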
Ok so for clarity, do i create this bridge in domu (FW) and then dom0 will know that all internet traffic hitting peth0 from my ISP is to be routed to domu FW, and it's there i need to set up nat and dhcpd etc?

thanks

Ronan

> Sorry, I made a mistake, to create the bridge:
>
> # brctl addbr br0
> # brctl addif br0 eth0
> # brctl addif br0 eth1
> # ifconfig br0 up
>
> after this, you can verify it:
>
> # brctl show
>

-- 
Regards
Ronan McGlue
==================
Analyst / Programmer
Queens University Belfast
Marc,

I think this design should work well for me. Please post the config file that implements it. Thanks a lot for helping me!

-Eugene

On May 4, 2007, at 2:18 AM, Marc Patino Gómez wrote:
> Hi Yevgeniy,
>
> What do you think about the following scheme? I think it is quite simple; I would prefer another scheme, a little bit more complex, to isolate more. Anyway you can put FW rules at dom0.
>
> If this scheme is quite good for you I can post some config files.
>
> Regards,
>
> Marc
>
> <xen2.png>
>
> Yevgeniy Goldberg wrote:
>> Hi Marc,
>>
>> 1 Yes, my DomU's will be in my private network (10.XX.XX.XX)
>> 2 I'm not worried about the FW at this time, just need to be able to connect to all my DomU's over the 10. network
>> 3 Here is what I need:
>>
>> Dom0 has 2 physical NICs - eth0 and eth1
>> my default xenbr0 is bound to eth0, which is on the public network (Internet)
>> The eth1 of the Dom0 is connected to my 10. private network
>> DomU should be on the 10. private network as well as any other unprivileged domains.
>>
>> Dom0 : xenbr0->eth0->public Internet
>> Dom0: eth1->10.0.1.4 private network (this way I could connect to Dom0 from my other computers on the 10.0 network)
>> DomU (1) eth0(or what-ever is being assigned)->10.0.1.5
>> DomU(2) eth0(or what-ever is being assigned)->10.0.1.6
>>
>> Please, let me know if more information can be provided.
>> Thank you for helping me!
>>
>> -Eugene
>> On May 3, 2007, at 11:37 AM, Marc Patino Gómez wrote:
>>
>>> Hi Yevgeniy,
>>>
>>> I'm sure to understand this scenario, some questions:
>>>
>>> 1- your domU's will be in your private network (10.XX.XX.XX) ?
>>> 2- You want your xen box to be a FW of your private net?
>>> 3- Can you post some kind of scheme of your future network ;)
>>>
>>> Regards,
>>>
>>> Yevgeniy Goldberg wrote:
>>>> Hi Marc,
>>>>
>>>> I saw your recommendation and would like to ask your help in binding my DomU network interface to the physical eth1
>>>> I have 2 physical interfaces on my host: eth0 (connected to Internet) and eth1 (connected to my home 10. network)
>>>> I need to be able to have all my DomU to be connected to the eth1 (or whatever its virtual representation may be)
>>>> Any ideas?
>>>>
>>>> Best regards,
>>>>
>>>> -Eugene
Hi Yevgeniy,

For this config you must use network-bridge, so your xend-config.sxp must be:

(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 192)
(dom0-cpus 0)

If you have eth0 and eth1 configured in your dom0, if you use Debian:

# vi /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address XX.XX.XX.XX
    netmask 255.255.255.0
    gateway XX.XX.XX.XX

auto eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0

When xend starts up it will create 2 bridges:
xenbr0 (with dom0 eth0 attached)
xenbr1 (with dom0 eth1 attached)

domU config file /etc/xen/domu-config.sxp:

name="domu"
kernel="/boot/vmlinuz-2.6.16.33"
root="/dev/hda1"
cpu=0
memory=192
disk=['file:/xen1/domu.img,hda1,w']

vif=[ 'bridge=xenbr1, vifname=domu.eth0' ]
dhcp="off"
ip="10.0.0.2"
netmask="255.255.255.0"
gateway="10.0.0.1"
hostname="domu.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'

Try this :) and tell me how it works. If something goes wrong, post me the output of ifconfig, brctl show, xm list

I hope it will be useful,

Marc

Yevgeniy Goldberg wrote:
> Marc,
>
> I think this design should work well for me.
> Please post the config file that implements it.
> Thanks a lot for helping me!
>
> -Eugene
Hi Marc,

I have seen two network diagrams of yours passing in the thread already and they both helped me understand Xen networking a lot better.

The first diagram explained how to set up a Xen system with 1 physical NIC, where one domU acts as a firewall for the other domU's. In this scenario, dom0 is connected to the bridge that links to the unsafe net (the "outside" network for the domU firewall).

The second diagram explained how to set up a Xen system with 2 physical NICs, where dom0 acts as a firewall between the two NICs. It is set up with two bridges, one that connects the internet side of the virtual network (first physical NIC and first virtual NIC) and one that connects the LAN side of the virtual network (second physical NIC for the rest of the LAN, second virtual NIC for dom0 and virtual NICs for the different domU's).

Unfortunately, what I am trying to achieve is yet another slight variation. See the attached image.

I would like to set up a system with two physical NICs (peth0 and peth1), where the firewall runs in domU.

For that I would like to set up two Xen bridges.
The first is on the LAN side, and is a typical Xen bridge: one physical NIC, a virtual NIC for dom0 and one for domU.

The second would be on the internet side, but it should NOT have a virtual NIC for dom0, only for domU. The idea is that dom0 should not be accessible from the internet, only from the LAN.

Is such a setup possible? And if yes, how?

Thank you.

Geert Janssens

P.S. In an earlier attempt I tried to eliminate the second bridge altogether by assigning peth1 directly to the domU with PCI back. Unfortunately, I can't seem to get PCI back working correctly on my system, so I'd like to try this alternative approach.
On Sat, May 05 '07 at 16:19, Geert Janssens wrote:
> I would like to setup a system with two physical NICs (peth0 and peth1), where the firewall runs in domU.
> ...
> P.S. in an earlier attempt I tried to eliminate the second bridge altogether by assigning peth1 directly to the domU with PCI back. Unfortunately, I can't seem to get PCI back working correctly on my system, so I'd like to try this alternative approach.

I just wanted to suggest using a "driver domain" with PCI passthrough, but if that does not work for you, why don't you simply build the bridge manually? Not using the xen scripts, like e.g. Debian does it.

Simply create a bridge named xen-br1 including eth1 (don't let xen rename it to peth1). And simply not configure the bridge on the dom0?

As you don't mention your distribution, I've no idea what scripts you need to tweak.

--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2007 Creative Commons, Attribution-ShareAlike 2.0 de
 X  [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
Hi,

Thank you for your suggestion. I never thought of that myself. I will try to figure this out early next week, when I have access to the servers again. My distribution is CentOS 5; maybe you can tell me where I should start looking.

On the other hand, if you could help me with the PCI passthrough problem, I would still prefer that solution. I sent my question last week to this list with message title "PCI Passthrough not working" dated 25-04-07.

Regards,

Geert

On Sunday 6 May 2007 00:36, Goetz Bock wrote:
> I just wanted to suggest using a "driver domain" with PCI passthrough, but if that does not work for you, why don't you simply build the bridge manually? Not using the xen scripts, like e.g. Debian does it.
>
> Simply create a bridge named xen-br1 including eth1 (don't let xen rename it to peth1). And simply not configure the bridge on the dom0?
>
> As you don't mention your distribution, I've no idea what scripts you need to tweak.

--
Kobalt W.I.T.
Web & Information Technology
Brusselsesteenweg 152
1850 Grimbergen
Tel : +32 479 339 655
Email: info@kobaltwit.be
Hi Geert,

your scheme is so cool, I think it is one of the best ways to secure Xen; I use a similar config for one of my Xen servers.
You can do it manually, as Bock told. Normally, I use a wrapper of network-bridge. One question:

In CentOS are xend-config.sxp and network-bridge scripts? In this case I can post the config

Regards,

Marc
Hello, I've some remarks!

2007/5/3, Marc Patino Gómez <mpatino@es.clara.net>:
>
> Hi again,
>
> this is the config of xen in my Debian Etch:
>
> /etc/xen/xend-config
>
> (network-script network-bridge-wrapper)
> (vif-script vif-bridge)
> (dom0-min-mem 196)
> (dom0-cpus 0)
> (vncpasswd '')
>
> ---------------------------------------------------------------------------
>
> /etc/xen/scripts/network-bridge-wrapper
>
> /etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
> /usr/sbin/brctl addbr xenbr1
> /sbin/ifconfig xenbr1 up
>
> ----------------------------------------------------------------------------
>
> the domu (Firewall)
>
> /etc/xen/firewall-config.sxp
>
> name="firewall"
> kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
> root="/dev/hda1"
> cpu=3
> memory=256
> disk=['file:/xen1/firewall.img,hda1,w']
>
> vif=[
>     'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0',
>     'mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1'
> ]
> dhcp="off"
> ip="XX.XX.XX.XX"
> netmask="255.255.255.0"
> gateway="XX.XX.XX.XX"

In my mind there is a problem here, because you define one ip="XX.XX.XX.XX" but you define two vifs... So where is this ip allocated? vifname=firewall or vifname=firewall.eth1?

> hostname="firewall.domain.com"
>
> extra="3"
>
> on_poweroff = 'destroy'
> on_reboot = 'restart'
> on_crash = 'restart'
>
> -------------------------------------------------------------------------------
>
> in this domU (the firewall) I have a bridge between eth1 and eth0, you can do it the CentOS way (inside the domain) ;)
>
> here is the config file of a domu behind the FW:
>
> /etc/xen/domu-config.sxp
> name="domu"
> kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
> root="/dev/hda1"
> cpu=3
> memory=92
> disk=['file:/xen1/domu.img,hda1,w']
>
> vif=[ 'bridge=xenbrFW , vifname=domu.eth0' ]
> dhcp="off"
> ip="XX.XX.XX.XX"

Here it's good! One ip for one vif!

> netmask="255.255.255.0"
> gateway="XX.XX.XX.XX"
> hostname="domu.domain.com"
>
> extra="3"
>
> on_poweroff = 'destroy'
> on_reboot = 'restart'
> on_crash = 'restart'
>
> ----------------------------------------------------------------------------------------------------
Sorry for this double post. It was sent from the wrong e-mail address, which I realised just too late. You can ignore it and comment on the original post if you like instead.

Again, sorry.

Geert
Hi Marc,

I don't want to rush you, but have you found some time already to look at the config that would match my scheme?

Thank you.

Geert

On Monday 7 May 2007 09:45, Marc Patino Gómez wrote:
> Hi Geert,
>
> your scheme is so cool, I think it is one of the best ways to secure Xen; I use a similar config for one of my Xen servers.
> You can do it manually, as Bock told. Normally, I use a wrapper of network-bridge. One question:
>
> In CentOS are xend-config.sxp and network-bridge scripts? In this case I can post the config
>
> Regards,
>
> Marc
I had some time today to experiment and I have found the configuration setup for my own diagram. I have worked with the available scripts as much as possible, because I believe that will cause the least administration headaches later on. On the other hand, it's not perfect either, because the NIC connected to the internet in dom0 is up for a few seconds during boot time. This may be a security risk, I don't know for sure.

I'll just post it here for others interested in it. Remember my setup is in CentOS 5 both in dom0 and domU. I have reattached the diagram for this to be a complete message.

Note: for this setup you will need a server with two physical network interfaces, both detected in dom0.
peth0 will be connected to the LAN
peth1 will be connected to the internet

Step 1.
-------
In dom0, configure eth0 as you like (fixed IP or dhcp, whatever suits you) and have it start at boot. Configure eth1 to NOT start at boot. I have given eth1 an invalid address (meaning one that is not in any of my networks) to cope with the few seconds of uptime.

Step 2.
-------
Set up a domU. Relevant information can be found in this mailing list and in examples provided with xen. The only relevant part for this specific setup is to have two virtual network interfaces that will both be attached to a separate bridge:

vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:04, bridge=xenbr1' ]

Step 3.
-------
Create a wrapper script for network-bridge. I have called this "network-bridge-wrapper", and it's stored in /etc/xen/scripts.

#!/bin/sh
# $1 is the action xend passes in (start/stop/status); one bridge per vifnum
/etc/xen/scripts/network-bridge "$1" vifnum=0
/etc/xen/scripts/network-bridge "$1" vifnum=1
# take dom0's own interface off the internet-side bridge
ifdown eth1

This script is pretty simple: it just calls network-bridge twice with its own command (start/stop/status) and with two different vifnums. Using the parameter that is normally passed to network-bridge (start/stop/status) helps with compatibility. The different vifnums ensure that two bridges are set up. Then dom0's virtual interface eth1 will be shut down.

When dom0 is started, this wrapper will create xenbr0 and xenbr1. xenbr0 will contain eth0 and peth0 (for the LAN side), and xenbr1 will be set up with eth1 and peth0, although eth1 is shut down immediately in the next command. This will keep the bridge but with only the physical NIC in it. At this point, no network traffic can reach dom0 via peth1 (the internet).

The time it takes the server to set up xenbr1 and shut down eth1, dom0 IS reachable via peth1. It's a very short timeframe though. I think most setups have a similar short opening between bringing up the NIC and the firewall.

Step 4.
-------
Edit /etc/xen/xend-config.sxp, and replace network-bridge with network-bridge-wrapper

Step 5.
-------
Start the domU (xm create ...).

That's it.

Regards,

Geert
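A post-boot check for the layout Marc's two-bridge config and Geert's wrapper describe, added here as an example that is not part of the thread: it parses `brctl show` and `ip -o link show` output to confirm that the internet-side bridge holds only the physical NIC and domU vifs, and that dom0's own interface on that side is down. Bridge and interface names follow Geert's layout (xenbr1, peth1, eth1); the sample outputs and the helper names (bridge_members, check_bridge_isolation, iface_is_down) are constructed for the example.

```sh
#!/bin/sh
# Added verification script (not from the thread) for the "dom0 has no
# interface on the internet-side bridge" layout. It checks the output of
# `brctl show` and `ip -o link show`, which are passed on stdin so the
# functions can be tested against the constructed samples below.

# Constructed sample of `brctl show`: dom0 is on xenbr0 (LAN side) via
# vif0.0, while xenbr1 (internet side) holds only peth1 and the domU vif.
BRCTL_GOOD='bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              peth0
                                                        vif0.0
                                                        vif1.0
xenbr1          8000.feffffffffff       no              peth1
                                                        vif1.1'

# Constructed sample where dom0's eth1 was never taken off the bridge:
# its vif0.1 sits on the internet-side bridge.
BRCTL_LEAK='bridge name     bridge id               STP enabled     interfaces
xenbr1          8000.feffffffffff       no              peth1
                                                        vif0.1
                                                        vif1.1'

# Constructed `ip -o link show` lines for dom0's eth1, down and up.
IPLINK_DOWN='3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000\    link/ether aa:cc:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
IPLINK_UP='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000\    link/ether aa:cc:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# bridge_members BRIDGE: reads `brctl show` output on stdin and prints the
# ports attached to BRIDGE, one per line.
bridge_members() {
    awk -v br="$1" '
        NR == 1 { next }                 # column header
        NF >= 3 { cur = $1 }             # first row of a bridge names it
        NF >= 4 { port = $4 }            # ... and carries its first port
        NF == 1 { port = $1 }            # continuation rows: one port each
        cur == br && port != "" { print port }
        { port = "" }
    '
}

# check_bridge_isolation BRIDGE PHYS_NIC: reads `brctl show` output on stdin.
# Returns 0 when every port is PHYS_NIC or a domU vif (vifN.M with N != 0);
# returns 1 when a dom0-side port (vif0.M, ethM, vethM) or an unknown port
# is attached, or when PHYS_NIC itself is missing from the bridge.
check_bridge_isolation() {
    br="$1"; phys="$2"; rc=0; found_phys=0
    for port in $(bridge_members "$br"); do
        case "$port" in
            "$phys")           found_phys=1 ;;
            vif0.*|eth*|veth*) echo "FAIL: dom0 interface $port is on $br" >&2; rc=1 ;;
            vif[1-9]*.*)       ;;        # domU vif: expected on this bridge
            *)                 echo "FAIL: unexpected port $port on $br" >&2; rc=1 ;;
        esac
    done
    [ "$found_phys" -eq 1 ] || { echo "FAIL: $phys is not on $br" >&2; rc=1; }
    return "$rc"
}

# iface_is_down IFACE: reads `ip -o link show` output on stdin. Returns 0
# when IFACE is listed and its flag set lacks UP (administratively down).
iface_is_down() {
    awk -v ifc="$1" '
        $2 == (ifc ":") { found = 1; if ($3 ~ /[<,]UP[,>]/) up = 1 }
        END { if (found && !up) exit 0; exit 1 }
    '
}

# Run the checks against the samples. On a real dom0 use
#   brctl show | check_bridge_isolation xenbr1 peth1
#   ip -o link show | iface_is_down eth1
main() {
    printf '%s\n' "$BRCTL_GOOD" | check_bridge_isolation xenbr1 peth1 \
        && echo "xenbr1: only peth1 and domU vifs attached"
    printf '%s\n' "$BRCTL_GOOD" | check_bridge_isolation xenbr0 peth0 \
        || echo "xenbr0: dom0 is attached, as intended for the LAN side"
    printf '%s\n' "$BRCTL_LEAK" | check_bridge_isolation xenbr1 peth1 \
        || echo "xenbr1: dom0 is reachable from the internet side"
    printf '%s\n' "$IPLINK_DOWN" | iface_is_down eth1 && echo "eth1: down"
}

main
```

Running it on the dom0 after every boot (or from the wrapper itself, after the `ifdown`) turns Geert's "only the physical NIC in it" expectation into something that fails loudly when a script change puts dom0 back on the internet-side bridge.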