Xen users - Jun 2011 - Xen 4.0 Bridged Networking MAC Rewrite?

Hello,

I currently am working in an environment with 3 NIC operating in bridged
mode with XEN.
The two cards configured with static ip addressing are working properly
in XEN DomU guests, and Dom0.

However, there is one interface that connects upstream to my ISP, which
has IP addressing based on DHCP.
The DomU in question has all three network cards bridged to it, and two
of them work, but the the WAN uplink does not.

`brctl show` on the Dom0 shows that the DomU is connected to the correct
bridge.

Is it possible to rewrite the MAC address on Dom0 to a MAC address that
the ISP would assign an IP too (I''m assuming it''s rejecting
the XEN MAC
at this point)?

XEN 4.0.1 / Debian Squeeze

# xm info
host                   : WLN-SRV-ASUSP5QLP
release                : 2.6.32-5-xen-amd64
version                : #1 SMP Thu May 19 01:16:47 UTC 2011
machine                : x86_64
nr_cpus                : 2
nr_nodes               : 1
cores_per_socket       : 2
threads_per_core       : 1
cpu_mhz                : 2533
hw_caps                :
bfebfbff:20100800:00000000:00000940:0008e39d:00000000:00000001:00000000
virt_caps              : 
total_memory           : 6143
free_memory            : 2360
node_to_cpu            : node0:0-1
node_to_memory         : node0:2360
node_to_dma32_mem      : node0:2360
max_node_id            : 0
xen_major              : 4
xen_minor              : 0
xen_extra              : .1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p 
xen_scheduler          : credit
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : unavailable
xen_commandline        : placeholder dom0_mem=256M
cc_compiler            : gcc version 4.4.5 (Debian 4.4.5-10) 
cc_compile_by          : waldi
cc_compile_domain      : debian.org
cc_compile_date        : Wed Jan 12 14:04:06 UTC 2011
xend_config_format     : 4


# cat /etc/xen/demo.cfg 

#
# Configuration file for the Xen instance demo, created
# by xen-tools 4.2 on Sun Jun  5 00:52:44 2011.
#

#
#  Kernel + memory size
#


bootloader = ''/usr/lib/xen-default/bin/pygrub''

vcpus       = ''1''
memory      = ''128''

#
#  Disk device(s).
#
root        = ''/dev/xvda2 ro''
disk        = [
                  ''phy:/dev/crmd2-vg/demo-disk,xvda2,w'',
                  ''phy:/dev/crmd2-vg/demo-swap,xvda1,w'',
              ]


#
#  Physical volumes
#


#
#  Hostname
#
name        = ''demo''

#
#  Networking
#
vif         = [
''bridge=br1,ip=172.16.91.1,mac=00:16:3E:DD:D2:4A'',
''bridge=br0,mac=00:16:3E:DD:E2:4C'',
''bridge=br2,ip=172.24.91.1,mac=00:16:3E:DD:D2:4B'' ]

#
#  Behaviour
#
on_poweroff = ''destroy''
on_reboot   = ''restart''
on_crash    = ''restart''



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Thu, Jun 9, 2011 at 2:08 PM, Andrew Sorensen <andrewx192@gmail.com>
wrote:
> Hello,
>
> I currently am working in an environment with 3 NIC operating in bridged
> mode with XEN.
> The two cards configured with static ip addressing are working properly in
> XEN DomU guests, and Dom0.
>
> However, there is one interface that connects upstream to my ISP, which has
> IP addressing based on DHCP.
> The DomU in question has all three network cards bridged to it, and two of
> them work, but the the WAN uplink does not.
>
> `brctl show` on the Dom0 shows that the DomU is connected to the correct
> bridge.
>
> Is it possible to rewrite the MAC address on Dom0 to a MAC address that the
> ISP would assign an IP too (I''m assuming it''s rejecting
the XEN MAC at this
> point)?
Why don''t you just change mac setting on domU''s config file
(the vif line)?

The closest thing to MAC rewrite in domU is either ebtables nat or
proxy arp, both are standard Linux mechanism (e.g. not xen-specific)
and are more complex compared to just editing domU''s config file.

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Please keep replies to the list as well.

On Thu, Jun 9, 2011 at 2:19 PM, Andrew Sorensen <andrewx192@gmail.com>
wrote:
>> > Is it possible to rewrite the MAC address on Dom0 to a MAC address
that the
>> > ISP would assign an IP too (I''m assuming it''s
rejecting the XEN MAC at this
>> > point)?
>>
>> Why don''t you just change mac setting on domU''s
config file (the vif line)?
>>
>> The closest thing to MAC rewrite in domU is either ebtables nat or
>> proxy arp, both are standard Linux mechanism (e.g. not xen-specific)
>> and are more complex compared to just editing domU''s config
file.
>>
> I already tried changing the MAC address in the vif line, but did not
> have any better results.
Then changing it to some other mac won''t work either.
> I also read that the mac address specified in a
> vif line must start with the XEN prefix, so I figured it was bad
> practice.
Where is that written? You should be able to put any mac you want
(well, any mac valid for a NIC anyway), so you could impersonate (e.g)
a Cisco router if you want.

The recommendation to use xen prefix is more of a best-practice to
prefent mac address conflict.

At this point I highly suggest you ask your ISP. Probably they only
allow one IP address on that port. If they don''t know, then I guess
the best option would be to look at ebtables.

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Fajar A. Nugraha wrote:
>Where is that written? You should be able to put any mac you want
>(well, any mac valid for a NIC anyway), so you could impersonate (e.g)
>a Cisco router if you want.
>
>The recommendation to use xen prefix is more of a best-practice to
>prefent mac address conflict.
Indeed, and I know someone who''s had a MAC address conflict which was 
apparently "quite interesting" ! This was in a University and they 
had a desktop refresh - it seems Dell had an "off by one" bug in 
their config system and for every 257 machines, there would be two 
with the same MAC. Of course, this would only show up if someone 
bought sufficiently large numbers all in one go ...

If you stick to using the Xen prefix, it just means you that you can 
only conflict with other Xen VMs - thus narrowing the target a bit.
>At this point I highly suggest you ask your ISP. Probably they only
>allow one IP address on that port. If they don''t know, then I guess
>the best option would be to look at ebtables.
I believe they vary considerably. Some may require you to register 
the (singular) MAC address that you''ll be connecting. I believe most 
common is that (as you say) you''ll be limited to one IP address (or 
more if you''ve paid for them). But, this is usually given out by DHCP 
or similar, and the address cannot be reissued to another device 
until the previous lease expires. You can either wait (a problem if 
the lease tiem is in hours or days), or you may have to get your ISP 
to reset the lease.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Thu, 2011-06-09 at 08:53 +0100, Simon Hobson wrote:
> Fajar A. Nugraha wrote:
> 
> >Where is that written? You should be able to put any mac you want
> >(well, any mac valid for a NIC anyway), so you could impersonate (e.g)
> >a Cisco router if you want.
> >
> >The recommendation to use xen prefix is more of a best-practice to
> >prefent mac address conflict.
> 
> Indeed, and I know someone who''s had a MAC address conflict which
was
> apparently "quite interesting" ! This was in a University and
they
> had a desktop refresh - it seems Dell had an "off by one" bug in 
> their config system and for every 257 machines, there would be two 
> with the same MAC. Of course, this would only show up if someone 
> bought sufficiently large numbers all in one go ...
> 
> If you stick to using the Xen prefix, it just means you that you can 
> only conflict with other Xen VMs - thus narrowing the target a bit.
> 
> >At this point I highly suggest you ask your ISP. Probably they only
> >allow one IP address on that port. If they don''t know, then I
guess
> >the best option would be to look at ebtables.
> 
> I believe they vary considerably. Some may require you to register 
> the (singular) MAC address that you''ll be connecting. I believe
most
> common is that (as you say) you''ll be limited to one IP address
(or
> more if you''ve paid for them). But, this is usually given out by
DHCP
> or similar, and the address cannot be reissued to another device 
> until the previous lease expires. You can either wait (a problem if 
> the lease tiem is in hours or days), or you may have to get your ISP 
> to reset the lease.
It turns out my issue was a simple need to restart my modem. Everything
started working as expected after a reboot!


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users