Andrew Sorensen
2011-Jun-19 07:38 UTC
[Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
Hello,

Are there any good alternatives to the network-nat script on Debian Squeeze? I have tried using (network-script network-nat) and (vif-script vif-nat), but I end up with an error message like

Error: Device 1 (vif) could not be connected. ip addr add 10.0.1.259 dev vif4.1 failed

with configuration file directive

vif =[ 'script=vif-nat,ip=10.0.1.132' ]

I need Internet access for my DomU's but I cannot assign each one a public IP address due to limited addressing.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Andrew Sorensen
2011-Jun-19 18:20 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
Todd Deshane
2011-Jun-20 00:59 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
On Sun, Jun 19, 2011 at 2:20 PM, Andrew Sorensen <andrewx192@gmail.com> wrote:
> ----- Original message -----
>>
>> --- On Sun, 6/19/11, Andrew Sorensen <andrewx192@gmail.com> wrote:
>>
>> > From: Andrew Sorensen <andrewx192@gmail.com>
>> > Subject: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
>> > To: xen-users@lists.xensource.com
>> > Date: Sunday, June 19, 2011, 12:38 AM
>> >
>> > Hello,
>> >
>> > Are there any good alternatives to the network-nat script on Debian
>> > Squeeze? I have tried using (network-script network-nat) and
>> > (vif-script vif-nat), but I end up with an error message like
>> >
>> > Error: Device 1 (vif) could not be connected. ip addr add 10.0.1.259 dev vif4.1 failed
>> >
>> > with configuration file directive
>> >
>> > vif =[ 'script=vif-nat,ip=10.0.1.132' ]
>> >
>> > I need Internet access for my DomU's but I cannot assign each one a
>> > public IP address due to limited addressing.
>>
>> If using xen < 4.1, then it should work with this network
>>
>> network 10.0.0.0
>> gateway 10.0.0.254
>>
>> Whatever ip you pass to vif needs a static setup in the guest.
>>
>> --
>> Mark
>
> Right, but I cannot even start the DomU because of that error.
> Should I go about creating a vlan on the host and bridge to the vlan behind
> NAT? I'm not sure how best to do that.
>

I'm wondering if we should consider using a QEMU-like approach for NAT on Xen going forward?

Something like:
http://wiki.qemu.org/Documentation/Networking/NAT

Thoughts?

Thanks,
Todd

--
Todd Deshane
http://www.linkedin.com/in/deshantm
http://www.xen.org/products/cloudxen.html
http://runningxen.com/
Andrew Sorensen
2011-Jun-20 02:02 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
Fajar A. Nugraha
2011-Jun-20 03:37 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
On Mon, Jun 20, 2011 at 7:59 AM, Todd Deshane <todd.deshane@xen.org> wrote:
> On Sun, Jun 19, 2011 at 2:20 PM, Andrew Sorensen <andrewx192@gmail.com> wrote:
>>> > Hello,
>>> >
>>> > Are there any good alternatives to the network-nat script on Debian
>>> > Squeeze?

> I'm wondering if we should consider using a QEMU-like approach for
> NAT on Xen going forward?
>
> Something like:
> http://wiki.qemu.org/Documentation/Networking/NAT
>
> Thoughts?

Todd: Is this the same one used by libvirt with virbr0? Using something common would be nice, as it means NAT-networking can be treated the same way as bridge networking from Xen's perspective.

Andrew: try installing virt-manager (or perhaps libvirt-bin is enough). It should create a bridge called virbr0, which you can use on domU config file (add "bridge" section to vif line).

--
Fajar
Andrew Sorensen
2011-Jun-20 04:11 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
----- Original message -----
> On Mon, Jun 20, 2011 at 7:59 AM, Todd Deshane <todd.deshane@xen.org> wrote:
> > On Sun, Jun 19, 2011 at 2:20 PM, Andrew Sorensen <andrewx192@gmail.com> wrote:
> > > > > Hello,
> > > > >
> > > > > Are there any good alternatives to the network-nat script on Debian
> > > > > Squeeze?
> >
> > I'm wondering if we should consider using a QEMU-like approach for
> > NAT on Xen going forward?
> >
> > Something like:
> > http://wiki.qemu.org/Documentation/Networking/NAT
> >
> > Thoughts?
>
> Todd: Is this the same one used by libvirt with virbr0? Using
> something common would be nice, as it means NAT-networking can be
> treated the same way as bridge networking from Xen's perspective.
>
> Andrew: try installing virt-manager (or perhaps libvirt-bin is
> enough). It should create a bridge called virbr0, which you can use on
> domU config file (add "bridge" section to vif line).
>
> --
> Fajar

I already have bridged networking working, but would like to add NAT to my setup. I'd rather stay away from libvirt as it has caused problems in the past. I don't see the need to have libvirt to accomplish my requirements.
Fajar A. Nugraha
2011-Jun-20 04:24 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
On Mon, Jun 20, 2011 at 11:11 AM, Andrew Sorensen <andrewx192@gmail.com> wrote:
>>
>> Todd: Is this the same one used by libvirt with virbr0? Using
>> something common would be nice, as it means NAT-networking can be
>> treated the same way as bridge networking from Xen's perspective.
>>
>> Andrew: try installing virt-manager (or perhaps libvirt-bin is
>> enough). It should create a bridge called virbr0, which you can use on
>> domU config file (add "bridge" section to vif line).
>>
>> --
>> Fajar

> I already have bridged networking working, but would like to add NAT to my
> setup. I'd rather stay away from libvirt as it has caused problems in the
> past. I don't see the need to have libvirt to accomplish my requirements.

libvirt simply makes it easier to setup virbr0. If you don't use virt-manager/virt-install, then basically it's all libvirt does: create virbr0.

If you're familiar enough with manual bridge and NAT setup, you could just create it manually, which would involve:
- create a bridge which is not connected to any physical host
- create NAT MASQUERADE rule for any traffic coming from that bridge
- (optional) run dnsmasq to provide DHCP and DNS

With that kind of setup (either manual or created by libvirt) you can simply use bridge networking in Xen as usual, and it doesn't matter whether your uplink is already bridged or not. And the same bridge+NAT setup can be used for other virtualization setup as well (For example, I'm using libvirt to create a bridge on my VirtualBox setup, which VirtualBox uses later as bridged networking)

--
Fajar
Andrew Sorensen
2011-Jun-20 04:47 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
On Mon, 2011-06-20 at 11:24 +0700, Fajar A. Nugraha wrote:
> On Mon, Jun 20, 2011 at 11:11 AM, Andrew Sorensen <andrewx192@gmail.com> wrote:
> >>
> >> Todd: Is this the same one used by libvirt with virbr0? Using
> >> something common would be nice, as it means NAT-networking can be
> >> treated the same way as bridge networking from Xen's perspective.
> >>
> >> Andrew: try installing virt-manager (or perhaps libvirt-bin is
> >> enough). It should create a bridge called virbr0, which you can use on
> >> domU config file (add "bridge" section to vif line).
> >>
> >> --
> >> Fajar
>
> > I already have bridged networking working, but would like to add NAT to my
> > setup. I'd rather stay away from libvirt as it has caused problems in the
> > past. I don't see the need to have libvirt to accomplish my requirements.
>
> libvirt simply makes it easier to setup virbr0. If you don't use
> virt-manager/virt-install, then basically it's all libvirt does:
> create virbr0.
>
> If you're familiar enough with manual bridge and NAT setup, you could
> just create it manually, which would involve:
> - create a bridge which is not connected to any physical host
> - create NAT MASQUERADE rule for any traffic coming from that bridge
> - (optional) run dnsmasq to provide DHCP and DNS
>
> With that kind of setup (either manual or created by libvirt) you can
> simply use bridge networking in Xen as usual, and it doesn't matter
> whether your uplink is already bridged or not. And the same bridge+NAT
> setup can be used for other virtualization setup as well (For example,
> I'm using libvirt to create a bridge on my VirtualBox setup, which
> VirtualBox uses later as bridged networking)
>

That was what I was trying to do. If you visit http://wiki.qemu.org/Documentation/Networking/NAT and take a look at that script at the bottom, it creates a bridged interface and takes in a parameter to add to the NAT bridge. I'm not sure what I would need to modify in that script to create the NAT MASQUERADE rule.
Fajar A. Nugraha
2011-Jun-20 04:52 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
On Mon, Jun 20, 2011 at 11:47 AM, Andrew Sorensen <andrewx192@gmail.com> wrote:
> On Mon, 2011-06-20 at 11:24 +0700, Fajar A. Nugraha wrote:
>> On Mon, Jun 20, 2011 at 11:11 AM, Andrew Sorensen <andrewx192@gmail.com> wrote:
>> >>
>> >> Todd: Is this the same one used by libvirt with virbr0? Using
>> >> something common would be nice, as it means NAT-networking can be
>> >> treated the same way as bridge networking from Xen's perspective.
>> >>
>> >> Andrew: try installing virt-manager (or perhaps libvirt-bin is
>> >> enough). It should create a bridge called virbr0, which you can use on
>> >> domU config file (add "bridge" section to vif line).
>> >>
>> >> --
>> >> Fajar
>>
>> > I already have bridged networking working, but would like to add NAT to my
>> > setup. I'd rather stay away from libvirt as it has caused problems in the
>> > past. I don't see the need to have libvirt to accomplish my requirements.
>>
>> libvirt simply makes it easier to setup virbr0. If you don't use
>> virt-manager/virt-install, then basically it's all libvirt does:
>> create virbr0.
>>
>> If you're familiar enough with manual bridge and NAT setup, you could
>> just create it manually, which would involve:
>> - create a bridge which is not connected to any physical host
>> - create NAT MASQUERADE rule for any traffic coming from that bridge
>> - (optional) run dnsmasq to provide DHCP and DNS
>>
>> With that kind of setup (either manual or created by libvirt) you can
>> simply use bridge networking in Xen as usual, and it doesn't matter
>> whether your uplink is already bridged or not. And the same bridge+NAT
>> setup can be used for other virtualization setup as well (For example,
>> I'm using libvirt to create a bridge on my VirtualBox setup, which
>> VirtualBox uses later as bridged networking)
>>
> That was what I was trying to do. If you visit
> http://wiki.qemu.org/Documentation/Networking/NAT and take a look at
> that script at the bottom, it creates a bridged interface and takes in a
> parameter to add to the NAT bridge. I'm not sure what I would need to
> modify in that script to create the NAT MASQUERADE rule.

... and what I've been trying to say is that you don't have to use that script. Not if it gives you more trouble.

Instead, I suggest you split it into two separate processes:
(1) Creation of the bridge with NAT support
(2) Adding domU's vif to that bridge

For (1) Can be done with either libvirt or setup manually.
For (2), you can simply use Xen's existing bridge script. No need to create additional network script.

--
Fajar
Andrew Sorensen
2011-Jun-20 05:12 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
On Mon, 2011-06-20 at 11:52 +0700, Fajar A. Nugraha wrote:
> On Mon, Jun 20, 2011 at 11:47 AM, Andrew Sorensen <andrewx192@gmail.com> wrote:
> > On Mon, 2011-06-20 at 11:24 +0700, Fajar A. Nugraha wrote:
> >> On Mon, Jun 20, 2011 at 11:11 AM, Andrew Sorensen <andrewx192@gmail.com> wrote:
> >> >>
> >> >> Todd: Is this the same one used by libvirt with virbr0? Using
> >> >> something common would be nice, as it means NAT-networking can be
> >> >> treated the same way as bridge networking from Xen's perspective.
> >> >>
> >> >> Andrew: try installing virt-manager (or perhaps libvirt-bin is
> >> >> enough). It should create a bridge called virbr0, which you can use on
> >> >> domU config file (add "bridge" section to vif line).
> >> >>
> >> >> --
> >> >> Fajar
> >>
> >> > I already have bridged networking working, but would like to add NAT to my
> >> > setup. I'd rather stay away from libvirt as it has caused problems in the
> >> > past. I don't see the need to have libvirt to accomplish my requirements.
> >>
> >> libvirt simply makes it easier to setup virbr0. If you don't use
> >> virt-manager/virt-install, then basically it's all libvirt does:
> >> create virbr0.
> >>
> >> If you're familiar enough with manual bridge and NAT setup, you could
> >> just create it manually, which would involve:
> >> - create a bridge which is not connected to any physical host
> >> - create NAT MASQUERADE rule for any traffic coming from that bridge
> >> - (optional) run dnsmasq to provide DHCP and DNS
> >>
> >> With that kind of setup (either manual or created by libvirt) you can
> >> simply use bridge networking in Xen as usual, and it doesn't matter
> >> whether your uplink is already bridged or not. And the same bridge+NAT
> >> setup can be used for other virtualization setup as well (For example,
> >> I'm using libvirt to create a bridge on my VirtualBox setup, which
> >> VirtualBox uses later as bridged networking)
> >>
> > That was what I was trying to do. If you visit
> > http://wiki.qemu.org/Documentation/Networking/NAT and take a look at
> > that script at the bottom, it creates a bridged interface and takes in a
> > parameter to add to the NAT bridge. I'm not sure what I would need to
> > modify in that script to create the NAT MASQUERADE rule.
>
> ... and what I've been trying to say is that you don't have to use
> that script. Not if it gives you more trouble.
>
> Instead, I suggest you split it into two separate processes:
> (1) Creation of the bridge with NAT support
> (2) Adding domU's vif to that bridge
>
> For (1) Can be done with either libvirt or setup manually.
> For (2), you can simply use Xen's existing bridge script. No need to
> create additional network script.
>

For (1), How would I go about setting it up manually?

For (2), When you refer to "bridge script" are you referring to 'vif-script' or 'network-script'?
Currently I am using a statement like 'bridge=br1,mac=xxxxxxxx,ip=xx.xx.xx.xx', which is working out fine for my "true" bridged network.
Fajar A. Nugraha
2011-Jun-20 06:31 UTC
Re: [Xen-users] Alternative to network-nat on Debian Squeeze with XEN4?
On Mon, Jun 20, 2011 at 12:12 PM, Andrew Sorensen <andrewx192@gmail.com> wrote:
>> >> With that kind of setup (either manual or created by libvirt) you can
>> >> simply use bridge networking in Xen as usual, and it doesn't matter
>> >> whether your uplink is already bridged or not. And the same bridge+NAT
>> >> setup can be used for other virtualization setup as well (For example,
>> >> I'm using libvirt to create a bridge on my VirtualBox setup, which
>> >> VirtualBox uses later as bridged networking)
>> >>
>> > That was what I was trying to do. If you visit
>> > http://wiki.qemu.org/Documentation/Networking/NAT and take a look at
>> > that script at the bottom, it creates a bridged interface and takes in a
>> > parameter to add to the NAT bridge. I'm not sure what I would need to
>> > modify in that script to create the NAT MASQUERADE rule.
>>
>> ... and what I've been trying to say is that you don't have to use
>> that script. Not if it gives you more trouble.
>>
>> Instead, I suggest you split it into two separate processes:
>> (1) Creation of the bridge with NAT support
>> (2) Adding domU's vif to that bridge
>>
>> For (1) Can be done with either libvirt or setup manually.
>> For (2), you can simply use Xen's existing bridge script. No need to
>> create additional network script.
>>
>
> For (1), How would I go about setting it up manually?

I'd still recommend you use libvirt. However, if you want to create the bridge manually, see http://wiki.xensource.com/xenwiki/HostConfiguration/Networking . Basically you use whatever method the OS has (/etc/network/interfaces for Debian/Ubuntu).

As an example, you can use something like this on /etc/network/interfaces which combines bridge and NAT creation (you might need to load "dummy" module first, or add it to /etc/modules)

#======================================
# dummy0 is the only port of br0, so the bridge has no physical uplink
auto dummy0
iface dummy0 inet manual

auto br0
iface br0 inet static
    address 192.168.123.1
    netmask 255.255.255.0
    bridge_ports dummy0
    bridge_stp yes
# rules added when br0 comes up
    post-up /sbin/iptables --table filter --insert INPUT --source \
        192.168.123.0/255.255.255.0 --jump ACCEPT
    post-up /sbin/iptables --table filter --insert FORWARD --source \
        192.168.123.0/255.255.255.0 --jump ACCEPT
    post-up /sbin/iptables --table filter --insert FORWARD --destination \
        192.168.123.0/255.255.255.0 --match state \
        --state ESTABLISHED,RELATED --jump ACCEPT
    post-up /sbin/iptables --table nat --insert POSTROUTING --source \
        192.168.123.0/255.255.255.0 \
        ! --destination 192.168.123.0/255.255.255.0 --jump MASQUERADE
# the same rules removed again when br0 goes down
    pre-down /sbin/iptables --table filter --delete INPUT --source \
        192.168.123.0/255.255.255.0 --jump ACCEPT
    pre-down /sbin/iptables --table filter --delete FORWARD --source \
        192.168.123.0/255.255.255.0 --jump ACCEPT
    pre-down /sbin/iptables --table filter --delete FORWARD --destination \
        192.168.123.0/255.255.255.0 --match state \
        --state ESTABLISHED,RELATED --jump ACCEPT
    pre-down /sbin/iptables --table nat --delete POSTROUTING --source \
        192.168.123.0/255.255.255.0 \
        ! --destination 192.168.123.0/255.255.255.0 --jump MASQUERADE
#======================================

Make sure that /proc/sys/net/ipv4/ip_forward = 1 (edit /etc/sysctl.conf if you have to).

> For (2), When you refer to "bridge script" are you referring to
> 'vif-script' or 'network-script'?
> Currently I am using a statement like
> 'bridge=br1,mac=xxxxxxxx,ip=xx.xx.xx.xx', which is working out fine for
> my "true" bridged network.

Just use whatever you currently use on "true" bridged network. Just watch out for:
- bridge names. In my example, the bridge with NAT support is br0
- no need for "ip=xxxxx" part. Some setups with ebtables or modified domU config can make use of that, but usually it's not needed
- setup IP address from domU. In my example I don't have a dhcp server on dom0, so I need to assign static address in domU manually.

--
Fajar
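
An added example, not written by anyone in the thread: a check that the bridge+NAT rules from the last message are actually loaded and that forwarding is on, run here against a constructed `iptables-save` dump. The function and variable names (`has_rule`, `audit_nat`, `SAMPLE_DUMP`) are hypothetical; the subnet is the one from that message, written with a prefix length because that is how `iptables-save` prints masks.

```shell
#!/bin/sh
# Added example (not from the thread): audit iptables-save text for the
# bridge+NAT rules posted above. Function and variable names are hypothetical.

# has_rule DUMP TABLE REGEX: true if TABLE holds a rule line matching REGEX.
has_rule() {
    printf '%s\n' "$1" | awk -v t="*$2" -v re="$3" '
        /^\*/ { cur = $0 }                  # table header such as *nat
        cur == t && $0 ~ re { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_nat DUMP SUBNET [IP_FORWARD_FILE]
# Prints findings; returns the number of things that would break guest NAT.
audit_nat() {
    dump=$1
    net=$(printf '%s' "$2" | sed 's/[.]/[.]/g')   # literal dots in the regex
    fwd=${3:-/proc/sys/net/ipv4/ip_forward}
    problems=0
    has_rule "$dump" nat "^-A POSTROUTING .*-s $net .*-j MASQUERADE" ||
        { echo "missing: MASQUERADE for $2"; problems=$((problems + 1)); }
    has_rule "$dump" filter "^-A FORWARD .*-s $net .*-j ACCEPT" ||
        { echo "missing: FORWARD accept from $2"; problems=$((problems + 1)); }
    has_rule "$dump" filter \
        "^-A FORWARD .*-d $net .*(ESTABLISHED|RELATED).*-j ACCEPT" ||
        { echo "missing: FORWARD accept of replies to $2"
          problems=$((problems + 1)); }
    [ "$(cat "$fwd" 2>/dev/null)" = 1 ] ||
        { echo "ip_forward is not 1"; problems=$((problems + 1)); }
    # Not a breakage, but worth knowing: this rule lets guests reach every
    # service listening on dom0, not only DHCP/DNS.
    if has_rule "$dump" filter "^-A INPUT -s $net -j ACCEPT$"; then
        echo "note: INPUT accepts all traffic from $2"
    fi
    return "$problems"
}

# Constructed sample: the return-traffic FORWARD rule is deliberately absent.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.168.123.0/24 -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -j ACCEPT
COMMIT'

audit_nat "$SAMPLE_DUMP" 192.168.123.0/24 || echo "problems found: $?"
```

On a real dom0, pass the output of `iptables-save` (run as root) as the first argument instead of the sample.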