Hi All,

It's about time to upgrade my shorewall routers again so thinking of possible changes.
In our main office have managed switches and 5 xen servers.

I'm thinking of running the firewall/router under xen.
Don't have all the details figured out but this is roughly what I'm thinking of:

Set up separate vlan for the two isps and plug isps into the switch.
Run into xen servers on tagged vlans and set up separate bridges for each.
Each shorewall domu would see 3 interfaces.

Then have 2 shorewall domus with failover on separate xen servers.
I'm uncertain of the details for failover.

I'm pretty confident it can be done but is it a good idea?
Any thoughts?

John

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 4/30/12 8:59 AM, John McMonagle wrote:
> Hi All
>
> It's about time to upgrade my shorewall routers again so thinking of possible
> changes.
> In our main office have managed switches and 5 xen servers.
>
> I'm thinking of running the firewall/router under xen.
> Don't have all the details figured out but this is roughly what I'm thinking
> of:
>
> Set up separate vlan for the two isps and plug isps into the switch.
> Run into xen servers on tagged vlans and set up separate bridges for each.
> Each shorewall domu would see 3 interfaces.
>
> Then have 2 shorewall domus with failover on separate xen servers.
> I'm uncertain of the details for failover.
>
> I'm pretty confident it can be done but is it a good idea?
> Any thoughts?

I have no comments -- I haven't used Xen in years, so I can't make a recommendation one way or the other.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
John McMonagle wrote:
> It's about time to upgrade my shorewall routers again so thinking of possible
> changes.
> In our main office have managed switches and 5 xen servers.
>
> I'm thinking of running the firewall/router under xen.
> Don't have all the details figured out but this is roughly what I'm thinking
> of:
>
> Set up separate vlan for the two isps and plug isps into the switch.
> Run into xen servers on tagged vlans and set up separate bridges for each.
> Each shorewall domu would see 3 interfaces.
>
> Then have 2 shorewall domus with failover on separate xen servers.
> I'm uncertain of the details for failover.
>
> I'm pretty confident it can be done but is it a good idea?

Well it's certainly one way of doing it.

I run Shorewall on pretty well all of my machines (most of which are PV guests under Xen) - no problems there.

I also run two redundant routers in our server room (or they would be redundant if one of them hadn't died). These are just a couple of old surplus 1U rack mount servers that I inherited as stuff was upgraded.

I've not run VLANs into a Xen host myself (used them into bare-metal hosts), but over on the Xen users lists there have been several threads where people have done it successfully - so I'd have no qualms there either.

My preference would be to keep at least one of them as a bare metal device. Your routers are probably the most critical part of the network, and being bare metal means they have few dependencies (such as waiting for the host to boot and then autostart the guests). We've had a couple of "cold starts" for various reasons, and it's a real pain if connectivity and DNS aren't up as everything else starts.

At the moment I'm looking for something small and cost effective to replace the dead box. We don't have any suitable hardware already spare or due to be soon - and a 1U system tends to be somewhat overkill price-wise.

I'm currently thinking about whether one of these Alix boards would work for us (I'm also needing a number of similar boxes for other routing/firewall duties):
http://linitx.com/category/180/113,176,180

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
On 5/1/2012 2:59 AM, Simon Hobson wrote:
> My preference would be to keep at least one of them as a bare metal
> device.

I agree with Simon. I haven't run Shorewall under Xen but I have run virtualized routers and it wasn't worth losing internet connectivity if I needed to take the host down for any reason.

- Bob Coffman
On Tuesday, May 01, 2012 08:08:01 am Robert K Coffman Jr. -Info From Data Corp. wrote:
> On 5/1/2012 2:59 AM, Simon Hobson wrote:
> > My preference would be to keep at least one of them as a bare metal
> > device.
>
> I agree with Simon. I haven't run Shorewall under Xen but I have run
> virtualized routers and it wasn't worth losing internet connectivity if
> I needed to take the host down for any reason.
>
> - Bob Coffman
>

That was why I was thinking of running 2 of them.
For that reason I'm not considering where only 1 xen server is available.
It would make a nasty maintenance situation in my situation where most everything is done remotely.

Some sort of solid ha would be essential.
I'm thinking of something where both are hot on different ips and the "active" one would take over the official addresses. That way if at least one was up I could get in even if ha messed up.
Then again one could do the same with 2 pcs.

On the down side are those occasional situations where power goes out long enough to drain ups batteries. It would be nice if the router gets up first. Needless to say the best one can do is to configure the router domu to start first.

Back to the pluses.
Been using small PCs, working OK. My biggest problem is sometimes they do not come back up after a long power outage. I think it's some sort of kvm issue.
Our budget is small and it's hard to justify the cost of a server grade box and the old servers that are available are getting a bit questionable.
The xen boxes are good reliable servers.

John
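The scheme John describes above (both routers hot on their own addresses, the "active" one taking over the official addresses) is what VRRP does. The keepalived configuration below is an added example and is not from this thread or from the Shorewall project; keepalived itself, the interface and VLAN/bridge layout (eth0 = bridge to the ISP1 VLAN, eth1 = bridge to the ISP2 VLAN, eth2 = LAN bridge), the addresses, the priorities and the use of `shorewall status` as a health check are all assumptions. Only the MASTER node's file is shown; the other domU uses the same file with `router_id`, `state` and `priority` changed as noted in the comments.

```conf
# Added example (not from the thread): keepalived on the first Shorewall domU.
# Each domU keeps its own permanent management address on eth2 (assumed
# 10.0.0.2 here, 10.0.0.3 on the other node) configured outside keepalived,
# so an admin can still reach a node if VRRP misbehaves. Only the "official"
# addresses listed under virtual_ipaddress move between the two domUs.

global_defs {
    router_id fw1                 # "fw2" on the other domU
}

# Health check (assumption: "shorewall status" exits non-zero when the
# firewall is not running). With weight 0 a failed check puts the instance
# into FAULT, and the sync group below moves the other addresses with it.
vrrp_script chk_shorewall {
    script "/sbin/shorewall status"
    interval 5
    fall 2
    rise 2
}

# Keep all three floating addresses on the same node: losing one uplink or
# the LAN bridge fails the whole group over rather than splitting it.
vrrp_sync_group FWGROUP {
    group {
        VI_ISP1
        VI_ISP2
        VI_LAN
    }
}

vrrp_instance VI_ISP1 {
    state MASTER                  # BACKUP on the other domU
    interface eth0                # bridge carrying the ISP1 VLAN
    virtual_router_id 51
    priority 150                  # 100 on the other domU
    advert_int 1
    virtual_ipaddress {
        203.0.113.10/29 dev eth0  # placeholder for the ISP1-assigned address
    }
    track_script {
        chk_shorewall
    }
}

vrrp_instance VI_ISP2 {
    state MASTER
    interface eth1                # bridge carrying the ISP2 VLAN
    virtual_router_id 52
    priority 150
    advert_int 1
    virtual_ipaddress {
        198.51.100.10/29 dev eth1 # placeholder for the ISP2-assigned address
    }
    track_script {
        chk_shorewall
    }
}

vrrp_instance VI_LAN {
    state MASTER
    interface eth2                # LAN bridge
    virtual_router_id 53
    priority 150
    advert_int 1
    virtual_ipaddress {
        10.0.0.1/24 dev eth2      # the LAN default gateway address
    }
    track_script {
        chk_shorewall
    }
}
```

Two practical points for this layout. First, the two domUs do not share connection-tracking state, so established NAT sessions through the old active node are dropped at failover unless something like conntrackd is added; for an office link that is usually acceptable, but it is worth knowing before the first switchover. Second, VRRP advertisements travel on the bridged VLAN segments themselves, so the ISP-facing bridges must carry traffic between the two Xen hosts (the tagged VLAN through the managed switch provides that), and a Shorewall rule permitting protocol 112 (VRRP) between the two domUs on each interface is required or the instances will never see each other and both will go MASTER.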