Hi There,

I currently have several machines doing separate tasks that I'd like to consolidate into one machine and make more efficient use of system resources.

I have been reading through the Xen docs, wiki, and list archives and have it all figured out except for one part, which I am hoping you might be able to help me out with....

My Xen server has three NICs... one for remote management of dom0 and the other two will be hidden from dom0 and assigned to the firewall. One NIC on the firewall will be for the Internet, the other for the LAN, and I will use a 'vif' interface for the DMZ (since the only machine in it will be a guest server)

My problem is that I plan on having a couple of the guest systems on the Xen server on the LAN as well, but since the physical LAN NIC on the firewall will be connected to a physical switch, I am not sure how to pull this off.

Is it possible to use a 'vif' interface and perhaps bridge it and have it all seamless?

If so, any pointers on how to do this (docs, HOWTO, etc.)

Thanks! I look forward to hearing from you :-)

-Alan

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi Alan,

I guess there are several solutions to your problem. Here's mine:

(I assume you mean you want access to these servers from the LAN, not that you want to migrate them to the LAN :) , although the following design should still hold.)

For the LAN interface, hide the NIC from dom0 and export it to the Firewall driver domain. For an internal DMZ create a bridge in dom0 (possibly tied to a dummy interface) without an IP assigned to it and export it to the firewall. Any domUs you want your LAN to access just need to have this bridge specified in their xen config, and the appropriate firewall rules for routing between the LAN and DMZ.

You could use the Firewall driver domain as a network backend for your domUs, but this results in a new vif being issued in the Firewall for each domU created, and can cause problems with firewalls like Shorewall. Hence my preference for an 'untethered' bridge.

No reason why you can't have a number of DMZ bridges for different purposes, but the more interfaces you have the longer Shorewall takes for calculation of rules (~60 secs for 10-12 interfaces on a P3/650!)

For the privileged firewall domain you can either compile a specialised kernel with hardware access and the appropriate driver for your NIC, or just use your dom0 kernel.

This idea is being worked on, and may look something like this:
http://marcusbrutus.cust.internode.on.net/Computers/v0-4-3/Xen_Firewall_0_4_33

Where, in your case the green dashed-line would actually be permanently tied to your third NIC (for administration).

Hope that helps to start you off,
Marcus.

Alan Murrell wrote:
> Hi There,
>
> I currently have several machines doing separate tasks that I'd like to
> consolidate into one machine and make more efficient use of system
> resources.
>
> I have been reading through the Xen docs, wiki, and list archives and
> have it all figured out except for one part, which I am hoping you might
> be able to help me out with....
>
> My Xen server has three NICs... one for remote management of dom0 and
> the other two will be hidden from dom0 and assigned to the firewall.
> One NIC on the firewall will be for the Internet, the other for the LAN,
> and I will use a 'vif' interface for the DMZ (since the only machine in
> it will be a guest server)
>
> My problem is that I plan on having a couple of the guest systems on the
> Xen server on the LAN as well, but since the physical LAN NIC on the
> firewall will be connected to a physical switch, I am not sure how to
> pull this off.
>
> Is it possible to use a 'vif' interface and perhaps bridge it and have
> it all seamless?
>
> If so, any pointers on how to do this (docs, HOWTO, etc.)
>
> Thanks! I look forward to hearing from you :-)
>
> -Alan
Hi Marcus,

On Wed, 2005-09-14 at 10:35 +1000, Marcus Brown wrote:
> (I assume you mean you want access to these servers from the LAN,
> not that you want to migrate them to the LAN :) , although the
> following design should still hold.)

Not sure if this is what you mean, but my Xensource server will have at least one machine in a DMZ (external web and email), and a couple of servers that will be sitting on the LAN (a file/print server, mythtv backend, maybe a couple others).

Since the physical LAN interface being assigned to the firewall (also on the Xensource server) will plug into a physical switch, I still want the domU LAN servers to appear as though they are on the LAN (and act as such)

I hope that's a bit clearer? Basically, the LAN will have a couple physical machines (laptops, one workstation) and virtual servers.

-Alan
Hi Alan,

Alan Murrell wrote:
>
> Not sure if this is what you mean, but my Xensource server will have at
> least one machine in a DMZ (external web and email), and a couple of
> servers that will be sitting on the LAN (a file/print server, mythtv
> backend, maybe a couple others).
>
> Since the physical LAN interface being assigned to the firewall (also on
> the Xensource server) will plug into a physical switch, I still want the
> domU LAN servers to appear as though they are on the LAN (and act as
> such)
>
> I hope that's a bit clearer? Basically, the LAN will have a couple
> physical machines (laptops, one workstation) and virtual servers.
>

OK, the design and technique I explained last time should do this.

You could just use the firewall to DNAT the domains, and/or forward the necessary ports. eg. I have a mail server, web server, freenx server, etc all running as domains, with the firewall (currently) running shorewall.

Mail Server: DNAT for the LAN (Green Zone)

    DNAT       Zone GreenZone                    Host 192.168.254.51 in zone br5   TCP   Any   143
    DNAT       Zone GreenZone                    Host 192.168.254.51 in zone br5   UDP   Any   143
    AllowPOP3  Host 192.168.254.51 in zone br5   Zone RedZone                      Any
    AllowSMTP  Zone GreenZone                    Zone RedZone                      Any

Web Server: DNAT for the Internet (Red Zone)

    DNAT       Zone RedZone                      Host 192.168.254.50 in zone br5   UDP   Any   443
    DNAT       Zone RedZone                      Host 192.168.254.50 in zone br5   TCP   Any   443
    DNAT       Zone RedZone                      Host 192.168.254.50 in zone br5   TCP   Any   80

Freenx Server: DNAT for everywhere

    DNAT       Any                               Host 192.168.254.5:22 in zone br0  TCP   Any   XXXXX
    DNAT       Any                               Host 192.168.254.5:22 in zone br0  UDP   Any   XXXXX

(where XXXXX is a high port)

I've probably missed a fair bit of detail, but I hope that gives you an idea.

Marcus

ps. for the domains to actually be 'IN' the LAN, ie. in the same subnet then the domains need to be on the same bridge as the LAN NIC (short story). But then a routing firewall (iptables) would be pretty useless?

If the DNAT technique above doesn't suit, you might want to check out ebtables and make a Brouter ... ???
Hi Marcus,

On Wed, 2005-09-14 at 10:35 +1000, Marcus Brown wrote:
> For the LAN interface, hide the NIC from dom0 and export it to the
> Firewall driver domain. For an internal DMZ create a bridge in dom0
> (possibly tied to a dummy interface) without an IP assigned to it
> and export it to the firewall. Any domUs you want your LAN to access
> just need to have this bridge specified in their xen config, and the
> appropriate firewall rules for routing between the LAN and DMZ.

How is a bridge like that exported to the firewall? I know how to export a physical device, but not a bridge. Is it done via a 'vif [....]' statement in the firewall domain's configuration script?

> You could use the Firewall driver domain as a network backend for your
> domUs, but this results in a new vif being issued in the Firewall for
> each domU created, and can cause problems with firewalls like Shorewall.
> Hence my preference for an 'untethered' bridge.

Yeah, I tried doing that (specifying "backend=fw01" in the domU's config), but since I have LAN and DMZ domUs on the host server, I could not find a way to specify which vif created on the firewall was to be in the DMZ and which was to be in the LAN :-(

-Alan

P.S.: Replies to the list as opposed to my personal address are preferred, as this information may be quite useful for others. :-)
Hi Marcus,

On Sat, 2005-12-03 at 08:18 -0800, Alan Murrell wrote:
> How is a bridge like that exported to the firewall? I know how to
> export a physical device, but not a bridge. Is it done via a 'vif
> [....]' statement in the firewall domain's configuration script?

Actually I was able to figure this out from a similar thread you were involved in; the bridge is indeed specified in the Firewall domain's configuration file with the 'vif = [...]' statement :-)

-Alan
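Marcus's 'untethered' DMZ bridge and the `vif = [...]` export Alan confirms above, as an added example that is not from the thread: the dom0 commands that build an IP-less bridge on a dummy interface, and Xen 3.0-style domain configs that attach the firewall domain and a DMZ domU to it. Bridge, interface and domain names, MAC addresses, PCI ids and the kernel path are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Bridge/interface/domain names, MACs,
# PCI ids and the kernel path are assumptions; adjust to your dom0.
set -eu

DMZ_BR=${DMZ_BR:-br5}          # same bridge name goes into every domain config
DUMMY_IF=${DUMMY_IF:-dummy0}   # keeps the bridge up even with no guest attached

# Run once on dom0 as root. The bridge deliberately gets no IP address:
# dom0 is not a hop on the DMZ, only the firewall domain routes into it.
make_dmz_bridge() {
    modprobe dummy
    ip link set "$DUMMY_IF" up
    brctl addbr "$DMZ_BR"
    brctl addif "$DMZ_BR" "$DUMMY_IF"
    ip link set "$DMZ_BR" up       # no 'ip addr add' on purpose
}

# Firewall driver domain config. The two physical NICs must already be hidden
# from dom0 (Xen 3.0 dom0 cmdline: pciback.hide=(00:0c.0)(00:0d.0), assumed
# ids); they arrive via 'pci', the DMZ bridge via 'vif'. A fixed mac= lets
# you tell the DMZ vif apart from the LAN/Internet NICs inside the guest.
fw_domain_config() {
    cat <<EOF
name   = "fw01"
kernel = "/boot/vmlinuz-2.6-xen"
memory = 128
pci    = [ '00:0c.0', '00:0d.0' ]
vif    = [ 'mac=00:16:3e:00:00:01, bridge=$DMZ_BR' ]
EOF
}

# A DMZ guest attaches to the same bridge. No backend= is given, so dom0
# stays the backend and the firewall does not grow a new vif per domU.
dmz_domu_config() {   # $1 = domain name, $2 = MAC address
    cat <<EOF
name   = "$1"
kernel = "/boot/vmlinuz-2.6-xen"
memory = 256
vif    = [ 'mac=$2, bridge=$DMZ_BR' ]
EOF
}

# Typical use (dom0, as root):
#   make_dmz_bridge
#   fw_domain_config                         > /etc/xen/fw01
#   dmz_domu_config web01 00:16:3e:00:00:50  > /etc/xen/web01
#   xm create fw01 && xm create web01
```

Inside fw01 the DMZ vif is the interface carrying the fixed MAC, which is what lets Shorewall rules name it without guessing eth numbering.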
Greetings,

Has anybody successfully installed Xen on SuSE 10?

My config:
256 RAM
60 HD SCSI
DVD
AMD 700 Mhz

Too optimistic?

Cheers,
Jimmy