Hi all,

I have several servers I'd like to consolidate to Xen 3.2 and I am having a bit of trouble with firewalls and the best network environment to choose from. I have read documentation here and there but I am a bit confused now and after some advice or specific documentation.

1/ I'd like the following but have had problems getting it to work with a firewall on Dom0

                                              |-> Dom1 (10.0.0.10) - Mail
    WAN <-----> eth0 Dom0 <-------------------|-> Dom2 (10.0.0.10) - Web
                (87.98.252.205)               |-> Dom3 (10.0.0.10) - Web

Where Dom0 is the firewall and DomUs are natted. Dom0 would have a web proxy to redirect http to the right server. I tried getting this to work with shorewall but it's a no go. Has someone managed this setup with a proper firewall in place?

2/ Second option would be to use a bridge but I'm not sure the following would work

                   |-> Dom0 87.98.252.205 - (Restricted)
                   |-> Dom1 98.12.113.200 - Mail
    WAN <----------|-> Dom2 99.130.15.200 - Web
                   |-> Dom3 85.99.120.113 - Web

Can I have a bridge with public IPs in completely different ranges?

3/ Last but not least is a theory I found about putting Dom1 as the firewall, locking out Dom0 for security reasons and having the whole environment natted. If this would work for me, is there any documentation? I see threads and attempts but no real documentation on how this is done.

Many thanks for any help you can provide. Like I said, pointers to good documentation are more than welcome!

-- 
eco

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
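Option 1 above (Dom0 as the NAT firewall, DomUs on private addresses, one public IP) as an added example that is not part of the thread: a small generator for a default-deny iptables rule set, which also flags the problem hidden in the diagram, namely that two web DomUs cannot both be published on port 80 of a single public IP. The interface and bridge names and the DomU addresses are assumptions, not the poster's configuration.

```python
"""Rule generator for the 'Dom0 as NAT firewall' layout (option 1).

Added example, not from the thread.  Assumes one public IP on Dom0's eth0
and all DomUs on one internal bridge; interface and bridge names are
assumptions, the DomU addresses below are constructed sample values.
"""
from dataclasses import dataclass, field

WAN_IF = "eth0"              # public side of Dom0 (as in the post)
LAN_IF = "xenbr0"            # internal bridge the DomUs hang off (assumed name)
PUBLIC_IP = "87.98.252.205"  # public address from the post


@dataclass
class DomU:
    name: str
    ip: str                                    # private address behind NAT
    ports: dict = field(default_factory=dict)  # public TCP port -> private port


def build_rules(domus, public_ip=PUBLIC_IP):
    """Return the iptables commands as a list of strings.

    Forwarding is default-deny; only explicitly published ports reach a DomU.
    Two DomUs publishing the same public port (the two web servers in the
    post) cannot both be DNAT targets behind one IP, so that raises
    ValueError: the second one needs Dom0's proxy or a second public IP.
    """
    claimed = {}
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # DomUs may open outbound connections, hidden behind the public IP
        f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {WAN_IF} -j SNAT --to-source {public_ip}",
    ]
    for d in domus:
        for pub, priv in sorted(d.ports.items()):
            if pub in claimed:
                raise ValueError(f"public port {pub}: {claimed[pub]} and {d.name} both claim it")
            claimed[pub] = d.name
            rules.append(f"iptables -t nat -A PREROUTING -i {WAN_IF} -d {public_ip} "
                         f"-p tcp --dport {pub} -j DNAT --to-destination {d.ip}:{priv}")
            rules.append(f"iptables -A FORWARD -i {WAN_IF} -o {LAN_IF} -d {d.ip} "
                         f"-p tcp --dport {priv} -m conntrack --ctstate NEW -j ACCEPT")
    return rules


# constructed sample matching the post's layout: mail on Dom1, web on Dom2
SAMPLE = [DomU("dom1-mail", "10.0.0.10", {25: 25}),
          DomU("dom2-web", "10.0.0.11", {80: 80})]
```

Adding a third DomU that also publishes port 80 makes `build_rules` raise, which is the case the web proxy in the post has to cover.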
----- lists@precognet.com wrote:

> Hi all,
>
> I have several servers I'd like to consolidate to Xen 3.2 and I am
> having a bit of trouble with firewalls and the best network
> environment to choose from. I have read documentation here and there
> but I am a bit confused now and after some advice or specific
> documentation.
>
> 1/ I'd like the following but have had problems getting it to work
> with a firewall on Dom0
>
>                                               |-> Dom1 (10.0.0.10) - Mail
>     WAN <-----> eth0 Dom0 <-------------------|-> Dom2 (10.0.0.10) - Web
>                 (87.98.252.205)               |-> Dom3 (10.0.0.10) - Web
>
> Where Dom0 is the firewall and DomUs are natted. Dom0 would have a
> web proxy to redirect http to the right server. I tried getting this
> to work with shorewall but it's a no go. Has someone managed this
> setup with a proper firewall in place?
>
> 2/ Second option would be to use a bridge but I'm not sure the
> following would work
>
>                    |-> Dom0 87.98.252.205 - (Restricted)
>                    |-> Dom1 98.12.113.200 - Mail
>     WAN <----------|-> Dom2 99.130.15.200 - Web
>                    |-> Dom3 85.99.120.113 - Web
>
> Can I have a bridge with public IPs in completely different ranges?
>
> 3/ Last but not least is a theory I found about putting Dom1 as
> the firewall, locking out Dom0 for security reasons and having the whole
> environment natted. If this would work for me, is there any
> documentation? I see threads and attempts but no real documentation
> on how this is done.
>
> Many thanks for any help you can provide. Like I said, pointers to
> good documentation are more than welcome!
> -- 
> eco

I guess what I am asking for is advice on how to make 3 DomUs available to the internet through one physical interface with a minimum of risk. I'd rather only use one public IP but I can have access to several more but in different ranges as shown above.

Any documentation explaining how to do this is welcome.

Thanks
-- 
eco
----- "Lists" <lists@precognet.com> wrote:

> I guess what I am asking for is advice on how to make 3 DomUs
> available to the internet through one physical interface with a
> minimum of risk. I'd rather only use one public IP but I can have
> access to several more but in different ranges as shown above.
>
> Any documentation explaining how to do this is welcome.
>
> Thanks
> -- 
> eco

Here is what I have come up with but it needs to be tested... anyone want to comment on this?

Xen 3.2.1 bridged with 1 physical NIC and multiple NIC aliases and bridges

                |hardware     |Alias           |Bridge          |DomN
                              |-> eth0   <-----> eth0   <-----> eth0 dom0
    WAN <-----> eth0 <--------|-> eth0:0 <-----> eth0:2 <-----> eth0 dom1
                              |-> eth0:1 <-----> eth0:3 <-----> eth0 dom2

Dom0 - /etc/network/interfaces
------------------------------
auto eth0
iface eth0 inet static
    address 192.168.110.150
    netmask 255.255.255.0
    gateway 192.168.110.2
    # post-up ethtool -K eth0 tx off

auto eth0:0
iface eth0:0 inet static
    address 192.168.61.1
    netmask 255.255.255.0
    # post-up ethtool -K eth0 tx off

auto eth0:1
iface eth0:1 inet static
    address 192.168.62.1
    netmask 255.255.255.0
    # post-up ethtool -K eth0 tx off

Dom0 - /etc/xen/scripts/network-bridge-multiple
-----------------------------------------------
#!/bin/sh
# Run the stock network-bridge script once per interface alias,
# giving each alias its own bridge.
dir=$(dirname "$0")
"$dir/network-bridge" "$@" netdev=eth0   bridge=eth0
"$dir/network-bridge" "$@" netdev=eth0:0 bridge=eth1
"$dir/network-bridge" "$@" netdev=eth0:1 bridge=eth2

Dom0 - /etc/xen/test01.test.com.cfg
-----------------------------------
kernel  = '/boot/vmlinuz-2.6.18-6-xen-686'
ramdisk = '/boot/initrd.img-2.6.18-6-xen-686'
memory  = '64'
root    = '/dev/sda2 ro'
disk    = [
    'phy:/dev/vm/test01.test.com-swap,sda1,w',
    'phy:/dev/vm/test01.test.com-disk,sda2,w',
]
name    = 'test01'
vif     = [ 'mac=00:16:3E:EF:76:34, bridge=eth0:0' ]
on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'

DomU - /etc/network/interfaces
------------------------------
auto eth0
iface eth0 inet static
    address 192.168.61.10
    netmask 255.255.255.0
    gateway 192.168.61.1
    # post-up ethtool -K eth0 tx off

Both DomUs boot and I can ssh from Dom0 to DomU and vice versa. Sadly I can't test from the WAN.

Any thoughts at all? :)

-- 
eco
lists@precognet.com wrote:

> Hi all,
>
> I have several servers I'd like to consolidate to Xen 3.2 and I am having a bit of trouble with firewalls and the best network environment to choose from. I have read documentation here and there but I am a bit confused now and after some advice or specific documentation.
>
> 1/ I'd like the following but have had problems getting it to work with a firewall on Dom0
>
>                                               |-> Dom1 (10.0.0.10) - Mail
>     WAN <-----> eth0 Dom0 <-------------------|-> Dom2 (10.0.0.10) - Web
>                 (87.98.252.205)               |-> Dom3 (10.0.0.10) - Web
>
> Where Dom0 is the firewall and DomUs are natted. Dom0 would have a web proxy to redirect http to the right server. I tried getting this to work with shorewall but it's a no go. Has someone managed this setup with a proper firewall in place?
>
> 2/ Second option would be to use a bridge but I'm not sure the following would work
>
>                    |-> Dom0 87.98.252.205 - (Restricted)
>                    |-> Dom1 98.12.113.200 - Mail
>     WAN <----------|-> Dom2 99.130.15.200 - Web
>                    |-> Dom3 85.99.120.113 - Web
>
> Can I have a bridge with public IPs in completely different ranges?
>
> 3/ Last but not least is a theory I found about putting Dom1 as the firewall, locking out Dom0 for security reasons and having the whole environment natted. If this would work for me, is there any documentation? I see threads and attempts but no real documentation on how this is done.
>
> Many thanks for any help you can provide. Like I said, pointers to good documentation are more than welcome!

Hi, eco!

Here is a link to a setup I built back in '06. I don't claim that it's *good* documentation.

http://www.hostisimo.com/xen-howto.html

It uses xen-3.0.2 so some things have certainly changed but this may serve as a basis for your efforts. Because it is in a controlled access environment and at times I need to hang physical boxes onto the various bridges I used three physical NICs.

In your case you would only need the WAN to be physical; the DMZ would use a tap device for the bridge. Chop off what you don't need and use what you do.

I hope you have as much fun as I did getting all the pieces to work together.

nb: this doc resides on a low bandwidth adsl connection so access may not be too zippy.

hth,
Mike Wright :m)