We would like to implement the following scenario .. please look at the png attachment.

Main question:
How do I set up a domU firewall/router with one interface bridged to the internet and interfaces connected to other domUs? Do we even need an interface for each connected domU?

Thanks in advance,
merry xmas

Max

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Thiago Camargo Martins Cordeiro
2008-Dec-18 17:56 UTC
[Xen-devel] Fwd: [Xen-users] firewall domU
Forwarding to the list:

---------- Forwarded message ----------
From: Thiago Camargo Martins Cordeiro <thiagocmartinsc@gmail.com>
Date: 2008/12/18
Subject: Re: [Xen-users] firewall domU
To: "Maximilian W. Zeller" <mawize@gmail.com>

Zeller,

I have 4 domUs acting as a firewall in a bridge fashion, but my hardware has 2 physical ethernets.

In dom0, my public eth0 IP is 200.1.2.2/28; 200.1.2.1 is the gateway of the public network. My private eth1 IP is 192.168.1.1/24.

Create the file /etc/xen/scripts/network-bridge-wrapper with:

#!/bin/sh
# Run the stock network-bridge script once per physical NIC, so that
# xend creates one bridge for eth0 (public) and one for eth1 (private).
/etc/xen/scripts/network-bridge $1 netdev=eth0
/etc/xen/scripts/network-bridge $1 netdev=eth1

In /etc/xen/xend-config.sxp change the line:
(network-script network-bridge)

to:
(network-script network-bridge-wrapper) # ...and restart xendomains / xend.

In your domU firewall configuration file, "vif" must be like this:

grep vif /etc/xen/firewall01.cfg:
vif = [ 'mac=00:01:64:ac:8f:2c, bridge=eth0',
        'mac=00:01:64:9b:b5:1b, bridge=eth1' ]

So you will have two ethernets in your domU firewall, each of them connected to its respective public/private bridge.

In your domU eth0, configure the public IP 200.1.2.3/28 with gateway 200.1.2.1 (the same gateway as dom0), and in your domU eth1, configure the IP 192.168.1.254/25; this will be the gateway for all your domUs, living on the same hypervisor or not (it's a bridge, remember). Ah! You do not need an interface for each domU...

I hope this helps you in your scenario.

Regards,
Thiago

2008/12/18 Maximilian W. Zeller <mawize@gmail.com>
> We would like to implement the following scenario .. please look at the png
> attachment
>
> Main Question:
> how do I set up a domU firewall/router with one interface bridged to the
> internet and interfaces connected to other domUs? do we even need an
> interface for each connected domU?
>
> thanks in advance
> merry xmas
>
> Max

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Forwarding to the list again:

---------- Forwarded message ----------
From: Thiago Camargo Martins Cordeiro <thiagocmartinsc@gmail.com>
Date: 2008/12/18
Subject: Re: [Xen-users] firewall domU
To: "Maximilian W. Zeller" <mawize@gmail.com>

Zeller,

I forgot to say that in your www and mail domUs, their eth0 will be connected to "bridge=eth1"! Like this:

grep vif /etc/xen/mail01.cfg
vif = [ 'mac=00:01:64:WW:YY:XX, bridge=eth1' ]

Thiago

2008/12/18 Thiago Camargo Martins Cordeiro <thiagocmartinsc@gmail.com>
> Zeller,
>
> I have 4 domUs acting as a firewall in a bridge fashion, but my hardware
> has 2 physical ethernets.
>
> In dom0, my public eth0 IP is 200.1.2.2/28; 200.1.2.1 is the gateway of the
> public network. My private eth1 IP is 192.168.1.1/24.
>
> Create the file /etc/xen/scripts/network-bridge-wrapper with:
>
> #!/bin/sh
> /etc/xen/scripts/network-bridge $1 netdev=eth0
> /etc/xen/scripts/network-bridge $1 netdev=eth1
>
> In /etc/xen/xend-config.sxp change the line:
> (network-script network-bridge)
>
> to:
> (network-script network-bridge-wrapper) # ...and restart xendomains /
> xend.
>
> In your domU firewall configuration file, "vif" must be like this:
>
> grep vif /etc/xen/firewall01.cfg:
> vif = [ 'mac=00:01:64:ac:8f:2c, bridge=eth0',
>         'mac=00:01:64:9b:b5:1b, bridge=eth1' ]
>
> So you will have two ethernets in your domU firewall, each of them connected
> to its respective public/private bridge.
>
> In your domU eth0, configure the public IP 200.1.2.3/28 with gateway
> 200.1.2.1 (the same gateway as dom0), and in your domU eth1, configure the IP
> 192.168.1.254/25; this will be the gateway for all your domUs, living on
> the same hypervisor or not (it's a bridge, remember). Ah! You do not need an
> interface for each domU...
>
> I hope this helps you in your scenario.
>
> Regards,
> Thiago
>
> 2008/12/18 Maximilian W. Zeller <mawize@gmail.com>
On Thu, Dec 18, 2008 at 8:23 AM, Maximilian W. Zeller <mawize@gmail.com> wrote:
> We would like to implement the following scenario .. please look at the png
> attachment
>
> Main Question:
> how do I set up a domU firewall/router with one interface bridged to the
> internet and interfaces connected to other domUs? do we even need an
> interface for each connected domU?
>
> thanks in advance
> merry xmas
>
> Max

Max,

Why would you want two firewalls protecting your internal network?

Anyway, it seems you'd want to do this if you keep both firewalls. Have both DomU firewalls connect to the standard eth0 bridge just as you have it now. Each DomU firewall will have a second vif. Create two more bridges - br0 and br1 (name them as you like) and specify the appropriate bridge in the www DomUs' and email DomUs' config files. You'll also need to specify that the second interfaces on the DomU firewalls reside on the appropriate bridges.

Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows." Now they have two problems.
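Both answers above rely on the same property: the only domU with a vif on the Internet-facing bridge is the firewall domU, and every www/mail domU sits only on an internal bridge (Thiago's eth1, or Grant's br0/br1). A single misplaced `bridge=` in one cfg file silently bypasses the firewall, and a MAC reused across two vifs on the same bridge makes the bridge learn the wrong port. The script below is an added example, not code from this thread or from the Xen project: it parses the `vif = [ ... ]` line of each domU cfg (the Python-syntax format quoted in the posts), takes one bridge name as the public one (assumed to be eth0, as in Thiago's layout; any number of other bridges are treated as internal, which also covers Grant's two-bridge variant), and reports any non-firewall domU on the public bridge, any firewall domU that does not span both sides, and any duplicate MAC. The sample configs at the bottom are constructed, with www01 deliberately wrong, and the domain names, bridge names and MACs are assumptions.

```python
"""Isolation check for a Xen firewall-domU layout (added example; not code
from the thread or from Xen).

Assumptions (not stated in the thread): each domU has a cfg file in the
Python-syntax form "vif = [ 'mac=..., bridge=...' ]"; exactly one bridge
faces the Internet; only the firewall domain(s) may have a vif on it; every
other bridge is internal."""
import re
from collections import defaultdict

# The "vif = [ ... ]" line of a Xen cfg; the bracket body holds quoted entries.
_VIF_LIST = re.compile(r"^\s*vif\s*=\s*\[(.*?)\]", re.S | re.M)
# One quoted entry, single- or double-quoted.
_ENTRY = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def parse_vifs(cfg_text):
    """Return one dict per vif entry, e.g. {'mac': '00:01:64:ac:8f:2c', 'bridge': 'eth0'}."""
    m = _VIF_LIST.search(cfg_text)
    if not m:
        return []
    vifs = []
    for entry in _ENTRY.finditer(m.group(1)):
        body = entry.group(1) if entry.group(1) is not None else entry.group(2)
        params = {}
        for kv in body.split(","):
            key, _, value = kv.strip().partition("=")
            if key:
                params[key.strip()] = value.strip()
        vifs.append(params)
    return vifs


def check_isolation(configs, firewall_domains, public_bridge):
    """configs maps domU name -> cfg text. Returns a list of findings; an
    empty list means every firewall domU spans the public bridge and at
    least one internal bridge, no internal domU touches the public bridge,
    and no MAC address is used twice."""
    findings = []
    mac_owners = defaultdict(list)
    for dom, text in configs.items():
        vifs = parse_vifs(text)
        if not vifs:
            findings.append(f"{dom}: no vif entries found")
            continue
        bridges = [v.get("bridge") for v in vifs]
        if dom in firewall_domains:
            if public_bridge not in bridges:
                findings.append(f"{dom}: firewall has no vif on public bridge {public_bridge}")
            if not any(b != public_bridge for b in bridges):
                findings.append(f"{dom}: firewall has no vif on an internal bridge")
        elif public_bridge in bridges:
            # The point of the layout: internal domUs reach the Internet only
            # through the firewall domU, never via a vif of their own on eth0.
            findings.append(f"{dom}: internal domU attached to public bridge {public_bridge}")
        for v in vifs:
            if "mac" in v:
                mac_owners[v["mac"].lower()].append(dom)
    for mac, owners in mac_owners.items():
        if len(owners) > 1:
            findings.append(f"duplicate mac {mac} in {', '.join(sorted(owners))}")
    return findings


# Constructed sample, modelled on the vif lines quoted in the thread (assumed
# names and MACs). www01 is deliberately wrong: it sits on the public bridge
# eth0 and reuses firewall01's MAC.
SAMPLE_CONFIGS = {
    "firewall01": "vif = [ 'mac=00:01:64:ac:8f:2c, bridge=eth0',\n"
                  "        'mac=00:01:64:9b:b5:1b, bridge=eth1' ]\n",
    "mail01": "vif = [ 'mac=00:01:64:00:00:01, bridge=eth1' ]\n",
    "www01": "vif = [ 'mac=00:01:64:ac:8f:2c, bridge=eth0' ]\n",
}

if __name__ == "__main__":
    for line in check_isolation(SAMPLE_CONFIGS, {"firewall01"}, "eth0") or ["ok"]:
        print(line)
```

To run it against a real host, read each /etc/xen/*.cfg into the dict keyed by the domain name and pass the set of firewall domains and the public bridge name for your layout (eth0 here; in Grant's variant the firewall domUs would be listed together and br0/br1 simply fall out as internal). The check only looks at the static cfg files; it says nothing about what a running domU does on the bridge, so it complements rather than replaces the firewall rules inside the firewall domU.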