Hi there, I'm Alan.

2nd day I'm trying to set up network in Xen. Firstly, I set up it via
bridges and it have worked in some success ;-) But bridges is not what
I want.

So, I decide to reconstruct network with routes. I set up everything
as many tutorials said, but nothing happens: I can't ping domU from
host and can't ping dom0 from guest ;-(

So, below, I will show what I'm doing, I would like to hear what I'm
doing wrong.

Thanks for your patience.

===============
Dom0 have one (1) working net card: eth0

with IP for external LAN: 10.9.3.92
and gateway for with IP: 10.9.3.1

---------
My xend-config.sxp have:

(network-script network-route)
(vif-script vif-route)

---------

%# cat /proc/sys/net/ipv4/conf/all/proxy_arp
1
%# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
1
%# cat /proc/sys/net/ipv4/ip_forward
1

---------

In my %.vm (Virtual Machine) file I have:

vif = [ 'ip=10.0.2.2' ]

--------

In my DomU (Windows in my case) I set up network interface as follow:

address 10.0.2.2
netmask 255.255.255.0
gateway 10.9.3.1 # it's a gateway which gave me ISP (see above)

=======
After "xm create ...":

--------

%# ip r
[...]
10.0.2.2 dev vif2.0 scope link src 10.9.3.92
[...]

-------

%# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:e0:4c:a0:b0:20
          inet addr:10.9.3.92  Bcast:10.9.3.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fea0:b020/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2158921 errors:1 dropped:78 overruns:1 frame:0
          TX packets:1918655 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2215803222 (2.0 GiB)  TX bytes:1294017960 (1.2 GiB)
          Interrupt:17 Base address:0xd000
[...]
tap2.0    Link encap:Ethernet  HWaddr 4e:69:00:fd:f0:48
          inet6 addr: fe80::4c69:ff:fefd:f048/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:2343 (2.2 KiB)  TX bytes:468 (468.0 B)

vif2.0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
          inet addr:10.9.3.92  Bcast:10.255.255.255  Mask:255.255.255.255
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

--------

%# route -n
[...]
10.0.2.2        0.0.0.0         255.255.255.255 UH    0      0        0 vif2.0
[...]
10.9.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
[...]
0.0.0.0         172.16.0.1      0.0.0.0         UG    0      0        0 ppp0

The last line is doesn't matter

---------

%# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.2.2             anywhere            PHYSDEV match --physdev-in vif2.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

%# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

==========

from Dom0:

%# ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
From 10.9.3.92 icmp_seq=2 Destination Host Unreachable
From 10.9.3.92 icmp_seq=3 Destination Host Unreachable
From 10.9.3.92 icmp_seq=4 Destination Host Unreachable

from DomU:
%# ping 10.9.3.92
ping time out
ping time out
ping time out
ping time out

Also in Dom0:
%# tcpdump | grep 10.0.2.2
shows nothing ;-(

========

Thanks for patience.

P.S. Gentoo user ;-)

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Alan,

I haven't set up routed networking, but I would say the problem is that
the gateway on the Windows DomU is 10.9.3.1, which it doesn't know how
to get to. I would suggest changing it to 10.0.2.254 which is on the
same subnet as the DomU's network interface, the traffic should then
come out via vif2.0 and be handled by Dom0.

Jeff Williams
wherethebitsroam.com

On 07/05/09 03:57, AlannY wrote:
> [...]
> In my DomU (Windows in my case) I set up network interface as follow:
>
> address 10.0.2.2
> netmask 255.255.255.0
> gateway 10.9.3.1 # it's a gateway which gave me ISP (see above)
> [...]

I followed many tutorials too and pulled my hair out of my head. Remember,
in your guest config file, along with vif = [ip=foo, mac=foo, etc], make
sure to add:

netmask = foo
gateway = foo

AlannY wrote:
> [...]
> In my %.vm (Virtual Machine) file I have:
>
> vif = [ 'ip=10.0.2.2' ]
> [...]

On 07/05/09 16:04, AlannY wrote:
> Jeff Williams wrote:
>> I haven't set up routed networking, but I would say the problem is
>> that the gateway on the Windows DomU is 10.9.3.1, which it doesn't
>> know how to get to. I would suggest changing it to 10.0.2.254
>> which is on the same subnet as the DomU's network interface, the
>> traffic should then come out via vif2.0 and be handled by Dom0.
>
> I changed it. Nothing happens.
>
> In DomU with gateway 10.0.2.254 (BTW, from where you get *.254 address?):

The 10.0.2.254 came from
http://wiki.kartbuilding.net/index.php/Xen_Networking#Two-way_Routed_Network_2

>
> %# ping 10.0.2.254
>
> Pingin 10.0.2.254 with 32 bytes of data:
>
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> And so on for every IP...
>
> Still no luck

You won't be able to ping 10.0.2.254 - it does not exist, but I thought
this should get traffic out to the dom0 as it is on the network assigned
to vif2.0 from the Windows side. You can't ping 10.9.3.92 from the domU?

What does 'route print' show on the Windows domU?

Jeff

I haven't used Xen in routed mode, but I can make a few observations
based on simple IP networking rules.

AlannY wrote:

>Dom0 have one (1) working net card: eth0
>
>with IP for external LAN: 10.9.3.92
>and gateway for with IP: 10.9.3.1

And what IP address have you assigned it for the inside network ?

>In my DomU (Windows in my case) I set up network interface as follow:
>
>address 10.0.2.2
>netmask 255.255.255.0
>gateway 10.9.3.1 # it's a gateway which gave me ISP (see above)

NO, the gateway MUST be an IP address on its own network - ie it MUST
be 10.0.2.<something>. In this case, it should be the internal IP
address you assigned to Dom0. Because the gateway isn't on its own
network, the guest doesn't even know how to reach the gateway - if you
see what I mean.

>%# ifconfig -a
>eth0      Link encap:Ethernet  HWaddr 00:e0:4c:a0:b0:20
>          inet addr:10.9.3.92  Bcast:10.9.3.255  Mask:255.255.255.0
>          inet6 addr: fe80::2e0:4cff:fea0:b020/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:2158921 errors:1 dropped:78 overruns:1 frame:0
>          TX packets:1918655 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:2215803222 (2.0 GiB)  TX bytes:1294017960 (1.2 GiB)
>          Interrupt:17 Base address:0xd000
>[...]
>tap2.0    Link encap:Ethernet  HWaddr 4e:69:00:fd:f0:48
>          inet6 addr: fe80::4c69:ff:fefd:f048/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:500
>          RX bytes:2343 (2.2 KiB)  TX bytes:468 (468.0 B)
>
>vif2.0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
>          inet addr:10.9.3.92  Bcast:10.255.255.255  Mask:255.255.255.255

This will need to be in the 10.0.2.x subnet

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Jeff Williams wrote:
> I haven't set up routed networking, but I would say the problem is that
> the gateway on the Windows DomU is 10.9.3.1, which it doesn't know how
> to get to. I would suggest changing it to 10.0.2.254 which is on the
> same subnet as the DomU's network interface, the traffic should then
> come out via vif2.0 and be handled by Dom0.

I changed it. Nothing happens.

In DomU with gateway 10.0.2.254 (BTW, from where you get *.254 address?):

%# ping 10.0.2.254

Pingin 10.0.2.254 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

And so on for every IP...

Still no luck

Jeff Williams wrote:
> The 10.0.2.254 came from
> http://wiki.kartbuilding.net/index.php/Xen_Networking#Two-way_Routed_Network_2

I have read this page already, but not found answers. The "tutorial" say
something about "gateway 10.0.0.254", but I can't find where discussion
about *.254 (so, I asked) ;-)

> You won't be able to ping 10.0.2.254 - it does not exist, but I thought
> this should get traffic out to the dom0 as it is on the network assigned
> to vif2.0 from the Windows side. You can't ping 10.9.3.92 from the domU?
>
> What does 'route print' show on the Windows domU?
>
> Jeff
>

Nope, I can't ping 10.9.3.92 nor any other known me address.

*In route print nothing special. Sorry, but I can't copy/paste 'cause
don't have network ;-(

Still no luck ;-(

Simon Hobson wrote:
> And what IP address have you assigned it for the inside network ?

I'm not really understand what you are asking, but my card (which eth0)
had only one IP which gives me ISP via DHCP. Maybe I should create alias
(second IP) for it?

> NO, the gateway MUST be an IP address on its own network - ie it MUST
> be 10.0.2.<something>. In this case, it should be the internal IP
> address you assigned to Dom0. Because the gateway isn't on its own
> network, the guest doesn't even know how to reach the gateway - if you
> see what I mean.

Yes, I know this (I'm not so dummy in networking, though). But, as I
have read from many mailing-list (especial list.xensource.com), some
people writing to use Dom0's gateway as gateway. Now, I think, that it's
just my misunderstood, 'cause, seems, I should use Dom0 as gateway
(seems right), but not Dom0's gateway.

> This will need to be in the 10.0.2.x subnet
>

And this I know too.

BUT! From the official XenNetworking
(http://wiki.xensource.com/xenwiki/XenNetworking) I get for routing:
"When domU starts up, xend runs (within dom0) vif-route which: copies
the ip address from eth0 to vif<id#>.0". So, it's not me, who assign
this address for this vif, it have done automatically ;-)

Still no luck...

On Thu, May 7, 2009 at 6:05 PM, AlannY <m@alanny.ru> wrote:
> But, as I have
> read from many mailing-list (especial list.xensource.com), some people
> writing to use Dom0's gateway as gateway. Now, I think, that it's just my
> misunderstood, 'cause, seems, I should use Dom0 as gateway (seems right),
> but not Dom0's gateway.

That depends on what your config is like. If you use NAT on dom0, or if
your ISP assigns a new block of addresses routed via your dom0 IP, then
it's correct.

Can you elaborate why you don't want to use bridging?
IMHO it's easier to setup, and you can still use dom0 as router. For
example, libvirt on RHEL create a NAT network for domU,
192.168.122.0/24, with 192.168.122.1 located on dom0's virbr.

Regards,

Fajar

AlannY wrote:

>BUT! From the official XenNetworking
>(http://wiki.xensource.com/xenwiki/XenNetworking) I get for routing:
>"When domU starts up, xend runs (within dom0) vif-route which:
>copies the ip address from eth0 to vif<id#>.0". So, it's not me, who
>assign this address for this vif, it have done automatically ;-)

Hmm, now I understand why it's not working. It seems to be what could
best be described as an "interesting" setup !

Unfortunately, I think in many OS's you can't set the route as required
- because really you want to be setting your default router as (in
Linux IP speak) :

ip route add default dev eth0

Ie your DomU just spits packets out of the device without considering
what the IP address of the other end is. I **think** the Dom0 will then
take care of routing them to their destination. You'll need to be able
to tell the routers on the "outside" (ie connected to the physical
ethernet card) network that they can route to your DomU via the IP
address of the Dom0.

I don't know if Windows or OS X can do this at all, let alone via their
network config GUIs.

--
Simon Hobson

Fajar A. Nugraha wrote:
> Can you elaborate why you don't want to use bridging?
> IMHO it's easier to setup, and you can still use dom0 as router. For
> example, libvirt on RHEL create a NAT network for domU,
> 192.168.122.0/24, with 192.168.122.1 located on dom0's virbr.

So, my ISP giving my address 10.9.3.92/24. When I'm using bridging, for
every DomU I must assign address from my ISP's network (10.9.3.0/24),
for example 10.9.3.93. In that configuration everything works, I can
ping ISP's LAN and Dom0 (10.9.3.92).

But, my ISP give me just ONE IP - 10.9.3.92. I can't use any other
address. I'm afraid that my configuration will invoke an "IP address
conflict". And, in either case, if I would like to connect to 10.9.3.93
from my Dom0? Where it will connect? to DomU or to real user of my ISP?

So, after 2 days of bridging magic, I decide to drop that idea and now
looking for another solution.

Early, I have used Qemu and there was that configuration for net: tap0
is up and then some masquerading with iptables. Everything works. But, I
can't adapt this solution to Xen (yet?).

That is ;-)

I am not familiar enough with Xen routing to help you, but I can tell
you that there are users out there using Xen with routing and NAT.
Also, there has been discussion of setting up a domU as a firewall in
the last 24 hours where it would be the only exposed host and dom0 would
be on an internal bridge. In this scenario, you could use bridging and
have the firewall domU be a NAT domU.

Dustin

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of AlannY
Sent: Thursday, May 07, 2009 11:33
To: Fajar A. Nugraha
Cc: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Help me to set up network (routes)

[...]

AlannY wrote:

>But, my ISP give me just ONE IP - 10.9.3.92. I can't use any other
>address. I'm afraid that my configuration will invoke an "IP address
>conflict". And, in either case, if I would like to connect to
>10.9.3.93 from my Dom0? Where it will connect? to DomU or to real
>user of my ISP?
>
>So, after 2 days of bridging magic, I decide to drop that idea and
>now looking for another solution.

I would seriously consider running a DomU dedicated as your outside
router/firewall. I do that, in my case I use a Netgear DM111P
ADSL-Ethernet modem and an ethernet card in the server. I use
pciback.hide to hide the ethernet card from Dom0 and assign it to the
router DomU (which runs Shorewall).

IMO this gives you an easy to configure and easy to secure setup - your
'router' is a simple "two ethernet card" job, and Dom0 is not directly
connected to the outside world. As you've found out, the networking in
Dom0 is non-trivial, and it's a lot easier to separate out the external
routing/firewall functions into their own DomU.

However, I don't know what is required to use your outside interface in
a DomU - all I can see is that it's a PPP interface, so is that using an
ADSL modem card ?

--
Simon Hobson

Ravikesh Chandra
2009-May-07 21:52 UTC
[SPAM] Re: [Xen-users] Help me to set up network (routes)
2009/5/8 AlannY <m@alanny.ru>

> Fajar A. Nugraha wrote:
>
>> Can you elaborate why you don't want to use bridging?
>> IMHO it's easier to setup, and you can still use dom0 as router. For
>> example, libvirt on RHEL create a NAT network for domU,
>> 192.168.122.0/24, with 192.168.122.1 located on dom0's virbr.
>>
>
> So, my ISP giving my address 10.9.3.92/24. When I'm using bridging, for
> every DomU I must assign address from my ISP's network (10.9.3.0/24), for
> example 10.9.3.93. In that configuration everything works, I can ping ISP's
> LAN and Dom0 (10.9.3.92).
>
> But, my ISP give me just ONE IP - 10.9.3.92. I can't use any other address.
> I'm afraid that my configuration will invoke an "IP address conflict". And,
> in either case, if I would like to connect to 10.9.3.93 from my Dom0? Where
> it will connect? to DomU or to real user of my ISP?
>
> So, after 2 days of bridging magic, I decide to drop that idea and now
> looking for another solution.
>
>

I think what Fajar is trying to say is that, out-of-the-box CentOS/RHEL
support the type of networking you want to achieve using bridging + NAT.
The Dom0 is assigned your IP from your ISP and internally creates a
bridge and DHCP server for your DomUs. So you enable DHCP in your DomUs
and they will be automatically assigned an ip in the 192.168.122.* range
and have internet connectivity through the Dom0.

Regards,
Ravikesh

On Thu, May 7, 2009 at 10:32 PM, AlannY <m@alanny.ru> wrote:
> Early, I have used Qemu and there was that configuration for net: tap0 is up
> and then some masquerading with iptables. Everything works. But, I can't
> adapt this solution to Xen (yet?).

You can. Easily.
RHEL5 by default has libvirt, which would create a bridge called
virbr0. Just assign your domUs to that bridge and they will be
automagically NAT-ed without having to setup any iptables rules
manually.

Regards,

Fajar

Fajar A. Nugraha wrote:
> You can. Easily.
> RHEL5 by default has libvirt, which would create a bridge called
> virbr0. Just assign your domUs to that bridge and they will be
> automagically NAT-ed without having to setup any iptables rules
> manually.

I'm in Gentoo and there are libvirt *masked* for installing, so I can't
use it ;-( But you give me a good idea to port my thoughts from my Qemu
network to Xen.

Today, I rewrite vif-nat script and make my own. And it works! This is
NOT a great script, 'cause only one Xen machine can grab network
(really, I don't test it on 2 or more VM, so I thought it cannot work).
But, I'm love my hardware and never-never run more than one VM.

My script is, of course, for me only. But, I decide to post in here, on
mailing-list, 'cause maybe someone find it later via Google ;-)

============================
%# cat > /etc/xen/scripts/vif-tap << "EOF"
#!/bin/bash
# written by AlannY (m@alanny.ru) from vif-nat.
# 8 May 2009
# public domain

dir=$(dirname "$0")
. "$dir/vif-common.sh"

if [ "$ip" = "" ]; then
    fatal 'IP not found in config'
fi

# Dom0 side of the link is x.y.z.1, broadcast is x.y.z.255
dom0_ip=$(echo "$ip" | awk -F. '{print $1"."$2"."$3".1"}')
dom0_broadcast=$(echo "$ip" | awk -F. '{print $1"."$2"."$3".255"}')

# strip an optional /prefix from the configured address
domU_ip=$(echo "$ip" | awk -F/ '{print $1}')

# string comparison: -eq only compares integers and fails on addresses
if [ "$domU_ip" = "$dom0_ip" ]; then
    fatal 'DomU IP cannot be Dom0 IP'
fi

if [ "$domU_ip" = "$dom0_broadcast" ]; then
    fatal 'DomU IP cannot be Dom0 broadcast'
fi

# it's a HACK
tap=$(echo "$vif" | sed s/vif/tap/)

case "$command" in
    online)
        if ip route | grep -q "dev $tap"
        then
            log debug "$tap already up"
            exit 0
        fi

        do_or_die ifconfig "$tap" up "$dom0_ip" netmask "255.255.255.0" broadcast "$dom0_broadcast"

        do_or_die iptables -t nat -A POSTROUTING -s "$domU_ip" -j MASQUERADE
        # no -j target: this rule only counts matching packets
        do_or_die iptables -t nat -A POSTROUTING -d "$domU_ip" -o "$tap"
        ;;
    offline)
        do_without_error ifconfig "$vif" down
        do_without_error iptables -t nat -D POSTROUTING -s "$domU_ip" -j MASQUERADE
        do_without_error iptables -t nat -D POSTROUTING -d "$domU_ip" -o "$tap"
        ;;
esac

log debug "Successful vif-tap $command for $tap."
if [ "$command" = "online" ]; then
    success
fi
EOF
%# chmod 0755 /etc/xen/scripts/vif-tap

Also, edit /etc/xen/xend-config.sxp and replace:

(network-script /bin/true)
(vif-script vif-tap)

On every Virtual Machine configuration file use:

vif = [ 'ip=xx.xx.xx.xx' ]

for example:

vif = [ 'ip=10.0.2.2' ]

On Virtual OS use following settings:

ip=vif_ip # (see above), for example 10.0.2.2
netmask=255.255.255.0
gateway=xx.xx.xx.1 # based on vif_ip with 1 at the end, for example 10.0.2.1

=======================================

I'm using Xen only 3rd (or 2nd) day, and don't understand how Xen works
with TUN/TAP and why vifs are so important. So, I decide to turn off
that vifs and leave only virtual TUN/TAP driver, which, of course, do
the main job. Maybe it's a core mistake and it can't be applied to Xen,
but - this script works ;-) And this is only what I need ;-)

As I said before - this script is only for my purpose.

The problem is solved. Thanks for your patience ;-)

AlannY wrote:
>

Ok. I found more better solution. It's called Bridging+NAT.

So, a small tutorial.

1) With methods of your OS create a dummy (empty) bridge: br0 (setup its
   options).
2) Set up IP for bridge. (For example, 10.0.2.1)
2) Edit /etc/xen/xend-config.sxp:
     (network-script /bin/true)
     (vif-script vif-bridge)
3) Edit your VM configuration file:
     vif = [ 'bridge=br0' ] # it's the bridge, which we created in step 1
4) Load DomU. Change DomU network configuration:
     IP: Any IP in network specified in step 2 (for example, 10.0.2.2)
     Mask: Mask from step 2 (for example, 255.255.255.0)
     Gateway: Bridge from step 1 IP (for example, 10.0.2.1)
5) In Dom0 apply 2 iptables rules (kernel must be compiled with NAT
   support):
     iptables -t nat -A POSTROUTING -s <IP FROM STEP 4> -j MASQUERADE
     iptables -t nat -A POSTROUTING -d <IP FROM STEP 4> -o <BRIDGE FROM STEP 1>
6) Start DomU

That's all. Dom0 accessed from DomU via Bridge IP (step 2). DomU
accessed from Dom0 via DomU IP (STEP 4).

Everything must work at this point ;-)

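The Bridging+NAT steps above, combined with Simon Hobson's earlier point that the guest's gateway must sit on the guest's own network, as an added example that is not part of the thread: a script that refuses guest settings that cannot work and otherwise prints the dom0 commands. The function names, the uplink argument and the FORWARD rules are assumptions of this example; the MASQUERADE rule is scoped with -o to the uplink, and the thread's second POSTROUTING rule is left out because a rule without a -j target only counts packets.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the UPLINK argument
# and the FORWARD rules are assumptions made for illustration.

# ip_to_int A.B.C.D: print the address as an integer, fail if malformed.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                  # split on dots; input holds digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP GATEWAY NETMASK: succeed when GATEWAY is on-link for IP.
same_subnet() {
    a=$(ip_to_int "$1") && g=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( g & m )) ]
}

# nat_plan BRIDGE BRIDGE_IP NETMASK GUEST_IP GUEST_GATEWAY UPLINK
# Prints the dom0 commands on stdout, or returns 1 with a reason on stderr.
nat_plan() {
    br=$1 br_ip=$2 mask=$3 guest=$4 gw=$5 uplink=$6
    for n in "$br" "$uplink"; do
        case "$n" in
            ""|*[!A-Za-z0-9_.-]*) echo "bad interface name: $n" >&2; return 1 ;;
        esac
    done
    # The first configuration in the thread (guest 10.0.2.2, gateway 10.9.3.1)
    # fails here: the guest cannot reach a gateway outside its own network.
    if ! same_subnet "$guest" "$gw" "$mask"; then
        echo "gateway $gw is malformed or not on the guest's network $guest/$mask" >&2
        return 1
    fi
    # 10.0.2.254 fails here: on the right network, but no host owns it.
    if [ "$gw" != "$br_ip" ]; then
        echo "gateway $gw is not the bridge address $br_ip" >&2
        return 1
    fi
    if [ "$guest" = "$br_ip" ]; then
        echo "guest address collides with the bridge address" >&2
        return 1
    fi
    # Masquerade only what leaves through the uplink, forward only the guest's
    # flows and their replies, then drop everything else that would be forwarded
    # (assumes dom0 routes for nothing but this guest).
    cat <<EOF
brctl addbr $br
ifconfig $br $br_ip netmask $mask up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $guest -o $uplink -j MASQUERADE
iptables -A FORWARD -i $br -o $uplink -s $guest -j ACCEPT
iptables -A FORWARD -i $uplink -o $br -d $guest -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Stand-alone use: sh nat_plan.sh br0 10.0.2.1 255.255.255.0 10.0.2.2 10.0.2.1 eth0
if [ $# -eq 6 ]; then nat_plan "$@"; fi
```

The script only prints commands; review the output before running it as root on dom0.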
On Fri, May 8, 2009 at 7:44 PM, AlannY <m@alanny.ru> wrote:
> AlannY wrote:
>>
>
> Ok. I found more better solution. It's called Bridging+NAT.

That's pretty much what libvirt does. The part that concerns NAT anyway :)

>
> So, a small tutorial.
>
> 1) With methods of your OS create a dummy (empty) bridge: br0 (setup its
> options).

In libvirt, by default it's virbr0

> 2) Set up IP for bridge. (For example, 10.0.2.1)

192.168.122.1/24 on virbr0

> 2) Edit /etc/xen/xend-config.sxp:
> (network-script /bin/true)
> (vif-script vif-bridge)
> 3) Edit your VM configuration file:
> vif = [ 'bridge=br0' ] # it's the bridge, which we created in step 1
> 4) Load DomU. Change DomU network configuration:
> IP: Any IP in network specified in step 2 (for example, 10.0.2.2)
> Mask: Mask from step 2 (for example, 255.255.255.0)
> Gateway: Bridge from step 1 IP (for example, 10.0.2.1)

You have two "step 2" :D

> 5) In Dom0 apply 2 iptables rules (kernel must be compiled with NAT
> support):
> iptables -t nat -A POSTROUTING -s <IP FROM STEP 4> -j MASQUERADE
> iptables -t nat -A POSTROUTING -d <IP FROM STEP 4> -o <BRIDGE FROM STEP 1>

Libvirt uses dnsmasq to add dhcp and DNS for NAT-ed domUs

/usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces
    --pid-file --conf-file --listen-address 192.168.122.1
    --except-interface lo
    --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases
    --dhcp-range 192.168.122.2,192.168.122.254

>
> 6) Start DomU
>
> That's all. Dom0 accessed from DomU via Bridge IP (step 2). DomU accessed
> from Dom0 via DomU IP (STEP 4).
>
> Everything must work at this point ;-)
>

Glad to hear it!

Regards,

Fajar