Good afternoon,

I have a host on which I am running Xen. I have successfully created a new guest machine and I can connect to it using routed networking. I am not able to use bridged due to restrictions with my hosting company.

This server has a connection to my VPN on interface tap0. I would like to add another interface to each of my virtual machines on this VPN network, which means that I need to be able to route over the tap0 interface (I think). However I have not been able to accomplish this and searching around the internet has not provided me with a complete answer. If anyone has any pointers on this please can you forward them on?

I know I could probably run OpenVPN on each of the virtual machines, but that would mean traffic is being sent back and forth between remote servers rather than on the one network on the host, e.g. if machine A wants to communicate with machine B on the VPN network and they are both hosted on the same host.

Both the host and the virtual machines are running Debian 5 64 bit.

Thanks very much,
Russell Seymour

PS I have seen lots of articles / posts about OpenVPN and people saying that it should be a question for that list, however as I am trying to route the traffic after the VPN endpoint around a virtual network I thought this would be the better list.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Wed, Dec 29, 2010 at 8:53 PM, Russell Seymour <russell.seymour@turtlesystems.co.uk> wrote:
> Good afternoon,
>
> I have a host on which I am running Xen. I have successfully created a new
> guest machine and I can connect to it using routed networking. I am not
> able to use bridged due to restrictions with my hosting company.

You can use bridge networking with a custom bridge not connected to any dom0's eth, and making dom0 a router/firewall for domUs. If you're familiar with managing router/firewall, this setup is actually easier to manage.

One example of such setup is virbr0 created by libvirt (bridge + nat).

> This server has a connection to my VPN on interface tap0. I would like to
> add another interface to each of my virtual machines on this VPN network
> which means that I need to be able to route over the tap0 interface (I
> think). However I have not been able to accomplish this and searching
> around the internet has not provided me with a complete answer. If anyone
> has any pointers on this please can you forward them on?

You can try:
- create a bridge manually on dom0 (call it brtap0 or whatever)
- put tap0 on that bridge (you can use openvpn's --up argument to do this automatically, see openvpn's manual)
- add another interface on domU's config, but specifically use "script=vif-bridge" on that vif's definition, and put it on the same bridge

That way you should be able to use both route and bridge networking.

--
Fajar
Fajar,

Thanks very much for this.

I am looking at changing the way the networking works as you have suggested. I use iptables currently for my home router so am familiar with this sort of setup.

I have created my virbr0 using libvirt, but how do I now tell Xen to use this interface? I have modified the .sxp file to use bridge networking, but it creates its own thing. I have tried to set it to netdev=virbr0 but that did not seem to have any effect. In other words, how can I get Xen to use this custom bridge?

Thanks again,
Russell

On 29/12/2010 14:31, Fajar A. Nugraha wrote:
> On Wed, Dec 29, 2010 at 8:53 PM, Russell Seymour
> <russell.seymour@turtlesystems.co.uk> wrote:
>> Good afternoon,
>>
>> I have a host on which I am running Xen. I have successfully created a new
>> guest machine and I can connect to it using routed networking. I am not
>> able to use bridged due to restrictions with my hosting company.
> You can use bridge networking with a custom bridge not connected to
> any dom0's eth, and making dom0 a router/firewall for domUs. If you're
> familiar with managing router/firewall, this setup is actually easier
> to manage.
>
> One example of such setup is virbr0 created by libvirt (bridge + nat).
>
>> This server has a connection to my VPN on interface tap0. I would like to
>> add another interface to each of my virtual machines on this VPN network
>> which means that I need to be able to route over the tap0 interface (I
>> think). However I have not been able to accomplish this and searching
>> around the internet has not provided me with a complete answer. If anyone
>> has any pointers on this please can you forward them on?
>>
> You can try:
> - create a bridge manually on dom0 (call it brtap0 or whatever)
> - put tap0 on that bridge (you can use openvpn's --up argument to do
> this automatically, see openvpn's manual)
> - add another interface on domU's config, but specifically use
> "script=vif-bridge" on that vif's definition, and put it on the same
> bridge
>
> That way you should be able to use both route and bridge networking.
On Thu, Dec 30, 2010 at 4:31 AM, Russell Seymour <russell.seymour@turtlesystems.co.uk> wrote:
> Fajar,
>
> Thanks very much for this.
>
> I am looking at changing the way the networking works as you have
> suggested. I use iptables currently for my home router so am familiar with
> this sort of setup.
>
> I have created my virbr0 using libvirt,

I use virbr0 as an example. It's set up by default by libvirt using masquerade NAT. If you want routing without NAT, create a new bridge using your OS's networking setup.

See http://wiki.debian.org/BridgeNetworkConnections for an /etc/network/interfaces example. You won't need "bridge_ports" for this purpose (since the bridge will only connect with domU's interfaces, not dom0's eth).

> but how do I now tell Xen to use
> this interface? I have modified the .sxp file to use bridge networking,

which sxp? xend-config.sxp?

> but
> it creates its own thing.

if you don't need to bridge domU directly to dom0's eth, you can just comment-out the network-script line on xend-config.sxp entirely.

> I have tried to set it to netdev=virbr0 but that
> did not seem to have any effect. In other words how can I get Xen to use
> this custom bridge?

Are you going for full bridged networking?
If yes, the easiest way would be to:
- comment-out network-script on xend-config.sxp (or leave it with network-route, if you still need it)
- create your own bridge in /etc/network/interfaces (call it brtap0 or whatever)
- create necessary routing/iptables rules
- use something like this on domU's vif config line

    vif = [ 'mac=00:16:3E:7F:A5:5C, script=vif-bridge, bridge=brtap0, vifname=domU1-eth0' ]

--
Fajar
OK great, this is getting clearer :-).

I thought I would do the virtual bridge networking as I can then use iptables etc to manage it. I am not able to use full bridged networking for the static public IP addresses for my domUs as I have to use routing, as this is a restriction imposed by my hosting provider.

So this is what I think I can do:
- comment out network-script in xend-config.sxp
- create the bridges as needed, e.g. virbr0 and brtap0
- configure routing and masquerading for the public IP addresses to NAT through to the internal addresses on the domUs connected to virbr0
- use the bridged brtap0 and assign IP addresses on my domUs that are within my OpenVPN subnet

I think that is correct, apologies if I am barking up the wrong tree.

Thanks very much for your help.

Russell

On 29/12/2010 21:47, Fajar A. Nugraha wrote:
> On Thu, Dec 30, 2010 at 4:31 AM, Russell Seymour
> <russell.seymour@turtlesystems.co.uk> wrote:
>> Fajar,
>>
>> Thanks very much for this.
>>
>> I am looking at changing the way the networking works as you have
>> suggested. I use iptables currently for my home router so am familiar with
>> this sort of setup.
>>
>> I have created my virbr0 using libvirt,
> I use virbr0 as an example. It's set up by default by libvirt using
> masquerade NAT. If you want routing without NAT, create a new bridge
> using your OS's networking setup.
>
> See http://wiki.debian.org/BridgeNetworkConnections for
> /etc/network/interfaces example. You won't need "bridge_ports" for
> this purpose (since the bridge will only connect with domU's
> interfaces, not dom0's eth).
>
>> but how do I now tell Xen to use
>> this interface? I have modified the .sxp file to use bridge networking,
> which sxp? xend-config.sxp?
>
>> but
>> it creates its own thing.
> if you don't need to bridge domU directly to dom0's eth, you can just
> comment-out network-script line on xend-config.sxp entirely.
>
>> I have tried to set it to netdev=virbr0 but that
>> did not seem to have any effect. In other words how can I get Xen to use
>> this custom bridge?
> Are you going for full bridged networking?
> If yes, the easiest way would be to:
> - comment-out network-script on xend-config.sxp (or leave it with
> network-route, if you still need it)
> - create your own bridge in /etc/network/interfaces (call it brtap0 or whatever)
> - create necessary routing/iptables rules
> - use something like this on domU's vif config line
>
> vif = [ 'mac=00:16:3E:7F:A5:5C, script=vif-bridge, bridge=brtap0,
> vifname=domU1-eth0' ]
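The dom0 side of the plan above (tap0 enslaved to brtap0 from OpenVPN's --up hook, and each routed public IP NATed through to a domU on virbr0), as an added example script that is not from the thread. It assumes the bridge name brtap0, uplink eth0, OpenVPN running in tap (layer-2) mode, and the placeholder addresses 203.0.113.10 (public) and 192.168.122.10 (domU).

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: bridge brtap0, uplink
# eth0, placeholder addresses below. A tun device cannot be bridged, so the
# VPN must use a tap device (tap0 in the thread).
set -eu

BRIDGE="${BRIDGE:-brtap0}"
UPLINK="${UPLINK:-eth0}"

# DRY_RUN=1 prints each command instead of executing it (no root needed),
# which also lets you review the rules before they are applied.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Used as the OpenVPN --up script: openvpn passes the device name as $1.
# Brings the tap device up and enslaves it to the bridge, so domU vifs
# defined with script=vif-bridge,bridge=brtap0 share the VPN segment
# locally instead of hairpinning through the remote VPN server.
attach_tap_to_bridge() {
    dev="$1"
    run ip link set dev "$dev" up
    run brctl addif "$BRIDGE" "$dev"
}

# 1:1 NAT of a public IP (routed to dom0 by the provider) to a private
# domU address on virbr0. Only the DNATed address is forwarded; other
# traffic falls through to the FORWARD chain's default policy.
nat_public_ip() {
    pub="$1"
    priv="$2"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$UPLINK" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -s "$priv" -o "$UPLINK" -j SNAT --to-source "$pub"
    run iptables -A FORWARD -i "$UPLINK" -d "$priv" -j ACCEPT
    run iptables -A FORWARD -o "$UPLINK" -s "$priv" -j ACCEPT
}

# When invoked by openvpn --up, $1 is the tap device (e.g. tap0).
if [ "$#" -ge 1 ]; then
    attach_tap_to_bridge "$1"
fi
```

Run it once with DRY_RUN=1 to inspect the exact ip/brctl/iptables commands before pointing openvpn's --up at it.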
On 29/12/10 21:55, Russell Seymour wrote:
> OK great, this is getting clearer :-).
>
> I thought I would do the virtual bridge networking as I can then use
> iptables etc to manage it. I am not able to use full bridged
> networking for the static public IP addresses for my domUs as I have
> to use routing as this is a restriction imposed by my hosting provider.
>

Hi Russell,

I'm just wondering, why is your hosting provider forcing you to set up the topology of your network in a way that they see best? This sounds very draconian to me...

Of course, there are technical reasons why you must do this, for example you are given a link address and need your own edge router. I'm very interested in the reason behind this.

Cheers