gregk.xen@mailforce.net
2011-Sep-17 22:40 UTC
[Xen-users] Should VMs'' IP addresses be on the same subnet as the Dom0 and other boxes on our LAN?
Hi. I've installed our 1st Virtualized server using Xen. I've managed to create & populate a VM that's going to be used as our office mail server. Everything seems to work ok -- I can send/receive email to/from the 'real world'.

I've read a bunch at the Xen wiki about routing, and bridging, and security. Wow! Lots of stuff to digest compared to doing stuff in VirtualBox. But I get this is a different beast, and I think I got a good idea of what I _can_ do.

I've one question about assigning VM's IP addresses. Basically, what _should_ I do about assigning VM IP addresses?

What I have right now is pretty basic.

Internet
 |
 |
 | X.X.X.X/29
Firewall+Router: 10.0.0.1
 | 10.0.0.1/24
 |
 |
Ethernet Switch
 |
 |---- my Desktop: eth0:10.0.0.2
 |
 |---- Server Dom0: eth0:10.0.0.3
 |
 |---- VM#1 (Mail Server): bridge:10.0.0.4

Mail sent from the outside to my network gets a NAT redirect to the Mail Server @ 10.0.0.4.

Works great.

My question is:

For security, or performance, or general Xen, reasons, should I change that "VM#1 (Mail Server)" IP address to a different subnet. Like 10.100.0.1/24? And do some sort of routing somewhere?

Instead of having mail traffic passthrough 'through' the Dom0 to the VM, is it better to have a second, real Ethernet card assigned to the VM, and do this instead:

Internet
 |
 |
 | X.X.X.X/29
Firewall+Router: eth0: 10.0.0.1, 10.100.0.1
 | 10.0.0.1/24, 10.100.0.1/24
 |
Ethernet Switch
 |
 |-------------------------------------------------------------|
 |                                                             |
 |                                                             |
 |---- my Desktop: eth0:10.0.0.2                               |
 |                                                             |
 |---- Server Dom0: eth0:10.0.0.3                              |
 |                                                             |
 |---- VM#1 (Mail Server): bridge:10.0.0.4                     |
 |                                                             |
 |----: 'real' eth1:10.100.0.4 ----------------------------|

?

Thanks for your help with any suggestions or any good URLs to read!

Greg

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Simon Hobson
2011-Sep-18 07:52 UTC
Re: [Xen-users] Should VMs'' IP addresses be on the same subnet as the Dom0 and other boxes on our LAN?
gregk.xen@mailforce.net wrote:

>I've one question about assigning VM's IP addresses. Basically, what
>_should_ I do about assigning VM IP addresses?

Short answer - whatever is right for *your* network ! Xen just doesn't care, and it doesn't impose any restrictions. Think of the bridge in Dom0 as "just another switch" and you're near enough there.

>What I have right now is pretty basic.
>
>Internet
> |
> |
> | X.X.X.X/29
>Firewall+Router: 10.0.0.1
> | 10.0.0.1/24
> |
> |
>Ethernet Switch
> |
> |---- my Desktop: eth0:10.0.0.2
> |
> |---- Server Dom0: eth0:10.0.0.3
> |
> |---- VM#1 (Mail Server): bridge:10.0.0.4
>
>Mail sent from the outside to my network gets a NAT redirect to the Mail
>Server @ 10.0.0.4.
>
>Works great.

Yes, I'd expect it to. Most of us running home servers will have something similar.

>My question is:
>
>For security, or performance, or general Xen, reasons, should I change
>that "VM#1 (Mail Server)" IP address to a different subnet. Like
>10.100.0.1/24? And do some sort of routing somewhere?

Well there is an argument for not running public servers on the same network as your internal stuff - so that should someone compromise your public facing server, they still have another layer of security before they can get to your LAN.

On the other hand, lots and lots of people (including myself) have a setup just like yours.

>Instead of having mail traffic passthrough 'through' the Dom0 to the VM,
>is it better to have a second, real Ethernet card assigned to the VM,
>and do this instead:
>
>Internet
> |
> |
> | X.X.X.X/29
>Firewall+Router: eth0: 10.0.0.1, 10.100.0.1
> | 10.0.0.1/24, 10.100.0.1/24
> |
>Ethernet Switch
> |
> |-------------------------------------------------------------|
> |                                                             |
> |                                                             |
> |---- my Desktop: eth0:10.0.0.2                               |
> |                                                             |
> |---- Server Dom0: eth0:10.0.0.3                              |
> |                                                             |
> |---- VM#1 (Mail Server): bridge:10.0.0.4                     |
> |                                                             |
> |----: 'real' eth1:10.100.0.4 ----------------------------|

Unless your hardware has hardware IO Emulation then I don't think this would help at all - Dom0 still has to route the packets, just at the PCI emulation level instead of layer 2 network. Or that's my understanding anyway.

But I wouldn't bother - your mail server isn't going to be running up huge loads in Dom0. I've got servers running much larger IO loads and it's not an issue for me. For completeness though, it is true that Dom0 can be a bottleneck for network IO as I believe (from comments posted here) the packet handling code is single threaded. Unless your internet connection is rated in gigabits *and* you use it, then it's not going to be an issue for your mail server !

Now, given that you have 5 public IPs available, I'd be tempted to do something different for different reasons. This is just one of those "this is my preference" things - it's very subjective and a matter of preference.

I'd make a separate switch for your X.X.X.X/29 subnet and put my public facing servers there - no NAT to f**k up stuff. Yes, I have this thing about NAT, and especially about people who think it's the best thing since sliced bread - NAT == broken.

It does depend on how your internet, and the IPs, are provided. On our ADSL lines we use PPPoA and with the right modem can use PPPoE at our end - or as I've got, PPPoEoA ! Typically one of the public IPs is used for our end of the PPP link and "it just works" to use that same address on the ethernet side. If your internet is provided as an ethernet connection, then proxy ARP might be required.

So you'd still use NAT from your LAN to the internet, but your servers would be on public IPs in a DMZ. Or, you can just use the public IPs as the mapped address for NAT and it still works for most stuff (mail included).

NB - At home the block you have labelled as Firewall+Router is a guest on my Xen host. I used to have a separate physical NIC given over to this with PCI passthrough, but at the moment I'm using a single NIC as my new box is very light on slots and I'm using PPPoE which means the modem itself can be on the LAN. At some point I'll probably pick myself up a small switch that can do VLANs and split them out again.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
gregk.xen@mailforce.net
2011-Sep-18 15:54 UTC
Re: [Xen-users] Should VMs'' IP addresses be on the same subnet as the Dom0 and other boxes on our LAN?
Simon,

Thanks for such a great response, and having patience with a beginner :-)

> Xen just doesn't care, and it doesn't impose any restrictions. Think
> of the bridge in Dom0 as "just another switch" and you're near enough
> there.

That helps to think about it that way.

> lots and lots of people (including myself) have a setup just like yours.

Okay, so I'm not being completely harebrained about this.

> Unless your internet connection is
> rated in gigabits *and* you use it, then it's not going to be an
> issue for your mail server !

My external-internet connection isn't THAT heavily used. But I do hope to have a FileServer (NFS4 maybe) for my LAN and my VMs serving from my Xen box. I haven't figured out if I should do that at Dom0 or in another VM yet. Anyway, that means the ethernet connection between the Xen box and my LAN may be pretty heavily used.

Does THAT make a difference ?

> Now, given that you have 5 public IPs available ...

Yeah, I'd thought about that a bit. And, I've got a VLAN-capable switch sitting on my shelf here that I've been staring at wondering what to do with.

I put that off for now, trying to KISS at the start of this.

Good food for thought.

> NB - At home the block you have labelled as Firewall+Router is a
> guest on my Xen host. I used to have a separate physical NIC given
> over to this with PCI passthrough, but at the moment I'm using a
> single NIC as my new box is very light on slots and I'm using PPPoE
> which means the modem itself can be on the LAN. At some point I'll
> probably pick myself up a small switch that can do VLANs and split
> them out again.

Right now I'm on ATT DSL, which is PPPoE. I put the modem in a passive bridge mode, and am handling the PPPoE on the Firewall+Router.

My box is light on slots too, and I'm a bit nervous about PCI Passthrough. There's tons written about it, and from what I've seen, lots of nitpicky problems. Maybe later I'll try that.

Thanks a lot!

Greg
Simon Hobson
2011-Sep-18 20:59 UTC
Re: [Xen-users] Should VMs'' IP addresses be on the same subnet as the Dom0 and other boxes on our LAN?
gregk.xen@mailforce.net wrote:

>> Unless your internet connection is
>> rated in gigabits *and* you use it, then it's not going to be an
>> issue for your mail server !
>
>My external-internet connection isn't THAT heavily used. But I do hope
>to have a FileServer (NFS4 maybe) for my LAN and my VMs serving from my
>Xen box. I haven't figured out if I should do that at Dom0 or in
>another VM yet. Anyway, that means the ethernet connection between the
>Xen box and my LAN may be pretty heavily used.
>
>Does THAT make a difference ?

Nope, not really as I'm assuming it's for a home setup. I doubt you'll be that bothered if a file takes 12 seconds to copy instead of 8. If you were *that* worried about performance then you'd almost certainly be looking at a dedicated (bare metal) box for the server.

Don't forget that block device access also goes through Dom0, not just the network.

>> Now, given that you have 5 public IPs available ...
>
>Yeah, I'd thought about that a bit. And, I've got a VLAN-capable
>switch sitting on my shelf here that I've been staring at wondering what
>to do with.
>
>I put that off for now, trying to KISS at the start of this.

KISS is good.

FYI - my plan would be :
1 VLAN for LAN
1 VLAN for outside (ie modem and PPPoE)
1 VLAN for public wireless
and add an access point that supports multiple SSIDs on separate VLANs (which is actually quite common)

Set a switch port to trunked mode, and trunk all those into your single NIC on the host, and configure bridges for each VLAN. Connect interface(s) to DomUs as required. If using an external firewall/router, you'd need to trunk the relevant ports to that instead of/as well as Dom0 - eg Dom0 wouldn't need direct access to the modem.

>Right now I'm on ATT DSL, which is PPPoE. I put the modem in a passive
>bridge mode, and am handling the PPPoE on the Firewall+Router.

Certainly for Linux based devices, you can use the same IP/subnet mask on the internal side as the outside with that configuration. Then you can NAT your LAN to the gateway IP, and let other devices have direct public IPs. Not something I've actually setup myself as so far I've either had a single IP or not been using NAT.

--
Simon Hobson
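The "one trunk port, one bridge per VLAN" plan above, as an added example that is not part of the thread: a POSIX sh script that builds a tagged sub-interface and an address-less bridge for each VLAN on the Dom0 NIC using iproute2, and emits the matching DomU vif= line (xl syntax). The VLAN ids, bridge names and the eth0 trunk NIC are constructed assumptions; DRY_RUN=1 (default) prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread: one bridge per VLAN on a Dom0 whose
# single NIC sits on a trunk port, as Simon describes. iproute2 only.
# VLAN ids and bridge names are constructed for illustration.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).
TRUNK_NIC="${TRUNK_NIC:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# run_or_print CMD... : echo the command when DRY_RUN=1, otherwise execute it
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vlan_bridge VLAN_ID BRIDGE_NAME
# Create tagged sub-interface <nic>.<id> and enslave it to BRIDGE_NAME.
# The bridge gets no IP address: a DomU attached to it sees only that VLAN,
# and Dom0 itself stays off the "outside" (modem/PPPoE) segment entirely.
vlan_bridge() {
    vid="$1"; br="$2"; sub="${TRUNK_NIC}.${vid}"
    run_or_print ip link add link "$TRUNK_NIC" name "$sub" type vlan id "$vid"
    run_or_print ip link add name "$br" type bridge
    run_or_print ip link set "$sub" master "$br"
    run_or_print ip link set "$sub" up
    run_or_print ip link set "$br" up
}

# xen_vif_line BRIDGE_NAME : the vif= line for a DomU config (xl syntax) so
# the guest lands on exactly that VLAN's bridge and nothing else
xen_vif_line() {
    echo "vif = [ 'bridge=$1' ]"
}

# Constructed plan mirroring the three VLANs Simon lists (ids are made up):
#   10 = LAN, 20 = outside (modem/PPPoE), 30 = public wireless
main() {
    run_or_print ip link set "$TRUNK_NIC" up
    vlan_bridge 10 xenbr-lan
    vlan_bridge 20 xenbr-wan
    vlan_bridge 30 xenbr-wifi
    # The firewall/router DomU would get a vif on every bridge; the mail
    # server (and a file server) only the LAN one, shown here.
    xen_vif_line xenbr-lan
}

main
```

Give the firewall/router DomU one vif per bridge and it becomes the only thing that spans the VLANs, which is what keeps the modem segment and the public wireless away from the LAN.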
gregk.xen@mailforce.net
2011-Sep-18 22:49 UTC
Re: [Xen-users] Should VMs'' IP addresses be on the same subnet as the Dom0 and other boxes on our LAN?
Hi Simon,

On Sunday, September 18, 2011 9:59 PM, "Simon Hobson" <simon@thehobsons.co.uk> wrote:

> >Does THAT make a difference ?
>
> Nope, not really as I'm assuming it's for a home setup.
> I doubt you'll be that bothered if a file takes 12 seconds to copy instead of 8.

Actually, for a small office. But that's true enough.

> Don't forget that block device access also goes through Dom0, not just the network.

Actually, I had forgotten. Good point.

> FYI - my plan would be :
> 1 VLAN for LAN
> 1 VLAN for outside (ie modem and PPPoE)
> 1 VLAN for public wireless
> and add an access point that supports multiple SSIDs on separate
> VLANs (which is actually quite common)
>
> Set a switch port to trunked mode, and trunk all those into your
> single NIC on the host, and configure bridges for each VLAN. Connect
> interface(s) to DomUs as required. If using an external
> firewall/router, you'd need to trunk the relevant ports to that
> instead of/as well as Dom0 - eg Dom0 wouldn't need direct access to
> the modem.

Looking at my switch's docs and WebUI, something's not smart enough to do all that. Whether that's me, or the switch, is an open question. Sticking this on my "to do" list.

I'm making progress. Slowly.

Thanks a lot!

Greg