Hi everyone,

I'm new to Xen having been steered into a project at work as the resident Linux user. I'm trying to set up some networking and I'm finding it very taxing (it's way more in-depth iptables and networking than I'm used to). I'd really be grateful if someone could help me please.

There are 3 VMs: an HVM Windows Server 2008 R2 guest with the PV drivers installed and 2 Ubuntu 10.04 PV installs.

The Networks:

A - 10.1.2.0/24 - The company network (on physical eth0)
B - 172.16.2.0/24 - Physical network connected to a hardware data receiver product. (physical eth1)
C - 192.168.99.0/23 - Private LAN in Xenland used to connect the VMs together and to the host.
D - Xenbr0 (192.168.99.1/24) - The default gateway for the VMs on the private LAN.
E - Physical interface eth2 - Bridged into xenbr0 to provide physical maintenance access into the guests' world from a laptop.

What I'm trying to achieve:

1. Each guest should have a single network connection onto the virtual 192.168 (C) LAN.
2. I have a single IP address available on network A so I need to NAT all the 192.168 addresses of the VMs so they can all get access to the company LAN.
3. I have a single IP address available on network B so I need to NAT all the VMs so they can access the data receiver.
4. The data receiver produces a multicast stream. I need the VMs to be able to subscribe to it with IGMP and the multicast UDP to make its way across the host and onto the C network to them when subscribed (or all the time if that's much easier).
5. I do NOT want the multicast to leak out onto LAN A or machines on LAN A to be able to subscribe.
6. All packets from the VMs not addressed on the 192.168 or 172 networks need to be forwarded through the host to the company LAN (with ESTABLISHED and RELATED returns allowed).
7. Port 80 incoming on physical eth0 (LAN A) is redirected through the host to the webserver on one of the VMs (192.168.99.20:80).

From my research, I believe that the stock Ubuntu server kernel on the host won't forward multicast on its own and I need some software agent to handle the subscriptions and passing of the UDP multicast data. IGMPProxy, XORP or pimd seem to "do the right thing" but I'm not sure which to choose or how to set them up (particularly in the case of XORP, which seems very flexible and to have a lot of learning curve).

I think my head is about to explode.

Thank you in advance,
Paul.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
paul@stimpsonfamily.co.uk wrote:

> I'm new to Xen having been steered into a project at work as the
> resident Linux user.

It's good fun isn't it :D

> I'm trying to set up some networking and I'm finding it very taxing
> (it's way more in-depth iptables and networking than I'm used to).

Talk about in at the deep end!

> There are 3 VMs: an HVM Windows Server 2008 R2 guest with the PV
> drivers installed and 2 Ubuntu 10.04 PV installs.
>
> The Networks:
>
> A - 10.1.2.0/24 - The company network (on physical eth0)
> B - 172.16.2.0/24 - Physical network connected to a hardware data
> receiver product. (physical eth1)
> C - 192.168.99.0/23 - Private LAN in Xenland used to connect the VMs
> together and to the host.
> D - Xenbr0 (192.168.99.1/24) - The default gateway for the VMs on
> the private LAN.
> E - Physical interface eth2 - Bridged into xenbr0 to provide
> physical maintenance access into the guests' world from a laptop.
>
> What I'm trying to achieve:
>
> 1. Each guest should have a single network connection onto the
> virtual 192.168 (C) LAN.

OK, that bit is easy - just create the bridge in /etc/network/interfaces. I prefer to give meaningful names to things (eg ethint), so you'd have something like (from memory):

    auto ethint
    iface ethint inet static
        bridge_ports eth2
        address 192.168.99.1
        netmask 255.255.254.0

> 2. I have a single IP address available on network A so I need
> to NAT all the 192.168 addresses of the VMs so they can all get
> access to the company LAN.

Ah, I've never set up NAT in this situation! At home I've created a virtual router in its own VM, and that does the NAT in a two interface setup.

Is there any reason you can't have multiple addresses? It would make things a LOT simpler for you. It's not as if private addresses are scarce. If you can have one IP per VM then you don't need the NAT and you simply bridge stuff together.

> 3. I have a single IP address available on network B so I need
> to NAT all the VMs so they can access the data receiver.

Ditto, why the single address?

> 4. The data receiver produces a multicast stream. I need the VMs
> to be able to subscribe to it with IGMP and the multicast UDP to
> make its way across the host and onto the C network to them when
> subscribed (or all the time if that's much easier)

Dunno - never worked with multicast, other than at a very primitive level.

> 5. I do NOT want the multicast to leak out onto LAN A or
> machines on LAN A to be able to subscribe.

No problem, unless you link them in some way then they will remain separate.

> 6. All packets from the VMs not addressed on the 192.168 or 172
> networks need to be forwarded through the host to the company LAN
> (with ESTABLISHED and RELATED returns allowed)
> 7. Port 80 incoming on physical eth0 (LAN A) is redirected
> through the host to the webserver on one of the VMs
> (192.168.99.20:80)

That's a matter of setting the default gateway and routing properly (the default connected net routes will be OK). Plus the SNAT for outbound NAT, and DNAT for the inbound port 80. The NAT is stateful and will handle the returns automagically.

> I think my head is about to explode.

I know how you feel, I've just had to revisit traffic shaping and accounting as I'm updating my edge routers - things have moved on a bit and I've been having fun getting my head around packet marking and matching (I use Shorewall BTW - highly recommended).

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
On Thu, Nov 22, 2012 at 11:28 AM, paul@stimpsonfamily.co.uk <paul@stimpsonfamily.co.uk> wrote:

> Hi everyone,
>
> I'm new to Xen having been steered into a project at work as the resident
> Linux user. I'm trying to set up some networking and I'm finding it very
> taxing (it's way more in-depth iptables and networking than I'm used to).
> I'd really be grateful if someone could help me please.
>
> There are 3 VMs: an HVM Windows Server 2008 R2 guest with the PV drivers
> installed and 2 Ubuntu 10.04 PV installs.
>
> The Networks:
>
> A - 10.1.2.0/24 - The company network (on physical eth0)
> B - 172.16.2.0/24 - Physical network connected to a hardware data
> receiver product. (physical eth1)
> C - 192.168.99.0/23 - Private LAN in Xenland used to connect the VMs
> together and to the host.
> D - Xenbr0 (192.168.99.1/24) - The default gateway for the VMs on the
> private LAN.
> E - Physical interface eth2 - Bridged into xenbr0 to provide physical
> maintenance access into the guests' world from a laptop.
>
> What I'm trying to achieve:
>
> 1. Each guest should have a single network connection onto the virtual
> 192.168 (C) LAN.
> 2. I have a single IP address available on network A so I need to NAT
> all the 192.168 addresses of the VMs so they can all get access to the
> company LAN.
> 3. I have a single IP address available on network B so I need to NAT
> all the VMs so they can access the data receiver.
> 4. The data receiver produces a multicast stream. I need the VMs to be
> able to subscribe to it with IGMP and the multicast UDP to make its way
> across the host and onto the C network to them when subscribed (or all the
> time if that's much easier)
> 5. I do NOT want the multicast to leak out onto LAN A or machines on
> LAN A to be able to subscribe.
> 6. All packets from the VMs not addressed on the 192.168 or 172
> networks need to be forwarded through the host to the company LAN (with
> ESTABLISHED and RELATED returns allowed)
> 7. Port 80 incoming on physical eth0 (LAN A) is redirected through the
> host to the webserver on one of the VMs (192.168.99.20:80)
>
> From my research, I believe that the stock Ubuntu server kernel on the
> host won't forward multicast on its own and I need some software agent to
> handle the subscriptions and passing of the UDP multicast data. IGMPProxy,
> XORP or pimd seem to "do the right thing" but I'm not sure which to choose
> or how to set them up (particularly in the case of XORP which seems very
> flexible and to have a lot of learning curve)
>
> I think my head is about to explode.
>
> Thank you in advance,
> Paul.

I think it's going to look something like this. I put my rules in a script so I can do multiple things. You didn't say if your eth0 was on a bridge or not so I'll give you my setup for xenbr0 (company network) and xenbr1 (VM network) and you can play with it. I'm forwarding port 80 to an internal VM. Since I don't have time to rewrite it for your setup I'd suggest replacing my xenbr0 with eth0. You should only then need to worry about your data receiver. I'd write more but it's Thanksgiving...

    #!/bin/sh
    # let dom0 route between its interfaces
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # start from empty filter and nat tables
    iptables -F
    iptables -t nat -F
    # hide the VM network behind dom0's address on the company side
    iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE
    # only replies to VM-initiated traffic come back in from the company side
    iptables -t filter -A FORWARD -i xenbr0 -o xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # VMs may reach the company network
    iptables -t filter -A FORWARD -i xenbr1 -o xenbr0 -j ACCEPT
    # VMs may talk to dom0 itself
    iptables -t filter -A INPUT -i xenbr1 -j ACCEPT

    ### Port Forwarding ###
    iptables -t nat -A PREROUTING -p tcp -i xenbr0 --dport 80 -j DNAT --to 192.168.0.100:80

Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows." Now they have two problems.
Hello, Paul.

Not that complex, BTW, don't let yourself be intimidated.

On 22/11/12 15:01, Simon Hobson wrote:
> paul@stimpsonfamily.co.uk wrote:
>> 2. I have a single IP address available on network A so I need to
>> NAT all the 192.168 addresses of the VMs so they can all get access to
>> the company LAN.
>
> Ah, I've never set up NAT in this situation! At home I've created a
> virtual router in its own VM, and that does the NAT in a two interface
> setup.

Very suitable in production environments as well. No matter if NAT is involved or not, it depends more on the rest of the network (can it route packets in the right way or not). Deploy a dedicated router VM with interfaces in all needed networks, and its setup will be no different from any other software router. There is a lot of documentation, references, tutorials and even ready-to-use appliances to do that. Attempting to do routing on Dom0 will be more "low level", but with many more details to take care of. It isn't worth it.

> Is there any reason you can't have multiple addresses? It would make
> things a LOT simpler for you. It's not as if private addresses are
> scarce. If you can have one IP per VM then you don't need the NAT and
> you simply bridge stuff together.

Not really, not always. NAT is sometimes useful even on a pure private network, even if there are plenty of private addresses to assign. It depends on topology and demarcation points; the latter is very important.

My suggestion for you is to draw, literally, the network topology you desire, even if it's too simple. It will clear up many things and it's an excellent exercise. I doubt someone here will do for you whatever has to be done, but if you make yourself a plan you can get more specific feedback, just as the one you are getting now.

Meanwhile, some ideas:

A - Get 2 addresses on 10.1.2.0/24 for your box. Use one on your router VM; it will be the primary gateway between your networks. Use the other as Dom0's auxiliary address; it shall listen only to SSH on it. In case you lock yourself out of the router VM due to a failure or a mistake, Dom0 will allow you to retake control of your box.

B - It's OK to dedicate a single physical interface to THE external provider. But if their number sometime grows, it's usable to plug them into a managed L2 switch, isolated on different VLANs, and have access to all of them via the same physical eth1.

C - Why 192.168.99.0/23 and not 192.168.99.0/24? /24 is easier to manage.

E - Consider bridging eth2, if it's available and not a security issue, to the network you called Xenland. Excellent for troubleshooting and future scalability.

3. Make the same router VM have an interface on network A, network B and network C. The routing configuration is trivial.

5. A "normal restrictive" filter will prevent any accidental leak. DROP everything via iptables -P, unless specifically allowed.

6. Trivial on the router VM; you will not even need any extra routing rules, just normal IP interface setup with the default gateway on one of them, and allow IPv4 forwarding.

7. Consider port forwarding (DNAT in iptables land) on the router VM, or a reverse proxy like Nginx. A reverse proxy is much cleaner and gives you more access control.

-- 
Alexandre Kouznetsov