Mailing List Archive

Help creating virtual networks of domU guests
Hey everyone,
Any help with the following question would be greatly
appreciated. Here's what I'd like to do: Right now,
my dom0 has a static IP address on eth0. I want to
create a virtual network interface on dom0 (say
eth0:1), and have all of my virtual domU domains
connect to this interface, creating a vpn. Of course,
I need traffic to be routed between eth0 and my
virtual interface eth0:1 in dom0 so that the domU
domains on the virtual network can talk to the outside
world. Any suggestions for how to do this? Thanks a
lot!

~Dave

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Help creating virtual networks of domU guests
On Saturday 16 July 2005 04:14, David Richardson wrote:
> Hey everyone,
> Any help with the following question would be greatly
> appreciated. Here's what I'd like to do: Right now,
> my dom0 has a static IP address on eth0. I want to
> create a virtual network interface on dom0 (say
> eth0:1),

You don't need an alias on eth0 to do that: create a bridge NOT attached to an
hw interface in dom0, connect the domUs to that bridge, and set up dom0 to
route between eth0 and that bridge.

> and have all of my virtual domU domains
> connect to this interface, creating a vpn. Of course,
> I need traffic to be routed between eth0 and my
> virtual interface eth0:1 in dom0 so that the domU
> domains on the virtual network can talk to the outside
> world. Any suggestions for how to do this? Thanks a
> lot!

Be aware that ALL other computers in your network have to be aware of your
dom0 being a router for the domUs in that setup for it to work.
If you don't need real IPs for your domUs, you can also nat/masquerade between
eth0 and the bridge.

/Ernst

Re: Help creating virtual networks of domU guests
Hey guys,
I'm still having problems getting this to work
correctly. Maybe I should be more clear in my setup.
I only have 1 nic, eth0. My dom0 gets its IP address
from a dhcp server on eth0. However, the dhcp server
always gives me the same IP address based on my MAC
address. As such, my domU guests are unable to use
this dhcp server to obtain IPs. Therefore, what I
want to do (I think...) is to create a vpn of domU
guests that bridge to a virtual interface eth0:1 in
dom0. Outside traffic can then be routed between the
real eth0 and the virtual eth0:1 to reach the domU
guests. Then, I can run a dhcp server in dom0 for
eth0:1 to assign made-up addresses to the domU guests
when they boot.

I've never done anything like this before, so any help
would be great. My first attempts have started out by
doing the following:

Create the virtual ethernet interface:
#ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0

Create a bridge in dom0, attach it to eth0:1:
#brctl addbr xen-br1
#brctl stp xen-br1 off
#brctl setfd xen-br1 0
#ip link set xen-br1 up
#brctl addif xen-br1 eth0:1

Is this even a remotely correct way of getting
started?? Thanks!

~Dave



Re: Help creating virtual networks of domU guests
On Monday 18 July 2005 03:25, David Richardson wrote:
> Hey guys,
> I'm still having problems getting this to work
> correctly. Maybe I should be more clear in my setup.
> I only have 1 nic, eth0. My dom0 gets its IP address
> from a dhcp server on eth0. However, the dhcp server
> always gives me the same IP address based on my MAC
> address. As such, my domU guests are unable to use
> this dhcp server to obtain IPs.

Simply assign a different MAC address to your domU.
You can run with standard bridging, don't need alias devices and whatnot.
For the DHCP Server it looks like a second computer with different MAC is
behind an ethernet bridge, so it'll assign a different IP to it.

> Therefore, what I
> want to do (I think...) is to create a vpn of domU
> guests that bridge to a virtual interface eth0:1 in
> dom0.

Bridging only accepts real interfaces AFAIK. After all, virtual eth0:1 style
interfaces are just alias IP addresses, and the bridge works on ethernet level
and doesn't care about IP at all.

> Outside traffic can then be routed between the
> real eth0 and the virtual eth0:1 to reach the domU
> guests. Then, I can run a dhcp server in dom0 for
> eth0:1 to assign made-up addresses to the domU guests
> when they boot.

With VPN you mean NAT?

> I've never done anything like this before, so any help
> would be great. My first attempts have started out by
> doing the following:
>
> Create the virtual ethernet interface:
> #ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
>
> Create a bridge in dom0, attach it to eth0:1:
> #brctl addbr xen-br1
> #brctl stp xen-br1 off
> #brctl setfd xen-br1 0
> #ip link set xen-br1 up
> #brctl addif xen-br1 eth0:1

More like:
# no eth0:1 iface!

brctl addbr xen-br1
brctl stp xen-br1 off
brctl setfd xen-br1 0
# no brctl addif!
ifconfig xen-br1 192.168.1.1 netmask 255.255.255.0 up
# connect domUs to xen-br1
# set "192.168.1.1" as default route inside domU

# setup NAT in dom0 (-i is not valid in POSTROUTING; match the guest subnet instead):
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to <insert IP of eth0 here>
...
(the nat rules will need more work, maybe your distribution comes with premade
scripts there)

/Ernst

Re: Help creating virtual networks of domU guests
On Mon, 18 Jul 2005, Ernst Bachmann wrote:

> On Monday 18 July 2005 03:25, David Richardson wrote:

Hey, guys.. just to get my oar in the water..

>
> Bridging only accepts real interfaces AFAIK. After all, virtual eth0:1 style
> interfaces are just alias IP addresses, and the bridge works on ethernet level
> and doesn't care about IP at all.

This is incorrect.. bridging is happy with eth0 and eth0:1 interfaces..
my understanding is that creating the eth0:1 interface does just that --
creates a (virtual) device just the same as a real device, and loads a new
TCP stack.. for all intents and purposes, it's a stand-alone device..

My understanding may be off the mark, but the first line, anyways, holds..

:)

Carl

--

"There are 10 types of people in the world: Those who understand binary
and those that don't."


Re: Help creating virtual networks of domU guests
On Monday 18 July 2005 15:08, Carl Holtje wrote:
> This is incorrect.. bridging is happy with eth0 and eth0:1 interfaces..

Well, no. While it may accept eth0:1, it still enslaves the HW interface:

# brctl show
bridge name bridge id STP enabled interfaces
pan0 8000.0010a70aab7a no eth0

# ifconfig eth0:test 192.168.100.1 up

# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:A7:0A:AB:7A
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:300487012 errors:0 dropped:0 overruns:0 frame:0
TX packets:249994141 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2540897286 (2423.1 Mb) TX bytes:3489368961 (3327.7 Mb)
Interrupt:11

eth0:test Link encap:Ethernet HWaddr 00:10:A7:0A:AB:7A
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:898243 errors:0 dropped:0 overruns:0 frame:0
TX packets:898243 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:249587829 (238.0 Mb) TX bytes:249587829 (238.0 Mb)

pan0 Link encap:Ethernet HWaddr 00:10:A7:0A:AB:7A
inet addr:192.168.1.21 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:300486998 errors:0 dropped:0 overruns:0 frame:0
TX packets:249994141 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2629045622 (2507.2 Mb) TX bytes:3366380547 (3210.4 Mb)

# brctl addbr test
# brctl addif test eth0:test
device eth0:test is already a member of a bridge; can't enslave it to bridge test.

Bang. eth0 is already bridged, so the alias ifaces can't be bridged any more.

> my understanding is that creating the eth0:1 interface does just that --
> creates a (virtual) device just the same as a real device, and loads a new
> TCP stack.. for all intents and purposes, it's a stand-alone device..

Also, from the linux kernel documentation:
/usr/src/linux/Documentation/networking/alias.txt

--
IP-aliases are additional IP-addresses/masks hooked up to a base
interface by adding a colon and a string when running ifconfig.
This string is usually numeric, but this is not a must.
--
They're IP only, that's far from being a real ethernet network iface.

Hope that brought some light in the issue,
/Ernst

Re: Help creating virtual networks of domU guests
Thanks for your help everyone. I think I'm close now
(hopefully). Here's what I've got: In dom0, I
execute the following to set up the bridge xenbr1 with
address 192.168.1.1

#brctl addbr xenbr1
#brctl stp xenbr1 off
#brctl setfd xenbr1 0
#ifconfig xenbr1 192.168.1.1 netmask 255.255.255.0 up

Then, in my domU's config file, I add:
vif = [ 'bridge=xenbr1']

So that eth0 in domU will bridge to my xenbr1. I also
modify /etc/network/interfaces in my domU filesystem
(it's a debian guest) with:

auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0

To assign the address 192.168.1.5 to the domU guest.
Finally, I try to set up the nat by doing (in dom0):

#iptables --flush
#iptables --delete-chain
#iptables --table nat --delete-chain
#iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
#iptables --append FORWARD --in-interface xenbr1 -j ACCEPT
#echo 1 > /proc/sys/net/ipv4/ip_forward

#route add -net 192.168.1.0 netmask 255.255.255.0 dev xenbr1

When I boot up domU, I am able to ping 192.168.1.1
from domU, and likewise ping 192.168.1.5 from dom0.
However, I can't get to the outside world from domU,
suggesting that my nat'ing (or something else) isn't
quite right... Any suggestions? Thanks again for all
the help.

~Dave




Re: Help creating virtual networks of domU guests
On Mon, 18 Jul 2005, Ernst Bachmann wrote:

> On Monday 18 July 2005 15:08, Carl Holtje wrote:
> > This is incorrect.. bridging is happy with eth0 and eth0:1 interfaces..
>
> Well, no. While it may accept eth0:1, it still enslaves the HW interface:

{snip}

mmm... eating my own words.. as luck would have it, I ran into this very
issue today.. (sweet mother of irony!)..

You are correct; bridging does bind to the hardware interface, and not the
aliases.

> > my understanding is that creating the eth0:1 interface does just that --
> > creates a (virtual) device just the same as a real device, and loads a new
> > TCP stack.. for all intents and purposes, it's a stand-alone device..
>
> Also, from the linux kernel documentation:
> /usr/src/linux/Documentation/networking/alias.txt

Ah, yes... thank you.. :)

Carl
--

"There are 10 types of people in the world: Those who understand binary
and those that don't."

Re: Help creating virtual networks of domU guests
Figured it out. For those interested, I had to change
the out interface from eth0 to xen-br0 to get IP
masquerading to work:

#iptables --table nat --append POSTROUTING --out-interface xen-br0 -j MASQUERADE

~Dave
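
An added example, not part of the thread: a shell helper that works out which device a MASQUERADE rule has to name when the uplink NIC is itself a bridge port, then prints NAT and forwarding rules scoped to the guest subnet. It assumes eth0 was a port of xen-br0 in the setup above (the thread does not say so outright) and that the kernel exposes bridge membership as /sys/class/net/<dev>/brport/bridge; the function names and the SYSFS_NET override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). SYSFS_NET can be overridden so the
# lookup can be exercised against a constructed directory tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the device that routed packets leave on when sent via $1:
# the owning bridge if $1 is a bridge port, otherwise $1 itself.
egress_dev() {
    dev="$1"
    link="$SYSFS_NET/$dev/brport/bridge"
    if [ -L "$link" ]; then
        # brport/bridge is a symlink to the bridge's own sysfs directory
        basename "$(readlink "$link")"
    else
        printf '%s\n' "$dev"
    fi
}

# Print (do not run) the rules for a guest-only bridge behind NAT.
#   $1 = physical uplink (e.g. eth0)
#   $2 = guest bridge with no hardware port (e.g. xenbr1)
#   $3 = guest subnet in CIDR form (e.g. 192.168.1.0/24)
nat_rules() {
    out="$(egress_dev "$1")"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $3 -o $out -j MASQUERADE
iptables -A FORWARD -i $2 -o $out -s $3 -j ACCEPT
iptables -A FORWARD -i $out -o $2 -d $3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Stand-alone use: sh nat-rules.sh eth0 xenbr1 192.168.1.0/24
if [ "$#" -eq 3 ]; then
    nat_rules "$@"
fi
```

The return-path FORWARD rule only admits replies to connections the guests opened, which matters when the FORWARD policy is set to DROP rather than left at ACCEPT.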
