Subject: [Fwd: Re: isolated "internal" network?]
To: None <port-xen@netbsd.org>
From: Evaldo Gardenali <evaldo@gardenali.biz>
List: port-xen
Date: 09/13/2006 19:32:02
Oops, bad mail client!
There it goes to the ML, sorry.
Evaldo
-------- Original Message --------
Subject: Re: isolated "internal" network?
Date: Wed, 13 Sep 2006 19:29:07 -0300
From: Evaldo Gardenali <evaldo@gardenali.biz>
To: Geert Hendrickx <ghen@NetBSD.org>
References: <20060913080148.GA29829@lori.ghen.be>
Geert Hendrickx wrote:
> Hi,
>
> I'm planning to deploy a NetBSD/Xen based server with several services
> hosted in separate domains. Not all domains (e.g. database server(s),
> build server) should have a public IP, therefore I'd wish to have two
> separately bridged networks, a public network with public IP's on bridge0
> and an internal network with private IP's on bridge1. But I don't want to
> connect bridge1 to any physical network device on the dom0. What (virtual)
> network device can/should I use on the dom0 to communicate with the private
> LAN? tap, tun, gif, ... ?
>
> Geert
>
Whoa! Lots of complex ideas have been mentioned here and in the
replies... when the thing is really simple (2 solutions described here).
Imagine this example: all domains have a public and a private interface
(0=public).
xvif1.0, xvif2.0 and xvif3.0 are bridged to fxp0, so none needs an IP address;
xvif1.1, xvif2.1 and xvif3.1 are on the internal bridge, so you just need to
assign 172.16.0.1 to xvif1.1 and it's done ;)
This example has a systemic failure: when domain 1 gets destroyed, the
interface gets destroyed and all other domains can't communicate with
domain 0 anymore. This can be easily solved with:
Create a tap(4) device, assign an IP address to it, and add it to the
private bridge. A tap device without a backend program is expected to
behave just like an Ethernet interface with no media attached, so it
will do fine.
Evaldo
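The tap(4) anchor for the internal bridge described above, plus a check that the bridge really is isolated, as an added example that is not part of the original post. Assumptions: bridge1 is the private bridge, tap0 the dom0 endpoint, 172.16.0.1/24 the dom0 address, xvif<N>.1 the domU back-ends, and brconfig's "Interfaces:" listing format is parsed as shown.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: bridge1 is the
# private bridge, tap0 the dom0 endpoint, 172.16.0.1/24 the dom0 address.
BRIDGE=${BRIDGE:-bridge1}
TAP=${TAP:-tap0}
DOM0_ADDR=${DOM0_ADDR:-172.16.0.1/24}

# Emit the NetBSD dom0 commands that create the tap(4) anchor and the
# private bridge. They are printed rather than run so they can be reviewed
# first and then applied as root with: internal_bridge_commands | sh
internal_bridge_commands() {
    printf 'ifconfig %s create\n' "$TAP"
    # A tap with no back-end program acts like a NIC with no media, so the
    # dom0 address on it survives any single domU being destroyed.
    printf 'ifconfig %s inet %s up\n' "$TAP" "$DOM0_ADDR"
    printf 'ifconfig %s create\n' "$BRIDGE"
    # Only the persistent tap member is added here; each xvif<N>.1 is added
    # by the Xen vif script when that domain starts.
    printf 'brconfig %s add %s up\n' "$BRIDGE" "$TAP"
}

# List member interfaces from `brconfig <bridge>` output read on stdin:
# the names between the "Interfaces:" and "Address cache" lines.
bridge_members() {
    awk '/^[[:space:]]*Interfaces:/ { inlist = 1; next }
         /^[[:space:]]*Address cache/ { inlist = 0 }
         inlist && /flags=/ { print $1 }'
}

# Isolation check: the private bridge may contain only the tap anchor and
# Xen back-end interfaces. Any other member (fxp0, wm0, ...) means the
# "internal" network is reachable from a physical wire. Reads brconfig
# output on stdin; returns 0 if isolated, 1 otherwise.
check_isolated() {
    bad=0
    for m in $(bridge_members); do
        case "$m" in
            tap[0-9]*|xvif[0-9]*.[0-9]*) ;;
            *) echo "unexpected member on $BRIDGE: $m"; bad=1 ;;
        esac
    done
    return $bad
}
```

Run the check periodically from dom0 with `brconfig bridge1 | check_isolated` so that a stray `brconfig bridge1 add fxp0` is caught rather than silently joining the private LAN to the public one.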