Port-xen archive


Re: Routed setup and ARP issues

On Tue, 16 Jun 2009 07:21:56 -0400
"Steven M. Bellovin" <smb%cs.columbia.edu@localhost> wrote:

> On Tue, 16 Jun 2009 14:59:56 +1000
> Christian Lerrahn <lists%penpal4u.net@localhost> wrote:
> > Hi,
> > I'm trying to set up a routed configuration of XEN. My ISP does not
> > let me use bridged setups and bans the use of MAC addresses other
> > than the one of the physical interface on the network.
> > 
> > There are 2 problems I have. One is that on Linux you need to use
> > the kernel's arp_proxy which I don't think the NetBSD kernel has on
> > board. Therefore I assume I need to set up a userland ARP proxy for
> > the routed setup to work. Am I right?
> See the 'proxy' option on arp(8) -- does that do what you want?

I had a look at that before but couldn't make too much sense of it. It
seems to me that this is just for "manual proxying" where I add a
static entry to my ARP tables and choose to proxy that entry. However,
the Linux ARP proxy mode seems to be doing more than just that but
again I'm not 100% sure. I just would like to have as low maintenance a
solution as possible.

> > The second problem is how I make sure that the MAC addresses of the
> > virtual servers never make it onto the physical network. In other
> > words, I would like them to be able to communicate internally based
> > on their MAC addresses while at the same time all outgoing traffic
> > pretends that the physical device has all the IP addresses directly
> > assigned to it.
> > 
> > I'm wondering if this requirement actually means that my physical
> > network interface needs to have all used IP addresses as aliases.
> > However, while I could still route that, it seems like a bit of a
> > messy setup.
> > 
> > Has anyone ever set this up? Is there maybe a howto that I missed in
> > my web searches?
> > 
> Can you get a subnet from your ISP?  If so, assign the domUs addresses
> on it and enable forwarding on the dom0.  No ARP games will be needed.
> Second, depending on your needs, you could NAT the domUs' addresses.

I do have a subnet I can use. However, from how I understood the Linux
XEN howtos, I thought that an ARP proxy was still needed. But maybe
I'll just give it a shot then and hope for the best. :)

