[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: default route on other subnet
hello. Why does ipfilter not work with domu's and NetBSD? Even if you
can't filter on a bridge at the bridge level, filter on the IP layer and
make the dom0 a router.
1. Turn packet forwarding on.
2. Configure a network interface on Dom0 with a subnet equal to the size of
the inside network of the machines comprising the guest domu's.
3. Configure a bridge, including the interface you configured or created
in Step 2.
4. Run nat between the interface from step 2 and the outside world.
5. Set the IP address you used in step 2 as the default router on the
Does this not work?
On Sep 30, 1:44am, Pierre-Philipp Braun wrote:
} Subject: Re: default route on other subnet
} Quoting Jean-Yves Migeon 01/07/2011 00:29,
} > What you are trying to achieve is kind of difficult. With a xennet0
} > configured as a /32 in domU (and without a default route), you are
} > basically setting up your domain as being "non routable". It can only
} > communicate with itself (excluding certain circumstances, but that's not
} > the point here).
} Hi Jean-Yves,
} sorry for coming back on that matter, but that's exactly the point.
} That's even the subject of this thread: using a default route on another
} subnet. Do you really think that it's the /32 netmask that prevents the
} route trick to work? I tryed again today with current and on a brand
} new linux dom0; and it's a very standard XEN configuration. In fact,
} I'm always building the whole thing from scratch with the official
} tarball for xen & tools (4.1.1), and jeremy's repository (today's
} next-2.6.32). The same happens again.
} In a basic bridge configuration, with a reachable gateway on network
} interface, this is supposed to do the trick on the netbsd guest side,
} ifconfig xennet0 GUESTIP netmask 255.255.255.255 up
} route add -host GATEWAYIP -link xennet0 -iface
} route add default -ifa GUESTIP GATEWAYIP
} but instead I still receive the arp warnings (xx:xx:xx:xx:xx:xx tried to
} overwrite permanent arp info for GATEWAYIP).
} > Routing packets (like the ones with your ping) will only work when the
} > domain is capable of figuring out a route at a L2 level, e.g. AF_LINK
} > for routing socket. But the NetBSD domain will refuse to add addresses
} > in its ARP table that do not belong to its networks, and as it has none...
} I tryed with network 255.255.0.0 instead, trying to overcome what you
} just said, while keeping the rest of the procedure (route add -host and
} default). No changes, I still receive the happy arp warnings.
} > For routing dom0 <> domU, without proxy ARP, I'd suggest to set an IP
} > for vif, and a small iproute2 command:
} Now about a routing configuration, without proxy ARP (I honestly don't
} know what it is about anyway), I have to use an additional IP indeed,
} which isn't an option here as I'm dealing with public IPs (and I don't
} have much of them).
} Of course the problem would be solved if I could use NAT. Thing is, I'm
} fighting, for a few monthes now, because I precisely would like NetBSD
} to be my nat gateway for the other guests. I can't stand iptables and
} appreciate the good old ipfilter & ipnat tools.
>-- End of excerpt from Pierre-Philipp Braun
Main Index |
Thread Index |