Port-xen archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: default route on other subnet

        hello.  Why does ipfilter not work with domu's and NetBSD?  Even if you
can't filter on a bridge at the bridge level, filter on the IP layer and
make the dom0 a router.

ON Dom0:
1.  Turn packet forwarding on.

2.  Configure a network interface on Dom0 with a subnet equal to the size of
the inside network of the machines comprising the guest domu's.

3.  Configure a bridge, including the interface you configured or created
in Step 2.

4.  Run nat between the interface from step 2 and the outside world.

5.  Set the IP address you used in step 2 as the default router on the

Does this not work?

On Sep 30,  1:44am, Pierre-Philipp Braun wrote:
} Subject: Re: default route on other subnet
} Quoting Jean-Yves Migeon 01/07/2011 00:29,
} > What you are trying to achieve is kind of difficult. With a xennet0
} > configured as a /32 in domU (and without a default route), you are
} > basically setting up your domain as being "non routable". It can only
} > communicate with itself (excluding certain circumstances, but that's not
} > the point here).
} Hi Jean-Yves,
} sorry for coming back on that matter, but that's exactly the point. 
} That's even the subject of this thread: using a default route on another 
} subnet.  Do you really think that it's the /32 netmask that prevents the 
} route trick to work?  I tryed again today with current and on a brand 
} new linux dom0; and it's a very standard XEN configuration.  In fact, 
} I'm always building the whole thing from scratch with the official 
} tarball for xen & tools (4.1.1), and jeremy's repository (today's 
} next-2.6.32).  The same happens again.
} In a basic bridge configuration, with a reachable gateway on network 
} interface, this is supposed to do the trick on the netbsd guest side,
}       ifconfig xennet0 GUESTIP netmask up
}       route add -host GATEWAYIP -link xennet0 -iface
}       route add default -ifa GUESTIP GATEWAYIP
} but instead I still receive the arp warnings (xx:xx:xx:xx:xx:xx tried to 
} overwrite permanent arp info for GATEWAYIP).
} > Routing packets (like the ones with your ping) will only work when the
} > domain is capable of figuring out a route at a L2 level, e.g. AF_LINK
} > for routing socket. But the NetBSD domain will refuse to add addresses
} > in its ARP table that do not belong to its networks, and as it has none...
} I tryed with network instead, trying to overcome what you 
} just said, while keeping the rest of the procedure (route add -host and 
} default).  No changes, I still receive the happy arp warnings.
} > For routing dom0 <> domU, without proxy ARP, I'd suggest to set an IP
} > for vif, and a small iproute2 command:
} Now about a routing configuration, without proxy ARP (I honestly don't 
} know what it is about anyway), I have to use an additional IP indeed, 
} which isn't an option here as I'm dealing with public IPs (and I don't 
} have much of them).
} Of course the problem would be solved if I could use NAT.  Thing is, I'm 
} fighting, for a few monthes now, because I precisely would like NetBSD 
} to be my nat gateway for the other guests.  I can't stand iptables and 
} appreciate the good old ipfilter & ipnat tools.
} Thanks
>-- End of excerpt from Pierre-Philipp Braun

Home | Main Index | Thread Index | Old Index