Re: xen networking

[Iain Hibbert <plunky%ogmig.net@localhost>]

On Fri, 5 Jun 2020, Greg Troxel wrote:

> Iain Hibbert <plunky%ogmig.net@localhost> writes:
> 
> > dom0 has wm0 connected to bridge0, and bridge1 is domU network
> >
> > domU-router has two interfaces, one on each bridge
> >
> > domU clients otherwise have one interface, connected to bridge1
> 
> This is the hard way, compared to having dom0 do NAT.  But not wrong,
> just harder.

I was having a separate difficulty on the dom0. You can't attach an IP 
address to a bridge, so dhcpd won't touch it. Neither would dhcpcd and 
dnsmasq complained about something. Linux bridge can have IP addresses 
attached which would help with all that.

> > domU-router has dnsmasq set up to provide IP addresses onto bridge1 and 
> > this works fine, I can ping back and forth using hostnames. I also have 
> > dom0 ask for an IP on this network (might NAT that to a separate network 
> > instead, later)
> 
> So dom0 has some sort of pseudo-interface on bridge1?

dom0 just currently asks for an IP address on xvif1i1 which is the 
domu-router interface connected to bridge1. I don't know if there is 
another way to have a local interface to a bridge. I have considered that 
the dom0 should not be accessible from the domUs in general so might add a 
separate interface for that but I can work on that later.

> > So currently I am stuck. I want to have domU-router get the IP address to 
> > the external interface with dhcpcd. Then bridge0 will do its job and 
> > domU-router will be the front end, right? (if so then I set up NAT)
> 
> If you want to have your router/NAT be in a domU, then yes, the domU has
> to have an address that belongs on your ethernet, via its xennet0 which
> is a member of dom0 bridge0, along with dom0 wm0 being in bridge0.

ok

> > Unfortunately, I think, if I get domU-router to issue a DHCP request, what 
> > happens is that it goes out onto bridge0 with the domU-router MAC address 
> > as source.
> 
> That is correct behavior; why do you say "unfortunately"?

Ah. The unfortunately is I have to work out another way then :)

> > I can see it with tcpdump on wm0 but I don't know if it 
> > actually goes out on the wire, and nothing ever comes back. I don't see 
> > any way around that and seem to have been all over the internet looking 
> > for clues - is there a way to do this, network wise?
> 
> I have no recent experience, but have set up many machines with a dom0
> and a bunch of  domUs, where the dom0 had a bridge0, each domU had a
> xennet0 and on the dom0, xvifN.0 or whatever was added into bridge0.
> Then I could configure addresses on each domU's xennet0 and that worked
> fine.  I was not trying to use dhcp.

I was trying to get away with minimal configuration in the domU's, 
currently I just add 'hostname=foo; dhcpcd=YES' and its good to go.

> Suggestions:
> 
>   use tcpdump on another machine on the wm0 ethernet with a hub, use it
>   on the dhcp server, and/or look at the dchp server logs

Unfortunately it is in a data centre and also no console access

>   configure an address statically and try to ping the dhcp server

Yeah I'm wondering about that. I'm guessing that my IP address will be 
fixed, so I could perhaps just set it up as static in the domU-router.

>   also look at arp with tcpdump

looking for what, the MAC address of domU-router xennet0 ?  I can see some 
other who-has stuff going on out there in general but nothing specific to 
my domU-router requests

>   choose a fake ethernet address that's real, perhaps one belonging to a
>   powered-off card.   who knows what "security" mechanisms are in place!

I did try the MAC address from (the unconnected) wm1 but no joy and I'm 
suspecting that they just have a table of MAC->IP address at the DHCP 
server.

> > I see that you can push wm0 into the domU-router with pciback though not 
> > sure if possible, using NetBSD-9.0_STABLE and xen4.11 ?
> 
> My impression is that pci passthrough  didn't work at least recently.
> If it does now that's big news, at least to me.

It was my impression too which is why I haven't tried it yet :)

iain