Port-xen archive


Re: xen networking



On Sat, 6 Jun 2020, Dima Veselov wrote:

> On Fri, Jun 05, 2020 at 02:42:55PM +0100, Iain Hibbert wrote:
> 
> > I have a xen dom0 with external connectivity and wish to set up NAT to
> > allow the domU network access but having a little difficulty with network
> > setup. I have tried several variations and always hit a wall eventually.
> > This is where I'm currently at:
> 
> If I understand right - you have one dom0 with several domU's and one
> domU acting as a router/NAT for other domUs.
> 
> Real network - wm0 (dom0) br0 - xennet0 (domU) xennet1 - br1 (dom0) br1 - domU
> xennet0

yes that is right.

> > domU-router has dnsmasq set up to provide IP addresses onto bridge1 and
> > this works fine, I can ping back and forth using hostnames. I also have
> > dom0 ask for an IP on this network (might NAT that to a separate network
> > instead, later)
> > 
> > So currently I am stuck. I want to have domU-router get the IP address to
> > the external interface with dhcpcd. Then bridge0 will do its job and
> > domU-router will be the front end, right? (if so then I set up NAT)
> 
> Something stays undisclosed here. You say dnsmasq is working well, but then it
> sounds like domU-router can't get an IP on xennet0. Then what does "it works well" mean?

dnsmasq is the DHCP/DNS server for the domU network only, so it only listens on 
xennet1.

domU-router would like to get the external IP on xennet0 so that it can be 
the firewall.

> > Unfortunately, I think, if I get domU-router to issue a DHCP request, what
> > happens is that it goes out onto bridge0 with the domU-router MAC address
> > as source. 
> 
> Do you want domU-router to get an IP with the MAC address of dom0, as it sounds?
> This will never happen; a bridge is like a switch - every server has its own
> unique MAC. 

> There must be something about your network configuration. I suppose you
> made this setup complex because you have some limitations in the real network
> connected to wm0, but we need to know what they are.

Well, I only have a single IP available. I was trying to run these 
services on the domU rather than the dom0 for security. Perhaps that is 
not ultimately necessary.

> As it sounds to me, the DHCP server you are trying to use accepts only dom0's wm0
> MAC address. If so, you can either use dom0 as the router/NAT instead
> or swap MAC addresses between dom0 and domU-router.

Hm ok, perhaps that would be an option. I can assign whatever MAC address 
on the domU that I like. I don't think I can actually remove the wm0 MAC 
but could add something else as the active address.

> > I can see it with tcpdump on wm0 but I don't know if it
> > actually goes out on the wire, and nothing ever comes back.
> 
> Once you see it on dom0's wm0 you can be sure it's on the wire. tcpdump captures
> output packets after all processing. There are some problematic cases where
> that's not true, but I would check for them only as a last resort.

Ah. That means that the upstream is not speaking to me then. I presume 
they have some kind of filtering (probably a MAC=>IP table).

iain
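As an added example, not part of this thread or of any of the posters' own configuration, here is one way the domU-router topology described above could be realised on NetBSD: dhcpcd requests the single external lease on xennet0 only, dnsmasq is bound to xennet1 only, forwarding is enabled, and npf does the NAT. The 10.0.1.0/24 internal range, the file contents and the pkgsrc rc.d name are assumptions; the MAC in the xl vif line is a placeholder for whatever address the upstream accepts.

```conf
# --- on dom0: xl config for domU-router, vif lines only (MAC is a placeholder) ---
vif = [ 'mac=XX:XX:XX:XX:XX:XX,bridge=br0', 'bridge=br1' ]

# --- on domU-router: /etc/rc.conf (assumed fragment) ---
hostname=domU-router
dhcpcd=YES
dhcpcd_flags="xennet0"        # request the external lease on xennet0 only
npf=YES
dnsmasq=YES                   # pkgsrc rc.d script name assumed

# --- /etc/ifconfig.xennet1: static address on the internal (br1) side ---
inet 10.0.1.1 netmask 255.255.255.0 up

# --- /etc/sysctl.conf: route between xennet0 and xennet1 ---
net.inet.ip.forwarding=1

# --- /usr/pkg/etc/dnsmasq.conf: serve DHCP/DNS to the domU network only ---
interface=xennet1
bind-interfaces               # never answer on xennet0/br0, the upstream side
dhcp-range=10.0.1.50,10.0.1.150,12h

# --- /etc/npf.conf: NAT the internal net out of the external lease ---
$ext_if = "xennet0"
$int_if = "xennet1"
$int_net = { 10.0.1.0/24 }

# dynamic NAT: internal sources are rewritten to whatever xennet0 holds
map $ext_if dynamic $int_net -> $ext_if

group "external" on $ext_if {
        # dhcpcd must receive the offer/ack; everything else inbound is dropped
        pass in final proto udp from any port 67 to any port 68
        pass stateful out final all
}
group "internal" on $int_if {
        pass final all
}
group default {
        pass final on lo0 all
        block all
}
```

Whether the lease is actually granted still depends on the upstream accepting the domU's MAC on br0, which is the point the thread turns on; the firewall and NAT above only take effect once xennet0 holds an address.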

