[Fwd: Re: isolated "internal" network?]

[Evaldo Gardenali <evaldo%gardenali.biz@localhost>]

Oups, bad mail client!
There it goes to the ML, sorry

Evaldo

-------- Original Message --------
Subject:        Re: isolated "internal" network?
Date:   Wed, 13 Sep 2006 19:29:07 -0300
From:   Evaldo Gardenali <evaldo%gardenali.biz@localhost>
To:     Geert Hendrickx <ghen%NetBSD.org@localhost>
References:     <20060913080148.GA29829%lori.ghen.be@localhost>



Geert Hendrickx wrote:
> Hi,
>
> I'm planning to deploy a NetBSD/Xen based server with several services
> hosted in separate domains.  Not all domains (e.g. database server(s),
> build server) should have a public IP therefore I'd whish to have two
> separately bridged networks, a public network with public IP's on bridge0
> and an internal network with private IP's on bridge1.  But I don't want to
> connect bridge1 to any physical network device on the dom0.  What (virtual)
> network device can/should I use on the dom0 to communicate with the private
> LAN?  tap, tun, gif, ... ?  
>
>         Geert
>   
Whoa! lots of complex ideas have been mentioned here and on the 
replies... when the thing is really simple (2 solutions described here)

imagine this example: All domains have a public and a private interface 
(0=public)

xvif1.0 xvif2.0 and xvif3.0 are bridged to fxp0, so none need an ip address;
xvif1.1, xvif2.1 and xvif3.1 are on the internal bridge, so just need to 
assign 172.16.0.1 to xvif1.1 and its done ;)

This example has a systemic failure: When domain 1 gets destroyed, the 
interface gets destroyed and all other domains cant communicate to 
domain 0 anymore. This can be easily solved with:

Create a tap(4) device, assign an ip address to it, add it to the 
private bridge. A tap device without a backend program is expected to 
behave just like an ethernet interface with no media attached, so it 
will do fine.

Evaldo