From: Simon H. <li...@th...> - 2007-07-30 14:04:48
Teo En Ming wrote:
> Just to confirm your point #2:
>
> Dom 0 - eth0 / xenbr0 only - eth0 configured as 192.168.1.1 for
> management purposes. This will be the only interface for Dom 0.
> Firewalling in Dom 0 is only for eth0. Perhaps open ports for ssh only.
>
> eth1 / xenbr1 - no IP address configured in Dom 0 - reserved for virtual machine Dom 1
> eth2 / xenbr2 - no IP address configured in Dom 0 - reserved for virtual machine Dom 2
> eth3 / xenbr3 - no IP address configured in Dom 0 - reserved for virtual machine Dom 3
> eth4 / xenbr4 - no IP address configured in Dom 0 - reserved for virtual machine Dom 4
> eth5 / xenbr5 - no IP address configured in Dom 0 - reserved for virtual machine Dom 5
>
> Thus I will configure IP address for the virtual eth0 inside virtual
> machines and do firewalling for eth0 inside VMs.
>
> Hope I understood correctly.

Yes, that's exactly what I meant.

> When I configured Dom 1 as 192.168.1.2/255.255.255.0, I couldn't ping
> Dom 1 from Dom 0. Similarly, I could not ping Dom 0 from Dom 1. I get
> Destination Host Unreachable error messages. Any fix?

Bear in mind I'm a Xen newbie as well ...

Are the relevant ethernet cards all connected to the same switch? Don't forget that the way you have this set up, inter-domain traffic will go out through one physical port, through an external switch, and back in via a different physical port.

I would also test it for traffic between dom-0 or a dom-u and an external device - i.e. make sure you can ping between dom-0 and an external device, and between dom-1 and an external device, etc.

Also, something I found out last week while experimenting (I'm running a bridge in a dom-u doing traffic accounting for traffic to other dom-u's behind it), dom-0 seems to need a vif in each bridge even if it's not going to pass any traffic. In my case, I found that I had to add vif0.1 to xenbr1 and then xenbr1 started working.

In your case, if you do "brctl show xenbr1" you should see peth1, vif0.1 and vif1.1 listed as members.
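
The bridge membership check described in the message above, as an added example that is not part of the original post. The function names `missing_members` and `sample_brctl` are hypothetical, and the sample `brctl show` output is constructed to show a bridge that lacks its dom-0 vif.

```shell
#!/bin/sh
# Added example (not from the original post): report which expected
# interfaces are missing from a bridge, given `brctl show` output on stdin.
# Live usage: brctl show | missing_members xenbr1 peth1 vif0.1 vif1.1

missing_members() {
    bridge=$1; shift
    awk -v bridge="$bridge" -v want="$*" '
        NR == 1 { next }                 # skip the column header row
        # A line starting in column 1 opens a bridge: name, id, STP, [first iface]
        /^[^ \t]/ {
            cur = $1
            if (cur == bridge && NF >= 4) have[$4] = 1
            next
        }
        # Indented continuation lines carry one further interface each
        NF >= 1 && cur == bridge { have[$1] = 1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) print w[i]
        }'
}

# Constructed sample output: xenbr1 has peth1 and vif1.1 but no vif0.1.
sample_brctl() {
    cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              peth0
                                                        vif0.0
xenbr1          8000.feffffffffff       no              peth1
                                                        vif1.1
EOF
}

# Demo on the constructed sample: lists the member xenbr1 is missing.
for m in $(sample_brctl | missing_members xenbr1 peth1 vif0.1 vif1.1); do
    echo "xenbr1 is missing $m"
done
```
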