How should I configure Xen to allow multiple different IP ranges in the domUs?

Question

I'm trying to get Xen running in a setup where the domUs have a completely different IP than the dom0 (not in the same network range). This answer got everything working within the same /24 range, but not with completely unrelated IPs.

dom0's /etc/network/interfaces:

# The primary interface.
# The configuration is done in the bridge.
auto eth0

# The bridge for Xen to use.
auto xenbr0
iface eth0 inet static
        bridge_ports eth0
        address 188.165.X.Y
        netmask 255.255.255.0
        network 188.165.X.0
        broadcast 188.165.X.255
        gateway 188.165.X.254

dom0's bridge (brctl show):

bridge name     bridge id               STP enabled     interfaces
eth0            8000.00259022aab2       no              peth0
                                                        vif1.0

domU's /etc/network/interfaces:

# The primary network interface
auto eth0
iface eth0 inet static
    address 91.121.A.B
    gateway 188.165.X.254
    netmask 255.255.255.0

I've tried different netmasks in domU's configuration as well. How should I configure the thing to allow the domU to connect to the network in a working manner?

Answer 1

I'll assume that 91.121.x.x is routed across the internet to the gateway at gateway 188.165.X.254

The gateway then needs a route for 91.121.x.x to go to the VM host at 188.165.X.Y

This means that any traffic trying to get to 91.121.x.x will end up at your Xen server.

In the previous question, all of the interfaces were on the same network, and so everything could be bridged to the main interface - this is a layer 2 connection.

However, in this case, the guests are on a different network to the host. We need a layer 3 - routed - connection.

Two things need to happen on the host

1) It needs an interface in the 91.121.x.x network 2) It needs to become a router

For (1) we have a similar network setup as before, however the physical interface is kept out of the bridge. We create a bridge interface for the virtual machines to connect to, but give it its own address separate from the eth0 interface:

auto lo br0 eth0

iface lo inet loopback

iface br0 inet static
        bridge_ports none
        address 91.121.x.1
        netmask 255.255.255.0

iface eth0 inet static
       address 188.165.X.Y
       netmask 255.255.255.0
       network 188.165.X.0
       broadcast 188.165.X.255
       gateway 188.165.X.254

Once this comes up, the server will have two interfaces, and can act as a router. This is off by default. Change /etc/sysctl.conf and make sure the following line is uncommented:

 net.ipv4.ip_forward=1

You can enable this temporarily at the command line with the following, but the change above is needed to survive a reboot:

 sysctl -w net.ipv4.ip_forward=1

Now the server will route packets that arrive on eth0 destined for 91.121.x.x out of the br0 interface. So now we need to bridge the vms to this interface. This is exactly as you normally do it, just putting it here for completeness:

In the .cfg:

 vif = ['bridge=br0, mac=00:16:3E:12:16:19']

In the domU interfaces file:

auto eth0
iface eth0 inet static
    address 91.121.A.B
    gateway 91.121.x.x (this is the dom0 br0 interface address)
    netmask 255.255.255.0

You can test all is working correctly across the bridge by pinging 91.121.x.x from domU to ping dom0 and ping 91.121.x.254 to ping domU from dom0. Then ping the dom0 outside interface from domu: 188.165.X.Y

The first ping proves the bridge is working, and the second proves the routing is working.