Thread: isolated "internal" network?

isolated "internal" network?
2006-09-13 08:01:48
Hi,

I'm planning to deploy a NetBSD/Xen based server with several services
hosted in separate domains. Not all domains (e.g. database server(s),
build server) should have a public IP, therefore I'd wish to have two
separately bridged networks, a public network with public IPs on bridge0
and an internal network with private IPs on bridge1. But I don't want to
connect bridge1 to any physical network device on the dom0. What (virtual)
network device can/should I use on the dom0 to communicate with the private
LAN? tap, tun, gif, ... ?

Geert

isolated "internal" network?
2006-09-13 09:26:00
On Wed, Sep 13, 2006 at 10:01:48AM +0200, Geert Hendrickx wrote:
> and an internal network with private IPs on bridge1. But I don't want to
> connect bridge1 to any physical network device on the dom0. What (virtual)
> network device can/should I use on the dom0 to communicate with the private
> LAN? tap, tun, gif, ... ?

I think you should create a lo1 in dom0 and attach a bridge to that,
then assign it to all domUs that ought to see it and also to one
that acts as firewall/router.

At least I planned it that way, but I haven't put it through a reality test
yet.

florian
--
florian heigl http://deranfangvomen.de/
"ja, ja, ja, ja, ja, oh, oh, oh, oh scheise. oh. oh fuck."
-- the sound of a leased line multiplexer failing for the second time
just after things looked ok again (via a workmate at the phone)

isolated "internal" network?
2006-09-13 11:25:34
On Wed, Sep 13, 2006 at 11:26:00AM +0200, Florian Heigl wrote:
> I think you should create a lo1 in dom0 and attach a bridge to that, then
> assign it to all domUs that ought to see it and also to one that acts
> as firewall/router.

Good idea, I hadn't thought of using lo(4). However, on my test machine:

# ifconfig bridge0 create
# ifconfig bridge1 create
# ifconfig lo1 create
# ifconfig lo1 inet 10.0.0.1/24
# brconfig bridge0 add fxp0
# brconfig bridge1 add lo1
brconfig: add lo1: Invalid argument

...?

Geert

isolated "internal" network?
2006-09-13 11:50:46
Why do you need to bridge to another interface at all? On my dom0
box, I have fxp0 and xvifN.0 for 3 values of N. In my case, I have
them all bridged, and the xvifNs do not have addresses. But you could
just put an address on one of those in your private segment and
routing should work.

Alternatively you could create a tap and write a program that reads and
discards frames, but you might have to write them back if they match
the address.

Probably lo(4) needs bridge support, and adding that would be the
right thing really.

--
Greg Troxel <gdt ir.bbn.com>

isolated "internal" network?
2006-09-13 12:00:03
On Wed, Sep 13, 2006 at 07:50:46AM -0400, Greg Troxel wrote:
> Why do you need to bridge to another interface at all?

Because my dom0 must have access to the private LAN, so it needs some
interface to be part of the bridge.

Geert

isolated "internal" network?
2006-09-13 12:12:42
On Wed, Sep 13, 2006 at 07:50:46AM -0400, Greg Troxel wrote:
> Why do you need to bridge to another interface at all? On my dom0
> box, I have fxp0 and xvifN.0 for 3 values of N. In my case, I have
> them all bridged, and the xvifNs do not have addresses. But you could
> just put an address on one of those in your private segment and
> routing should work.

You mean I can give an IP to one of the xvif interfaces and use that?
Hmm, that looks like a pain to set up automatically at boot. And if that
particular domU goes down, I have to reconfigure my dom0 to continue to
communicate with the other domUs over the private LAN... Not ideal.

> Probably lo(4) needs bridge support, and adding that would be the right
> thing really.

That looks like the most elegant solution (already suggested by Florian)
but doesn't work ATM.

Geert
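Whichever dom0-side interface ends up on bridge1, the property the thread is after is that no physical NIC is a member of the internal bridge. The following is an added example, not code from anyone in the thread: a POSIX shell check that parses `brconfig`-style output (the samples below are constructed to resemble NetBSD's format) and fails if any member of the internal bridge is not a Xen backend interface (xvifN.M).

```shell
#!/bin/sh
# Constructed sample of `brconfig bridge1` output for an internal bridge
# that carries only domU backend interfaces (not taken from the thread).
SAMPLE_OK='bridge1: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
                ipfilter disabled flags 0x0
        Interfaces:
                xvif2.0 flags=3<LEARNING,DISCOVER>
                        port 7 priority 128
                xvif1.0 flags=3<LEARNING,DISCOVER>
                        port 6 priority 128
        Address cache (max cache: 100, timeout: 1200):'

# Constructed sample where the physical NIC was also added: the "private"
# LAN is now reachable from the wire.
SAMPLE_LEAK='bridge1: flags=41<UP,RUNNING>
        Interfaces:
                xvif2.0 flags=3<LEARNING,DISCOVER>
                        port 7 priority 128
                fxp0 flags=3<LEARNING,DISCOVER>
                        port 1 priority 128
        Address cache (max cache: 100, timeout: 1200):'

# bridge_members: print the member interface names from brconfig output
# read on stdin (the "<ifname> flags=..." lines between "Interfaces:" and
# "Address cache"; awk strips the leading indentation for us).
bridge_members() {
    awk '$1 == "Interfaces:" { in_list = 1; next }
         $1 == "Address" && $2 == "cache" { in_list = 0 }
         in_list && $2 ~ /^flags=/ { print $1 }'
}

# check_isolated_bridge: exit 0 if every member of the bridge described on
# stdin is a Xen backend interface (xvifN.M); otherwise report the other
# members on stderr and exit 1. Anything else (fxp0, a tap wired to a real
# device, ...) would connect the private LAN to something outside the host.
check_isolated_bridge() {
    offenders=$(bridge_members | grep -v '^xvif[0-9][0-9]*\.[0-9]' || true)
    if [ -n "$offenders" ]; then
        printf 'non-xvif member(s) on internal bridge: %s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# On a live dom0 this would be run as:  brconfig bridge1 | check_isolated_bridge
```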