I just rented a quite hot machine (Root Server EQ 4) at Hetzner (Germany), as I wanted to set it up to run multiple virtual machines.
I installed the Squeeze version of the Xen Hypervisor and started to set up the regular bridged networking. Hu…..gggghrrrr!!! The pings to a virtual machine expired their TTL, and the connection to the main machine suddenly became very unstable (broken up, losing packets, having to wait up to 1 minute for the connection to continue, etc.). After Googling I finally found out the reason for this… at least a reason that helped me.
To avoid MAC address conflicts between MAC addresses freely assigned to virtual machines and other real or virtual machines, Hetzner has found a way to trash or ignore packets to/from unknown MAC addresses. It looks like it’s not that straightforward though, because I managed to have a forged MAC address from a virtual machine accepted and bridged via the main machine, but then the main machine’s connection had problems. So I found a tutorial written by a genius guy who finally solved this problem in a particular way which works very well: no more broken or unstable connections occurred. I based the following solution mainly on his, but since my set-up is a bit different from his, I explain here what I wanted and how I did it. Thanks to whoever shared this solution with all of us.
See the link at:
http://www.manchesterlifestyle.net/Darren-s-IT-Blog/howto-setup-a-hetzner-eq4-with-debian-lenny-xen-321-and-a-routed-network-configuration-plus-1-to-1-nat.html
Note:
At Hetzner you get one main IP and 3 free extra Internet IPs from the same subnet.
eg.
Main machine: 178.63.72.82
Extra IPs (used for xen virtual machines):
178.63.72.115
178.63.72.116
178.63.72.117
Netmask: 255.255.255.192
Gateway 178.63.72.65
What I wanted … and finally got!
– All real and virtual machines (all Linux) connected to the Internet via the above IPs
– All real and virtual machines connected to each other via a private virtual network (192.168.1.0/24)
Since Xen bridged networking would not work in the Hetzner network, Xen routed networking is used.
This way the Hetzner network only sees one MAC address for all external IP addresses used on the machine.
Just like the good old way of having one OS with multiple IPs on one physical machine.
IN DOM0:
Install the Xen Hypervisor:
apt-get install xen-hypervisor-3.2-1-amd64 xen-linux-system-2.6.26-2-xen-amd64 xen-utils-3.2-1 xenstore-utils xenwatch xen-shell xen-tools linux-image-2.6.26-2-xen-amd64
Edit the file: /etc/network/interfaces
Content:
#########################
# device: eth0
#########################
auto eth0
iface eth0 inet static
address 178.63.72.82
# broadcast 178.63.72.127 <-- original setting (disabled)
# netmask 255.255.255.192 <-- original setting (disabled)
# the 255 at the end is important (host address only, no on-link subnet)
netmask 255.255.255.255
# Hetzner gateway
gateway 178.63.72.65
# the Hetzner gateway added again, as point-to-point peer
pointopoint 178.63.72.65

###########################
# default route to access subnet
###########################
# (provided by Hetzner, disable it for our purpose)
#up route add -net 178.63.72.64 netmask 255.255.255.192 gw 178.63.72.65 eth0

###########################
# DNS Stuff (only if the resolvconf package is installed)
###########################
# dns-* options are implemented by the resolvconf package, if installed (Hetzner name servers)
dns-nameservers 213.133.98.98 213.133.99.99 213.133.100.100

###############################
# internal virtual LAN device: dummy0
###############################
auto dummy0
iface dummy0 inet static
address 192.168.1.1
netmask 255.255.255.0
Edit the file: /etc/sysctl.conf
Content:
### Hetzner Online AG installimage
# sysctl config
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.proxy_arp=1
Edit file: /etc/xen/scripts/vif-common.sh
(Here I copy the changes proposed by the genius tutorial)
Find the following function:
function ip_of()
{
Comment out the original line like so:
# ip addr show "$1" | awk "/^.*inet.*$1\$/{print \$2}" | sed -n '1 s,/.*,,p'
And insert the following line below the commented out one:
ip -4 -o addr show primary dev $1 | awk '$3 == "inet" {print $4; exit}' | sed 's#/.*##'
The complete function should now read:
ip_of()
{
# ip addr show "$1" | awk "/^.*inet.*$1\$/{print \$2}" | sed -n '1 s,/.*,,p'
ip -4 -o addr show primary dev $1 | awk '$3 == "inet" {print $4; exit}' | sed 's#/.*##'
}
Create the following wrapper script: /etc/xen/scripts/network-route-eth0-dummy0
touch /etc/xen/scripts/network-route-eth0-dummy0
chmod 755 /etc/xen/scripts/network-route-eth0-dummy0
Content:
#!/bin/sh
/etc/xen/scripts/network-route "$@" netdev=eth0
sleep 4
/etc/xen/scripts/network-route "$@" netdev=dummy0
Edit the file:/etc/xen/xend-config.sxp
Disable the bridged networking and enable the routed networking.
Content:
#(network-script network-dummy)
#(network-script network-bridge)
#(vif-script vif-bridge)
................
(network-script network-route-eth0-dummy0)
(vif-script vif-route)
................
Edit the file: /etc/modules
Content:
loop max_loop=64
dummy
Edit the Virtual Machine configuration file:
(in my case /etc/xen/myvirt1.cfg)
Note: I show here only the networking section:
................
vif = [ 'ip=178.63.72.115,mac=00:16:3E:3D:6B:15' , 'ip=192.168.1.115,mac=00:16:3E:D7:9C:15']
................
IN DOMUs (Virtual Machines):
Edit the file: /etc/network/interfaces
Content:
############################
# The loopback network interface
############################
auto lo
iface lo inet loopback

############################
# The primary network interface
############################
auto eth0
iface eth0 inet static
address 178.63.72.115
# Hetzner netmask -- leave it as-is
netmask 255.255.255.192
#gateway 178.63.72.65 <-- Hetzner gateway DISABLED
# IP of the DOM0 as gateway
gateway 178.63.72.82

############################
# DNS Stuff (only needed if you installed the package resolvconf)
############################
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 213.133.98.98 213.133.99.99 213.133.100.100

#################################
# Internal virtual private LAN device: eth1
#################################
auto eth1
iface eth1 inet static
address 192.168.1.115
netmask 255.255.255.0
REBOOT the DOM0 and start your virtual machines …
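As an added sanity check that is not part of the original post, the following POSIX shell script verifies the DOM0 side after the reboot: eth0 carries the main IP as a /32 with the gateway as point-to-point peer, the default route and every routed extra IP go where the routed setup expects (default via the gateway on eth0, extra IPs to a vif and never back out of eth0), and the vif MACs across the Xen config files are unique and inside Xen's 00:16:3e range, the MAC conflict that Hetzner's filtering punishes. The IPs and MACs are the ones from this post; the sample command output at the end is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the dom0 side
# of the routed setup. Each check reads one command's output from stdin, so it
# runs against the live host ("ip -4 -o addr show dev eth0 | check_eth0_p2p")
# or against the constructed samples embedded at the end of this file.
GATEWAY=178.63.72.65                                   # Hetzner gateway (from the post)
DOM0_IP=178.63.72.82                                   # dom0 main IP (from the post)
DOMU_IPS="178.63.72.115 178.63.72.116 178.63.72.117"   # extra IPs (from the post)

# eth0 must carry the main IP as a /32 with the gateway as point-to-point peer
# (stdin: ip -4 -o addr show dev eth0)
check_eth0_p2p() { grep -q "inet $DOM0_IP peer $GATEWAY/32"; }

# the default route must leave via eth0 straight to the gateway, and any extra
# IP that has a route must point at a vif, never back out of eth0
# (stdin: ip -4 route)
check_routes() {
    routes=$(cat)
    printf '%s\n' "$routes" | grep -q "^default via $GATEWAY dev eth0" || return 1
    for ip in $DOMU_IPS; do
        printf '%s\n' "$routes" | grep -F "$ip " | grep -qv 'dev vif' && return 1
    done
    return 0
}

# every vif MAC must be in the Xen OUI 00:16:3e and unique across all domains;
# a duplicate MAC is exactly what gets packets dropped at Hetzner
# (stdin: grep -h '^vif' /etc/xen/*.cfg)
check_macs() {
    macs=$(grep -io 'mac=[0-9a-f:]*' | cut -d= -f2 | tr 'A-F' 'a-f')
    [ -n "$macs" ] || return 1
    printf '%s\n' "$macs" | grep -qv '^00:16:3e:' && return 1
    [ -z "$(printf '%s\n' "$macs" | sort | uniq -d)" ]
}

# constructed sample output in the shape of the commands named above
SAMPLE_ADDR='2: eth0    inet 178.63.72.82 peer 178.63.72.65/32 scope global eth0'
SAMPLE_ROUTES='178.63.72.115 dev vif1.0  scope link  src 178.63.72.82
default via 178.63.72.65 dev eth0'
SAMPLE_VIFS="vif = [ 'ip=178.63.72.115,mac=00:16:3E:3D:6B:15' , 'ip=192.168.1.115,mac=00:16:3E:D7:9C:15']"

run_sample_checks() {
    printf '%s\n' "$SAMPLE_ADDR"   | check_eth0_p2p &&
    printf '%s\n' "$SAMPLE_ROUTES" | check_routes   &&
    printf '%s\n' "$SAMPLE_VIFS"   | check_macs
}
```

On the live host, replace the sample pipes with the real commands named in each function's comment; a failing check names the step of the procedure above to revisit.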
NOTE 1:
In case you haven’t created virtual machines yet, you can do so by following the instructions starting in Chapter ‘3 Creating Image-Based Virtual Machines’ at the following link:
http://www.howtoforge.com/virtualization-with-xen-on-debian-lenny-amd64
NOTE 2:
When I tried to connect from DOM0 to any DOMU via the private virtual LAN, I noticed that the source IP from DOM0 is not the expected internal LAN IP but the external (Internet) IP. Depending on your firewall settings in each machine this can be a bit tricky to handle, especially if you want extra security. If you let this IP through the LAN to your DOMUs, then an attacker could forge a packet whose source is exactly your DOM0 external IP and he gets in. But here comes the question: is this really a security risk? I’ll let you figure that one out, and please let me know if you find a viable solution to this one.
I hope this worked for you.