[CentOS] Xen "bridged" networking config

Thu Aug 21 15:23:55 UTC 2008
David Dyer-Bennet <dd-b at dd-b.net>

I've got a Centos guest and a Windows 2003 server guest running in Xen
under Centos (5.2 in both cases), and they can get out to the network, and
I can ping them from dom0.  This is my first Xen install, and I haven't
used Linux as a router before (I'm very familiar with it as a webserver
and development platform) so I'm a bit weak on the bridging code and NAT /
IP masquerading.  (Amusingly, I was a voting member of IEEE 802.1 and
worked on the .d standard for bridging; that was back when it was new,
more than a decade ago, and my memories from then may be doing more harm
than good now.)

The problem is, I can't originate a connection to either guest from outside.

Dom0 is getting IP 192.168.1.91 (from our enterprise DHCP server), which
is a reasonable address.  There are two bridges created, xenbr0 and
virbr0.  Virbr0 has an IP of 192.168.122.1 assigned to it, which evidence
suggests did *not* come from our DHCP server.  The interfaces for the two
guest domains have 192.168.122.185 and .198 assigned, also not from our
DHCP server.  The IPs plus the behavior (can't connect in, can connect
out) make it look very much like NAT has been set up, but I can't find any
evidence like a "MASQUERADE" target in the dom0 iptables or anything (I've
never run NAT on Linux, I could be looking for the wrong thing in the
wrong place).

This setup does not look anything like the "default" bridging config I
find documented on various Xen websites (particularly
<http://wiki.xensource.com/xenwiki/XenNetworking>).  None of them have
"virbr0".  I've seen a number of reports that people's working
configurations broke when they upgraded to Centos 5.2, so I'm suspecting
that what I'm seeing here is how Centos 5.2 chooses to package Xen.  And
hence I'm asking on a Centos list :-).

I created these guests in virt-manager.  I selected the "bridging" network
configuration.

Oh, ip forwarding is on in dom0; that was one of the things several places
I looked said was an obvious fix for my problem, but it was already on in
the default config, and it wasn't helping.

I'm currently not using either vlan or bonding, though I believe both are
in my future.  One thing at a time; and if I understand the basics I think
I just might be able to take it to the next stage.

This has gotta be simple; I want the most basic bridged configuration,
with the guests directly visible to the outside world.  Any ideas?

-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
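An added example, not from the original post: a dom0 check for the symptom described above (guests can connect out but cannot be reached from outside). The virbr0 bridge with 192.168.122.x addresses is libvirt's "default" NAT network, and its MASQUERADE rule lives in the nat table (`iptables -t nat -L`), which plain `iptables -L` does not show; the script classifies each guest vif by the bridge it hangs off and looks for that rule, using constructed sample `brctl show` and `iptables -t nat -S` output in place of the live commands.

```shell
#!/bin/sh
# Added example: tell a libvirt NAT guest (virbr0) from a Xen bridged guest (xenbr0).

# Constructed sample of `brctl show` matching the post: both guest vifs sit on
# virbr0, while xenbr0 only carries the physical NIC (peth0) and dom0's vif0.0.
SAMPLE_BRCTL='bridge name   bridge id           STP enabled   interfaces
virbr0        8000.000000000000   yes           vif1.0
                                                vif2.0
xenbr0        8000.feffffffffff   no            peth0
                                                vif0.0'

# Constructed sample of `iptables -t nat -S`; libvirt installs the MASQUERADE
# rule for its default network here, not in the filter table.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE'

# bridge_of <vif> <brctl-output>: print the bridge carrying the interface.
# brctl lists a bridge's extra ports on continuation lines, so the last seen
# bridge name is carried forward.
bridge_of() {
    printf '%s\n' "$2" | awk -v vif="$1" '
        NR == 1 { next }                    # header line
        NF == 4 { br = $1; port = $4 }      # bridge line with its first port
        NF == 1 { port = $1 }               # continuation line: another port
        port == vif { print br; exit }'
}

# guest_mode <vif> <brctl-output>: "nat" on libvirt's virbr*, "bridged" on a
# Xen xenbr* bridge, "unknown" if the vif is not on any bridge.
guest_mode() {
    case "$(bridge_of "$1" "$2")" in
        virbr*) echo nat ;;
        xenbr*) echo bridged ;;
        *)      echo unknown ;;
    esac
}

# has_masquerade <nat-table-rules> <subnet>: succeed if the subnet is NATed.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- "-s $2 .*-j MASQUERADE"
}

# On a real dom0, replace the samples with "$(brctl show)" and "$(iptables -t nat -S)".
for vif in vif1.0 vif2.0; do
    echo "$vif: $(guest_mode "$vif" "$SAMPLE_BRCTL")"
done
has_masquerade "$SAMPLE_NAT" 192.168.122.0/24 && echo "NAT is active for 192.168.122.0/24"
```

A guest reported as "nat" is reachable only through the dom0; to put it directly on the LAN its libvirt domain XML needs `<interface type='bridge'>` with `<source bridge='xenbr0'/>` in place of `<source network='default'/>`, after which it takes an address from the site DHCP server like dom0 does.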