[CentOS] Not firewall, but what?

Mon May 10 12:48:52 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

Jussi Hirvi wrote:
> On 9.5.2010 14.03, Kahlil Hodgson wrote:
>> Okay, that makes my head hurt.  Why two VLANs?  What's you mapping
>> between virtual interfaces and guests? And which guest is the bad one?
> 
> Ok, Kal, thank you for very useful ramblings!
> 
> This box is already in production, but I think the most useful approach 
> here is to reconsider my setup.
> 
> I have two public networks here, 62.220.237.x and 62.236.221.x. I want 
> to build a xen system, where some guests connect to one network, some 
> guest to the other one, and some to both. To reduce cabling, I would 
> like to do this with only two nics.
> 
> My solution now is two virtual bridges (I can post nearer details, if 
> needes). And I have now landed into routing difficulties.
> 
> Are there some simpler or otherwise better approaches?

How do you handle the default route on the 'connect to both' guests?  Normally 
you only want one default gateway and it should be the same one where the 
connections are coming in.  Otherwise you have to do some very tricky things to 
make return packets go back the same path they came in, although asymmetrical 
routes are supposed to work if you don't have NAT or stateful firewalls in the way.

-- 
   Les Mikesell
    lesmikesell at gmail.com