I have a server running with XenServer 7 installed.

Currently the XenServer only has a single VM (FW01), which is my Firewall solution and router. What I would like to do is connect the XenServer to the WAN over ETH0 and forward all traffic received on ETH0 directly to the FW01 VM without the XenServer itself looking at the packages received, so this VM can handle all security threats without the XenServer itself being compromised.

Side note: the FW01 VM is also the Firewall for the XenServer itself, which is why it is important that the XenServer forwards all the packages received on ETH0 directly to the FW01 VM.

Or is there an official XenServer way of achieving this?

  • I have been looking into Felix's suggestion and other ways one might be able to solve this issue. Question: wouldn't it also be possible to solve this by creating an iptables rule directly in the XenServer VM that forwards all traffic to the FW01 VM from eth0? – Cristian Matthias Ambæk Sep 18 '17 at 12:03

As is typical with hypervisor networking, XenServer creates a Virtual Ethernet Switch that virtual machines connect to. These virtual switches essentially act as a middleman between the physical NIC and the virtual NIC in your VM. Therefore, XenServer will attempt to inspect the packets and route them appropriately.

Since you are using a VM as your primary firewall, a good solution would be to pick up a dual-port NIC and use hardware passthrough directly to your FW01 VM. This would relinquish control of the entire NIC to the VM, and XenServer would not touch any of the incoming packets.

One port on the NIC would serve as the incoming WAN connection, and the other port would be used to loop back (with an ethernet cable or switch) to the XenServer host. With this setup, it is as if you have a dedicated Firewall appliance instead of running it as a VM.

Felix Jen
  • Thank you for your reply Felix, is it possible you know of any articles that describe doing this that are worth reading? Also, as a side thought, would it be possible to make this solution with software, such as using the DVS-controller VM or something else directly within XenServer? – Cristian Matthias Ambæk Sep 18 '17 at 09:11
  • Do keep in mind that I only mentioned one (more secure) method of doing what you are looking for. You can find additional methods here: https://community.spiceworks.com/how_to/103601-configure-xenserver-6-2-to-host-a-virtual-firewall – Felix Jen Sep 19 '17 at 16:50
  • For a general guide on PCIe pass through with XS7, see here: https://xenserver.org/blog/entry/pci-pass-through-on-xenserver-7-0.html – Felix Jen Sep 19 '17 at 16:51
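The pass-through the answer recommends, written out as a dom0 shell script. This is an added example, not code from the answer or from the linked guides; it assumes (constructed values) a single host, a dual-port NIC at 04:00.0/04:00.1 in dom0 and a VM named FW01, and it only dry-runs unless PASSTHROUGH_APPLY=1 is set.

```shell
#!/bin/sh
# Added example: hand a whole dual-port NIC to the FW01 VM on XenServer 7.
# Constructed assumptions: the NIC is at 04:00.0 and 04:00.1 in dom0 and
# the VM is named FW01. Nothing is changed unless PASSTHROUGH_APPLY=1.
# Accept only a dom0 address of the form bus:slot.function, e.g. 04:00.0.
bdf_valid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]$'
}
# dom0 kernel argument that hides the devices from dom0's own drivers, e.g.
# xen-pciback.hide=(04:00.0)(04:00.1). List both ports, or dom0 keeps one.
pciback_hide_arg() {
    arg='xen-pciback.hide='
    for bdf in "$@"; do
        bdf_valid "$bdf" || return 1
        arg="$arg($bdf)"
    done
    printf '%s' "$arg"
}
# Matching VM parameter: other-config:pci=0/0000:04:00.0,0/0000:04:00.1
vm_pci_param() {
    list=''
    for bdf in "$@"; do
        bdf_valid "$bdf" || return 1
        list="${list:+$list,}0/0000:$bdf"
    done
    printf 'other-config:pci=%s' "$list"
}
# BDF behind a network device: readlink /sys/class/net/<dev>/device gives
# e.g. ../../../0000:03:00.0, which this turns into 03:00.0.
sysfs_bdf() {
    b=${1##*/}
    printf '%s' "${b#0000:}"
}
apply_passthrough() {
    # Refuse the NIC carrying the management PIF: dom0 would lose its network path.
    mgmt=$(xe pif-list management=true params=device --minimal)
    mgmt_bdf=$(sysfs_bdf "$(readlink "/sys/class/net/$mgmt/device")")
    for bdf in "$@"; do
        [ "$bdf" != "$mgmt_bdf" ] || { echo "$bdf is the management NIC" >&2; return 1; }
    done
    vm_uuid=$(xe vm-list name-label=FW01 --minimal)
    /opt/xensource/libexec/xen-cmdline --set-dom0 "$(pciback_hide_arg "$@")"
    xe vm-param-set "$(vm_pci_param "$@")" uuid="$vm_uuid"
    echo "Reboot dom0, then check: lspci -k -s $1 should name pciback as the driver"
}
if [ "${PASSTHROUGH_APPLY:-0}" = 1 ]; then
    apply_passthrough 04:00.0 04:00.1
else
    echo "dry run: xe vm-param-set $(vm_pci_param 04:00.0 04:00.1) uuid=<FW01 uuid>"
fi
```

After the reboot, `lspci -k -s 04:00.0` in dom0 showing pciback as the driver in use confirms that dom0 no longer drives the port.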