Pfsense HVM domU: bridging help
I've got pfsense2.0 running as an HVM domU with Debian as the dom0 on Xen4.0. My hardware doesn't support PCI-passthrough, so I'm trying to make do with just bridging. I have 4 physical NICs named wan, safe, unsafe, and wifi.
I have a few problems with networking:
I would like to dedicate wan to the pfsense domU. It has to obviously pass through the dom0, but I read that since it is simply bridged, there is no security threat (?). What I've done is create the bridge pfsense-wan from wan, which I then add to the xen cfg of the pfsense domU. The problem is that pfsense is unable to receive a dhcp lease on the wan NIC.
I would like the safe NIC to also be passed to the pfsense domU. I've created a xen-safe bridge from safe, and passed that to the xen cfg. I would also like the dom0 to be a DHCP client of the pfsense domU. I found that the tapX.1 interface that xen creates when the domU is created can receive a DHCP lease, but I couldn't ping it from the gateway.
Here is my /etc/network/interfaces on the dom0:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # 3Com 100Mbit PCI NIC (wan) auto wan iface wan inet manual # Onboard Realtek Gigabit (safe) auto safe iface safe inet static address 22.214.171.124 #this is the LAN ip in pfsense (and safe is the LAN NIC) netmask 255.255.0.0 # DGE-530T Gigabit PCI NIC (unsafe) auto unsafe iface unsafe inet manual # Atheros Wireless-G PCI NIC (wifi) auto wifi iface wifi inet manual # Bridging for Xen # bridging wan to pfsense domU # no other interface has access to this bridge auto pfsense-wan iface pfsense-wan inet manual bridge_ports wan post-up /sbin/iptables -A INPUT -i wan -j DROP post-up /sbin/iptables -A INPUT -i pfsense-wan -j DROP # bridging safe for use by xen # more than one domU will be connected to this internal bridge auto xen-safe iface xen-safe inet manual bridge_ports safe
and the relevant part of the xen cfg for the pfsense domU:
vif = [ 'bridge=pfsense-wan', 'bridge=xen-safe' ]
If I can figure out these 2 NICs, I can figure out the other 2 on my own (I hope!)
You can assign other names to the bridge under debian. What is the config file in you made for the network-bridge? My example is like this but for xen 3.3.2 :-
"$dir/network-bridge" "$@" netdev=eth0
"$dir/network-bridge" "$@" netdev=eth1
"$dir/network-bridge" "$@" netdev=dummy0
hope this helps