I'm attempting a fairly complex Xen/Shorewall install and would greatly
appreciate some advice:
I have a physical server with four interfaces. Dom0 and all the domU's are
running CentOS 5.1 x64 (2.6.18). Dom0 will have Shorewall to take care of
the firewall/routing functions of our network. One domU will be running
Asterisk for VoIP and a second will serve up a basic website. I also intend
to eventually bring up another domU running SER (a SIP proxy) to assist
external VoIP clients who are behind a NAT gateway. I am planning on using
the four physical interfaces as follows:
eth0 (192.168.0.0 /24): Connected to our LAN.
eth1 (192.168.2.0 /24 or public space): DMZ. This zone will contain a)
Cisco PIX to provide legacy access to our VPN (which is in the process of
being replaced with OpenVPN), b) public interface for the Asterisk domU to
accept incoming SIP calls, c) public web server. I don't know if I want to
use static NAT or bridge the traffic and give the interfaces public IPs.
Static mappings will be easier to set up and maintain, but SIP (VoIP
signaling protocol) has problems with NAT (especially when both the client
and server are NATed) since the SIP header contains the source IP which
isn't normally translated by the firewall.
eth2 (192.168.1.0 /24): Internal VoIP network. In the office we have a
physically separate LAN (separate cabling, switch, etc) which will
interconnect the internal VoIP phones to the internal virtual interface on
the Asterisk domU.
eth3 (public /29): Our T1 connection to the Internet. Our telecom provider
is also providing our voice trunking via SIP handoff, so both voice and data
will be coming in on this interface.
Once I get my head wrapped around all of this and get a stable config
working, I'd also like to swap out the dual-port NIC with a quad-port. I'd
then add in two additional zones for a backup DSL connection and wifi
access.
I'm very comfortable with Asterisk and moderately experienced with
Shorewall, but still rather new to Xen and am having difficulty visualizing
the proper network config to use. Bridged? Routed? With a handful of
servers and switches I'm sure I'd manage much better, but that's not very
efficient. :-) Anyone have any suggestions? Thanks!
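As an added illustration of the four-zone layout described above (not from the original post or from Shorewall's own documentation), here is a minimal Shorewall zones/interfaces/policy/masq/rules set for the static-NAT variant. It assumes dom0 sees the interface names used in the post (with Xen's network-bridge script the dmz line would name the bridge device instead), constructed DMZ addresses of 192.168.2.10 for the Asterisk domU and 192.168.2.20 for the web server, and the RTP range from Asterisk's default rtp.conf.

```conf
# /etc/shorewall/zones -- one zone per physical interface, matching the post
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4      # eth3: T1, carries data and the provider's SIP trunk
loc     ipv4      # eth0: office LAN
dmz     ipv4      # eth1: PIX, Asterisk public leg, web server
voip    ipv4      # eth2: physically separate phone LAN

# /etc/shorewall/interfaces -- names assumed as in the post; with Xen's
# network-bridge script the dmz line would name the bridge device instead
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth3        detect      tcpflags,nosmurfs,routefilter
loc     eth0        detect      tcpflags
dmz     eth1        detect      tcpflags
voip    eth2        detect      tcpflags

# /etc/shorewall/policy -- default deny; in bridged mode the phones reach
# Asterisk's internal leg over the eth2 bridge without being routed by dom0,
# so voip gets no policy beyond the catch-all REJECT
#SOURCE DEST    POLICY   LOG
fw      all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
net     all     DROP     info
all     all     REJECT   info

# /etc/shorewall/masq -- hide loc and dmz behind the /29 on eth3
#INTERFACE   SOURCE
eth3         192.168.0.0/24,192.168.2.0/24

# /etc/shorewall/rules -- static-NAT variant; DMZ addresses are constructed
#ACTION SOURCE               DEST               PROTO   DEST PORT(S)
# SIP signalling from the provider's trunk and external clients to Asterisk
DNAT    net                  dmz:192.168.2.10   udp     5060
# RTP media; the range must match Asterisk's rtp.conf (default 10000-20000)
DNAT    net                  dmz:192.168.2.10   udp     10000:20000
# Asterisk registers with and sends calls to the provider
ACCEPT  dmz:192.168.2.10     net                udp     5060,10000:20000
# public web server
DNAT    net                  dmz:192.168.2.20   tcp     80
# DNAT rewrites only the IP header: Via, Contact and SDP still carry
# 192.168.2.10, so set externip/localnet in Asterisk's sip.conf (or front it
# with the SIP proxy the post mentions) to present the public address
```

Verify the result with `shorewall check` before `shorewall restart`, and adjust the RTP range if rtp.conf on the Asterisk domU has been changed from the default.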
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users