How do I NAT a public interface in XenServer 5.6?

hawk82 ([H]ard|Gawd), joined Oct 2, 2001, 1,473 messages
I've got a 1U server that has Citrix XenServer 5.6 installed on it. It has two physical Ethernet interfaces, both connected to the same network switch; one interface has a public IP address on it and the second interface has a private RFC 1918 address on it (this can be changed if necessary). I use the private RFC 1918 interface to do administrative tasks, transfer data amongst the servers and guest VMs, etc. I'm given a /29 IP address allocation by a friend to use for my servers (using his FTTP internet connection). I want to set up a few guest VMs, but really most of them do not need to be using public IP addresses.

Is there a way to NAT the public interface on XenServer so that guest VMs can use RFC 1918 addresses and get online, instead of using the few IP addresses I am given? Also, how would I enable port forwards so that I can get applications like Asterisk, SMTP, etc. to work?

My Google-fu doesn't seem to be helping me find the answer.

Listing of interfaces on the Xenserver:
Code:
eth0      Link encap:Ethernet  HWaddr 00:30:48:92:AD:4E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:30:48:92:AD:4F
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

vif1.1    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

xenbr0    Link encap:Ethernet  HWaddr 00:30:48:92:AD:4E
          inet addr:69.49.xxx.xxx  Bcast:69.49.xxx.xxx Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

xenbr1    Link encap:Ethernet  HWaddr 00:30:48:92:AD:4F
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
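As an added example that is not part of the original post, and not anything from Citrix, the rule set below is one way to get what the question asks for with the iptables already present in the XenServer 5.6 control domain (CentOS 5 based): masquerade guest traffic out of xenbr0 and publish a few guest services with DNAT. It assumes, beyond what the listing above shows, that the guests needing no public address get a VIF on the private bridge xenbr1 (10.0.0.0/24) and use dom0's 10.0.0.5 as their default gateway; the guest addresses 10.0.0.10 (SMTP) and 10.0.0.11 (Asterisk) are made up for illustration. By default the script only prints the commands so they can be reviewed; APPLY=1 runs them.

```shell
#!/bin/sh
# Added example for this thread, not from the original post or from Citrix:
# NAT plus port forwards for XenServer 5.6 dom0 using its stock iptables.
#
# Assumptions not stated on the page: guests without a public address sit on
# xenbr1 (10.0.0.0/24) with 10.0.0.5 (dom0) as default gateway; the guest
# addresses 10.0.0.10 (SMTP) and 10.0.0.11 (Asterisk) are made up.

PUB_IF=${PUB_IF:-xenbr0}          # bridge carrying the /29 public address
PRIV_IF=${PRIV_IF:-xenbr1}        # bridge carrying 10.0.0.5/24
PRIV_NET=${PRIV_NET:-10.0.0.0/24}
IPT=${IPT:-iptables}
APPLY=${APPLY:-0}                 # 0 prints the commands, 1 runs them (root in dom0)

# Print or execute a command depending on APPLY, so the rule set can be
# reviewed before anything touches the live firewall.
cmd() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}
ipt() { cmd "$IPT" "$@"; }

# Base NAT: masquerade guest traffic leaving via the public bridge and let
# only replies back in. FORWARD defaults to DROP so dom0 does not become an
# open router between the two bridges (or between the /29 and the 10.0.0.0/24).
nat_base() {
    cmd sysctl -w net.ipv4.ip_forward=1
    ipt -P FORWARD DROP
    ipt -t nat -A POSTROUTING -s "$PRIV_NET" -o "$PUB_IF" -j MASQUERADE
    ipt -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -s "$PRIV_NET" -j ACCEPT
    ipt -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# port_forward PROTO PUBLIC_PORT[:END] GUEST_IP [GUEST_PORT[:END]]
# Publishes one guest service on the public bridge. Port ranges use a colon
# for --dport but a dash for DNAT --to-destination, which is easy to get wrong.
port_forward() {
    proto=$1 pub_port=$2 guest=$3
    guest_port=${4:-$2}
    dnat_port=$(printf '%s' "$guest_port" | tr ':' '-')
    ipt -t nat -A PREROUTING -i "$PUB_IF" -p "$proto" --dport "$pub_port" \
        -j DNAT --to-destination "$guest:$dnat_port"
    ipt -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -p "$proto" -d "$guest" \
        --dport "$guest_port" -j ACCEPT
}

# The rule set for the services named in the question: SMTP to one guest,
# SIP signalling plus Asterisk's default RTP range (10000-20000/udp) to another.
all_rules() {
    nat_base
    port_forward tcp 25 10.0.0.10
    port_forward udp 5060 10.0.0.11
    port_forward udp 10000:20000 10.0.0.11
}

all_rules
```

Two caveats worth knowing before relying on this. Rules added this way live only in the running kernel; on a CentOS 5 style dom0 they would need `service iptables save` (an assumption about the XenServer build, not something the page states) or a startup script to survive a reboot. And because both physical interfaces hang off the same switch, the "private" 10.0.0.0/24 segment is only as private as that switch's port or VLAN configuration; the reply in this thread, a real router or firewall in front of the host, remains the cleaner design, and Citrix generally does not support extra services running in the control domain.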
 
Why are you letting one interface have a public IP address in the first place? You're exposing your actual server interface to the world. You need to NAT all of it and just have your router/firewall handle your NAT statements and let the outside world see your router/firewall, not your physical server interface.

If you continue to do it this way and you want access for the other VMs internally only, add another network interface to the server and set it up to be private and route accordingly.
 
The way I understand how Citrix Xenserver works is that you assign an interface a public IP address and it bridges it to the guest VMs so that they can have public IP addresses if needed. You can't ping the public interface and no services can be connected to it (ssh, www, smtp, etc). I have a second interface where it has a private IP address that is the "management" interface. The private interface is where all of the services are running and can be accessed.

I don't currently have a router in place, as the /29 that is handed to me is off an interface on my friend's MikroTik router. That's why I want to NAT the bridged interface (if that is even possible).
 
This is why God in collaboration with Cisco invented routers and NAT.
 