On Jul 14, 2006 at 1729 -0700, tbrown@xxxxxxxxxxxxx appeared and said:
>
> Has anyone managed to combine bridged network model and SNAT?
No, but I stumbled into the same problem.
> [...] Looking at TCPdump output, my packets were going out of the domU
> correctly, being nat'd correctly by dom0 (to the dom0 ip address), being
> sent across the wire to a target box, which was replying. On dom0, I could
> see the replies on peth0, but not eth0 ... so of course dom0 never got
> them to nat back to domU. The MAC addresses for the returning packets
> appeared to be correct.
I have two bridges - one for the external IPs and one for DomUs in a
LAN. The Dom0 is an IPsec and OpenVPN gateway linking the DomU LAN with
a remote office and roadwarriors. This works all fine. The only thing
that needs to be done is a SNAT for the DomU LAN. I used the standard
SNAT rule
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d ! 10.0.1.0/24 -m physdev ! --physdev-is-bridged --jump SNAT --to-source 11.22.33.44
which does SNAT, but the return packets get dropped inside Dom0. tcpdump
shows TCP SYNs getting out, NATted correctly, only the return packets
disappear. I also tried the ethtool checksum magic, it makes no
difference. It's a recent Xen 3.0.2 on Gentoo Linux.
Ideas anyone?
Best,
René,
melting in Vienna.
--
"From the delicate strands,
between minds we weave our mesh:
a blanket to warm the soul."
--- Lady Deirdre Skye (SMAC) ---
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
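An added diagnostic, not from this thread and not part of Xen's own network scripts: a POSIX sh helper that checks whether the physical NIC (peth0) and dom0's eth0 are both ports of the Xen bridge, which is the path the replies in the quoted report have to take, and reports the bridge-netfilter sysctl that decides whether bridged frames pass through iptables and conntrack at all (the physdev match in the SNAT rule above only has an effect when that hook is active). The bridge name xenbr0 and the ROOT prefix for reading /sys and /proc (so the checks can be exercised against a constructed tree) are assumptions.

```shell
#!/bin/sh
# Added helper (assumption: Xen 3.x bridged networking, physical NIC renamed
# peth0, dom0's eth0 attached to bridge xenbr0). ROOT prefixes /proc and /sys
# so the functions can be run against a constructed directory tree.
ROOT="${ROOT:-}"

# Print 1 if bridged frames are pushed through iptables (bridge-netfilter on),
# 0 if that hook is off, or "absent" if the sysctl does not exist.
bridge_nf_state() {
    f="$ROOT/proc/sys/net/bridge/bridge-nf-call-iptables"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Print the ports attached to bridge $1, space separated (empty if none).
bridge_ports() {
    d="$ROOT/sys/class/net/$1/brif"
    [ -d "$d" ] || { echo ""; return 1; }
    ls "$d" | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only when both $2 (physical NIC) and $3 (dom0 virtual NIC) are
# ports of bridge $1; otherwise replies seen on $2 can never reach $3.
bridge_has_both() {
    ports=" $(bridge_ports "$1") "
    case "$ports" in *" $2 "*) ;; *) return 1 ;; esac
    case "$ports" in *" $3 "*) return 0 ;; *) return 1 ;; esac
}

# Human-readable summary for bridge $1, physical NIC $2, dom0 NIC $3.
diagnose() {
    br="$1"; phys="$2"; virt="$3"
    if bridge_has_both "$br" "$phys" "$virt"; then
        echo "ok: $phys and $virt are both ports of $br"
    else
        echo "problem: $br ports are '$(bridge_ports "$br")', expected $phys and $virt"
        return 1
    fi
    case "$(bridge_nf_state)" in
        1) echo "note: bridge-nf-call-iptables=1, bridged frames traverse iptables/conntrack" ;;
        0) echo "note: bridge-nf-call-iptables=0, iptables only sees traffic routed via $virt" ;;
        *) echo "note: bridge-nf sysctl absent (bridge module not loaded?)" ;;
    esac
}
```

Run as `ROOT= sh diagnose.sh` on the dom0 after sourcing the functions, or point ROOT at a copied tree to reason about a host offline.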