Try specifying a MAC address within the dom-u. Depending on the router
you have and size of the network (looks large?) it could take from 10 -
90 seconds for the router to arp the new mac.
Also don't forget the bridge learning curve before you say "ARG, it's not
working" :)
HTH
--Tim
On Mon, 2006-09-11 at 12:55 +0200, Jaume Sabater wrote:
> Hello everyone!
>
> I have a machine with two network interfaces, eth0 and eth1. Eth0 is
> connected to the LAN (192.168.1.0/24) and eth1 to my router
> (ip:80.36.214.x, gw: 80.36.214.y). This server is acting as a
> proxy-cache as well. I also have a VPN between the two
> subnets 192.168.0.0/24 and 192.168.1.0/24.
>
> I have a running kernel 2.6.16.19 with Xen 3.0.2 on a Debian x86_64 Sid
> (custom kernel). I want to use Xen virtual machines only internally (as
> any other normal PC inside the 192.168.1.0/24 network, but with no need
> to be accessed from the Internet). So, I have created a virtual machine
> using the xen-tools package provided by Steve:
>
> [1] http://packages.debian.org/unstable/utils/xen-tools
>
> These are the parameters of /etc/xen-tools/xen-tools.conf:
>
> dir = /home/xen
> debootstrap = 1
> size = 2Gb
> memory = 128Mb
> swap = 256Mb
> fs = ext3
> dist = etch
> image = sparse
> gateway = 192.168.1.3
> netmask = 255.255.255.0
> passwd = 1
> kernel = /boot/xen0-linux-2.6.16.19-xen
> initrd =
> mirror = http://ftp.se.debian.org/debian/
>
> I created the image with this command:
>
> xen-create-image --hostname=xen01 --ip=192.168.1.10 --passwd
>
> The /etc/network/interfaces in the virtual machine (dom1):
>
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet static
> address 192.168.1.10
> gateway 192.168.1.3
> netmask 255.255.255.0
>
> Everything went fine:
>
> - I can connect to the virtual machine from the host (192.168.1.3)
> - I can connect to the Internet from inside the virtual machine.
>
> But:
>
> - I can't ping the virtual machine 192.168.1.10 from any other PC in the
> 192.168.1.0/24 network (but the host 192.168.1.3). It says "Destination
> Host Unreachable".
> - I can't ping any host in the 192.168.1.0/24 network from inside the
> virtual machine 192.168.1.10. It does not complain, though.
>
> I have set up /etc/xen/xend-config.sxp using:
>
> (network-script network-route)
> (vif-script vif-route)
>
> Honestly, I don't have any other reason to choose routing instead of
> bridging except the fact that I tried for days and days with the
> bridging thing and I could make it work, so I said "next try another
> option".
>
> When I was using bridging, I could ping from inside a VM to a PC, but
> not from a PC to the VM. Again, I could really tell what was wrong (I am
> not an expert with iptables, I admit it).
>
> My firewall looks like this (short version):
>
> BOF ----------------------------
>
> iptables --policy INPUT DROP
> iptables --append INPUT --in-interface ! eth1 --jump ACCEPT
> iptables --append INPUT --match state --state ESTABLISHED,RELATED \
> --jump ACCEPT
> iptables --append INPUT --proto ICMP --jump ACCEPT
>
> # SSH
> iptables --append INPUT --proto tcp --match state --dport ssh \
> --state NEW --source a.b.c.d --jump ACCEPT
>
> # VPN
> iptables --append INPUT --in-interface eth1 --proto udp \
> --sport isakmp --dport isakmp --source 213.96.x.y \
> --destination ${VPN_SRC} --jump ACCEPT
> iptables --append INPUT --in-interface eth1 --proto tcp \
> --sport isakmp --dport isakmp --source 213.96.x.y \
> --destination 80.36.x.y --jump ACCEPT
> iptables --append INPUT --in-interface eth1 --proto ah \
> --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
> iptables --append INPUT --in-interface eth1 --proto esp \
> --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
>
> # Transparent proxy
> iptables --table nat --append PREROUTING --in-interface eth0 \
> --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
> --proto tcp --dport 80 --jump REDIRECT --to-port 3128
>
> # Activate Network Address Translation
> /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
> --destination ! 192.168.0.0/24 --out-interface eth1 \
> --jump MASQUERADE
>
> EOF ----------------------------
>
> 80.36.x.y is the gateway in the machine (my end)
> 213.96.x.y is the gateway of the other end of the VPN
>
> So, as far as I know, after reading as many docs as Google could provide
> me with, I guess the problem is that traffic is not "routed" from the
> eth0 to the vif. My ifconfig (summarized version) looks like this:
>
> eth0 Link encap:Ethernet HWaddr ------
> inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
> eth1 Link encap:Ethernet HWaddr ------
> inet addr:80.36.x.y Bcast:80.36.214.191 Mask:255.255.255.224
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> vif3.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.255
>
> Also, as a final note, when I was attempting to make it work by using
> bridging, my server stopped forwarding connections from the LAN to the
> Internet, so that was one more reason to try the "routed" setup. At
> least now I can let people work while I try to finish up this setup and
> don't have to go to the office on Saturday :)
>
> Any hints? If you need any more information, please let me know. Thanks
> in advance.
>
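For a routed (network-route / vif-route) domU like the one in the quoted post, the symptom on the LAN side ("Destination Host Unreachable" from other PCs) is what you get when nothing on the wire answers ARP for the domU's address: the domU sits behind dom0, so dom0 has to forward, proxy-ARP for 192.168.1.10 on eth0, and hold a host route for that IP pointing at the vif. The script below is an added example, not code from the thread or from the Xen scripts; it checks those four things on a dom0 and prints the fix for each one it finds missing. The interface and address values (eth0, vif3.0, 192.168.1.10) are taken from the post and are overridable; ROOT is an assumption of this example that points the checks at a fake /proc tree and a captured `ip route` listing so they can be exercised off the box.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for a routed
# Xen domU, i.e. (network-script network-route) + (vif-script vif-route).
# Defaults are the values from the quoted post; override via the environment.
LAN_IF="${LAN_IF:-eth0}"          # dom0 interface on the 192.168.1.0/24 LAN
VIF="${VIF:-vif3.0}"              # backend vif of the domU in dom0
DOMU_IP="${DOMU_IP:-192.168.1.10}" # address configured inside the domU
ROOT="${ROOT:-}"                  # assumption for offline runs: fake /proc root

# read_sysctl <path under /proc/sys/net/ipv4>: prints the value, or "missing"
read_sysctl() {
    f="$ROOT/proc/sys/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# route_table: 'ip route show' on a real dom0; a captured copy when ROOT is set
route_table() {
    if [ -n "$ROOT" ]; then cat "$ROOT/ip-route.txt"; else ip route show; fi
}

# check_routed_vif: returns 0 when every requirement holds, otherwise prints
# one FAIL line (with the fix) per problem and returns the number of failures.
check_routed_vif() {
    fails=0
    sys="/proc/sys/net/ipv4"

    # 1. dom0 must forward packets between the LAN interface and the vif.
    if [ "$(read_sysctl ip_forward)" != 1 ]; then
        echo "FAIL: forwarding off   (echo 1 > $sys/ip_forward)"
        fails=$((fails + 1))
    fi

    # 2. LAN hosts ARP for $DOMU_IP on the wire. The domU cannot hear that,
    #    so dom0 must answer on its behalf; without this the other PCs report
    #    "Destination Host Unreachable".
    if [ "$(read_sysctl "conf/$LAN_IF/proxy_arp")" != 1 ]; then
        echo "FAIL: proxy_arp off on $LAN_IF (echo 1 > $sys/conf/$LAN_IF/proxy_arp)"
        fails=$((fails + 1))
    fi

    # 3. The domU ARPs for its gateway on its own link, which is the vif;
    #    dom0 must answer there too.
    if [ "$(read_sysctl "conf/$VIF/proxy_arp")" != 1 ]; then
        echo "FAIL: proxy_arp off on $VIF (echo 1 > $sys/conf/$VIF/proxy_arp)"
        fails=$((fails + 1))
    fi

    # 4. Forwarded packets for the domU must leave via the vif, so dom0 needs
    #    a host route for $DOMU_IP pointing at it.
    if ! route_table | grep -qE "^$DOMU_IP[[:space:]]+dev[[:space:]]+$VIF([[:space:]]|\$)"; then
        echo "FAIL: no host route      (ip route add $DOMU_IP dev $VIF)"
        fails=$((fails + 1))
    fi

    return $fails
}

# Run the checks when executed directly on a dom0:  sh routed-vif-check.sh run
if [ "${1:-}" = run ]; then
    check_routed_vif && echo "OK: routed domU $DOMU_IP via $VIF looks sane"
fi
```

Run it as root on dom0 with `sh routed-vif-check.sh run` (or `VIF=vif4.0 DOMU_IP=192.168.1.11 sh routed-vif-check.sh run` for another guest). A clean result only means dom0 is set up to answer for the domU; Tim's point still applies, since switches and the router keep their own ARP and MAC tables and may need a little time (or a fixed MAC in the domU config) before they learn the new address.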
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users