Hi all.
I'm running into a strange situation. I have the following setup.

FW1 (firewall 1)
================
#more fw1
kernel = "/boot/vmlinuz-xenpae"
ramdisk = "/boot/initrd-javera-reiserfs.gz"
memory = 64
root = "/dev/hda1"
name = "fw1"
disk = ['phy:xen2_vg/fw1_lv,hda1,w']
#disk = ['file:/var/tmp/xen/fw1.vmdisk,hda1,w']
vif = ['mac=aa:cc:00:00:00:22, bridge=xenbr-FW', 'mac=aa:cc:00:00:00:20, bridge=xenbr-E', 'mac=aa:cc:00:00:00:21, bridge=xenbr-E']
fw1:ext3/root:#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.26.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.26.0.1      0.0.0.0         UG    0      0        0 eth0
FW2 (firewall 2)
================
# more fw2
kernel = "/boot/vmlinuz-xenpae"
ramdisk = "/boot/initrd-javera-reiserfs.gz"
memory = 64
root = "/dev/hda1"
name = "fw2"
disk = ['phy:xen2_vg/fw2_lv,hda1,w']
#disk = ['file:/var/tmp/xen/fw1.vmdisk,hda1,w']
vif = ['mac=aa:cc:00:00:00:41, bridge=xenbr-FW', 'mac=aa:cc:00:00:00:40, bridge=xenbr-SERVERS', 'mac=aa:cc:00:00:00:42, bridge=xenbr-I']
fw2:ext3/var/log:#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.41.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
1.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.33.1    0.0.0.0         UG    0      0        0 eth0
WWW (Web server)
================
# more www.sant-adria.net.EXTERNA
kernel = "/boot/vmlinuz-xenpae"
ramdisk = "/boot/initrd-javera-reiserfs.gz"
memory = 128
name = "www_sant_adria_net"
disk = ['phy:xen2_vg/www_externa_lv,hda1,w']
root = "/dev/hda1"
vif = [ 'mac=aa:cc:00:00:00:11, bridge=xenbr-E' ]
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.33.1    172.26.0.3      255.255.255.255 UGH   0      0        0 eth0
192.168.33.2    172.26.0.3      255.255.255.255 UGH   0      0        0 eth0
172.26.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0 172.26.0.1
Network diagram (reconstructed from the original ASCII drawing):

          [ ADSL router ]  172.26.0.1
                 |
  ---------------+--------------------- 172.26.0.0/16 (host eth0)
                 |
           +-----------+        +-----------+
           |  xenbr-E  |--------|    www    | 172.26.0.50
           +-----------+        +-----------+
                 | 172.26.0.3
           +-----------+
           |    fw1    |
           +-----------+
                 | 192.168.33.1
           +-----------+
           |  xenbr-FW |
           +-----------+
                 | 192.168.33.2
           +-----------+
           |    fw2    |
           +-----------+
                 | 1.1.2.1
           +-----------+        +-----------+
           |  xenbr-I  |--------| servbbdd  | 1.100.0.78
           +-----------+        +-----------+
                 |
  ---------------+--------------------- LAN (1.0.0.0/8) (host eth1)
                 |
           +-----------+
           | 1.100.0.66|
           +-----------+
FW1 and FW2 have iptables with MASQUERADE, so the LAN appears to fw1 as
192.168.33.2 and fw2 appears to the ADSL router as 172.26.0.3 (double NAT).
So I can ping from servbbdd (1.100.0.78) to WWW (172.26.0.50) and
from 1.100.0.66 to WWW too (all seems OK).

From 1.100.0.78, I execute the following:
servbbdd:~ # telnet 172.26.0.50 143
Trying 172.26.0.50...
Connected to 172.26.0.50.
Escape character is '^]'.
* OK blah, blah, blah Cyrus IMAP4 v2.2.12 server ready
From 172.26.0.50 we can see the established connection:

www:reiserfs/root:#netstat -an | grep 143
tcp        0      0 0.0.0.0:143         0.0.0.0:*           LISTEN
tcp        0      0 172.26.0.50:143     172.26.0.3:60547    ESTABLISHED
tcp        0      0 :::143              :::*                LISTEN

Note that all connections are masqueraded and appear to come from
172.26.0.3 (that's OK).
But when I try to do the same from 1.100.0.66, the connection never
completes properly:
telnet 172.26.0.50 143
Trying 172.26.0.50...
Connected to 172.26.0.50.
Escape character is '^]'.
And from 172.26.0.50 we can see an established connection, but it doesn't
work:

netstat -an | grep 143
tcp        0      0 0.0.0.0:143         0.0.0.0:*           LISTEN
tcp        0      0 172.26.0.50:143     172.26.0.3:60547    TIME_WAIT
tcp        0     59 172.26.0.50:143     172.26.0.3:3879     ESTABLISHED
tcp        0      0 :::143              :::*                LISTEN

The following is the brctl output:
xen2:XEN2:/root#brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr-E         8000.feffffffffff       no              vif0.1
                                                        peth1
                                                        vif9.2
                                                        vif13.0
xenbr-I         8000.feffffffffff       no              vif0.0
                                                        peth0
                                                        vif1.2
                                                        vif5.0
xenbr-DMZ       8000.feffffffffff       no              vif9.1
xenbr-FW        8000.feffffffffff       no              vif1.0
                                                        vif9.0
xenbr-SERVERS   8000.feffffffffff       no              vif1.1
                                                        vif3.0
xen2:XEN2:/root#brctl showmacs xenbr-E
port no mac addr is local? ageing timer
2 00:12:a9:d5:48:e4 no 0.15
4 aa:cc:00:00:00:11 no 13.72
3 aa:cc:00:00:00:21 no 0.04
1 fe:ff:ff:ff:ff:ff yes 0.00
xen2:XEN2:/root#brctl showmacs xenbr-I
port no mac addr is local? ageing timer
4 aa:cc:00:00:00:04 no 124.69
3 aa:cc:00:00:00:42 no 0.32
1 fe:ff:ff:ff:ff:ff yes 0.00
Are there any problems with mixing bridges and real switches? Why can't I
establish a TCP session?

Thanks in advance.
--
Juan Antonio Vera
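As an added example (not part of the original post), here is a small parser for the `netstat -an` listings above. It flags the signal that distinguishes the broken session from the good one: an ESTABLISHED socket whose Send-Q stays non-zero (59 bytes queued on the server side that the masqueraded peer never acknowledges), and it checks that every IMAP peer really arrives through the expected MASQUERADE address. The sample lines are constructed from the figures in the post; port 143 and 172.26.0.3 are taken from it.

```python
import re

# Matches one data line of `netstat -an`; the state column is absent for UDP.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["recvq"], d["sendq"] = int(d["recvq"]), int(d["sendq"])
            sockets.append(d)
    return sockets

def split_addr(addr):
    """'172.26.0.3:3879' -> ('172.26.0.3', '3879'); also handles ':::143'."""
    host, _, port = addr.rpartition(":")
    return host, port

def stuck_established(sockets, local_port="143"):
    """ESTABLISHED sockets on local_port with unacknowledged data in Send-Q."""
    return [s for s in sockets
            if s["state"] == "ESTABLISHED"
            and split_addr(s["local"])[1] == local_port
            and s["sendq"] > 0]

def unexpected_peers(sockets, masq_ip="172.26.0.3", local_port="143"):
    """Peer addresses that did not come in via the expected MASQUERADE IP."""
    return sorted({split_addr(s["remote"])[0] for s in sockets
                   if s["state"] == "ESTABLISHED"
                   and split_addr(s["local"])[1] == local_port
                   and split_addr(s["remote"])[0] != masq_ip})

# Constructed sample: the second `netstat -an | grep 143` listing from the post.
SAMPLE = """\
tcp        0      0 0.0.0.0:143         0.0.0.0:*           LISTEN
tcp        0      0 172.26.0.50:143     172.26.0.3:60547    TIME_WAIT
tcp        0     59 172.26.0.50:143     172.26.0.3:3879     ESTABLISHED
tcp        0      0 :::143              :::*                LISTEN
"""

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for s in stuck_established(socks):
        print(f"{s['remote']} -> {s['local']}: {s['sendq']} bytes unacknowledged")
```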
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users