WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Xen DomU and SNAT

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Xen DomU and SNAT
From: "Stephen Carpenter" <thecarp@xxxxxxxxx>
Date: Tue, 7 Aug 2007 00:10:10 -0400
Delivery-date: Mon, 06 Aug 2007 21:07:56 -0700
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
So we are stumped. I set up Xen on my home firewall box. I set up a firewall domU and connected it to each of the three bridges defined in dom0:
[root@terminus ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              vif0.0
                                                        pdummy0
                                                        vif1.0
                                                        vif4.0
xenbr1          8000.feffffffffff       no              vif0.1
                                                        peth1
                                                        vif1.1
xenbr2          8000.feffffffffff       no              vif0.2
                                                        peth2
                                                        vif1.2

dummy0    Link encap:Ethernet  HWaddr 12:C9:10:F5:3F:1D 
          inet addr:192.168.200.9  Bcast:192.168.200.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:02:B3:AF:46:5B 
          inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0

eth2 has no IP, the firewall domU is the only guest connected to the same bridge as eth2. The firewall domU has had its mac for this interface set to the physical mac of the card, and uses DHCP to get an IP address.

I also set up a "dmz" domU which is connected to xenb2. It is 192.168.200.2 and the firewall domU has 192.168.1.1.

The firewall domU is set up to masquerade out to the internet for any host on either the dmz or the LAN:

Chain POSTROUTING (policy ACCEPT 357 packets, 28310 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 131K 7746K MASQUERADE  0    --  any    eth2    anywhere             anywhere  

The upshot is... a host on the lan works fine. As the rules to prevent the dmz routing into the lan are not in place yet, domu hosts in the dmz and physical hosts on the lan can communicate fully (ssh works).

The domU in the dmz can fully communicate with dom0 on its dmz IP (only for testing, will be removed in the final setup) and with the firewall domU. It can communicate fully with hosts on the internal LAN, using the firewall domU to route its packets to the other subnet. It can PING hosts outside on the internet with no issue... but ssh doesn't work. DNS doesn't respond (DNS works fine if it points at an internal host).

Any ideas why this doesn't work? I really don't see anything. It works just fine for hosts on the LAN. The hosts on the dmz should be treated the same?

-Steve


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
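One way to answer "should the dmz hosts be treated the same?" from the listing alone is to check, per source host, outgoing interface and protocol, which POSTROUTING rule would translate the flow. The script below is an added example, not part of Steve's post or of Xen; it parses the column layout of `iptables -t nat -L POSTROUTING -v` as shown above, using a constructed copy of that table plus a constructed LAN-only variant that would leave a DMZ subnet un-NATed while LAN hosts keep working.

```python
import ipaddress

# Constructed sample: the POSTROUTING table from the post, as `iptables -t nat -L POSTROUTING -v`
# prints it (with word forms like "any"/"anywhere" rather than the -n numerics).
POST_TABLE = """\
Chain POSTROUTING (policy ACCEPT 357 packets, 28310 bytes)
 pkts bytes target     prot opt in     out     source               destination
 131K 7746K MASQUERADE  0    --  any    eth2    anywhere             anywhere
"""

# Constructed variant: the same rule restricted to the LAN subnet, a common misconfiguration
# in which LAN hosts keep working but a later-added DMZ subnet is never translated.
LAN_ONLY_TABLE = """\
Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
  42K 3000K MASQUERADE  0    --  any    eth2    192.168.1.0/24       anywhere
"""

ANY_ADDR = {"anywhere", "0.0.0.0/0"}
ANY_IFACE = {"any", "*"}
ANY_PROTO = {"0", "all"}  # older iptables prints "0" for "all protocols", as in the post


def parse_postrouting(text):
    """Return the rule rows of a POSTROUTING listing as dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] in ("Chain", "pkts"):
            continue
        _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = fields[:9]
        rules.append({"target": target, "prot": prot, "in": in_if,
                      "out": out_if, "src": src, "dst": dst})
    return rules


def _addr_matches(spec, ip):
    if spec in ANY_ADDR:
        return True
    try:  # without -n the column may hold a hostname; treat anything unparsable as no match
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def snat_rule_for(text, src_ip, out_iface, proto):
    """First MASQUERADE/SNAT rule whose interface, protocol and source columns admit this flow,
    or None if nothing would translate it. Extra match columns (ports, states) are not evaluated."""
    for r in parse_postrouting(text):
        if r["target"] not in ("MASQUERADE", "SNAT"):
            continue
        if r["prot"] not in ANY_PROTO and r["prot"] != proto:
            continue
        if r["out"] not in ANY_IFACE and r["out"] != out_iface:
            continue
        if _addr_matches(r["src"], src_ip):
            return r
    return None
```

With the post's own rule, both 192.168.200.2 and a LAN host are covered for tcp and udp toward eth2, so the listing itself does not explain why ssh and DNS fail while ping works; the LAN-only variant shows what an asymmetric result would look like.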