[Xen-users] routing in xen 3.0: icmp gets routed, but tcp/ip only partially

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] routing in xen 3.0: icmp gets routed, but tcp/ip only partially
From: Peter Fokkinga <peter@xxxxxxxxxxx>
Date: Sat, 01 Apr 2006 15:18:16 +0200
Hello folks,

I have this really strange routing problem that no amount of
googling and experimenting has been able to solve. Then again,
I'm new to Xen and "advanced" networking, so I could be missing
something very basic.

Summary: an unprivileged domU with PCI frontend for a NIC
is used as a router; icmp gets routed, but tcp/ip only
partially. I'm using a xen-unstable snapshot, dated March 31,
running on Ubuntu Dapper Drake.

Warning: this is a long post ;-)

Here's the network topology:

    +---------------+
    |      ext      |
    | (192.168.2.1) |
    +---------------+
            |
            |
         (eth2)
     +-------------+               +---------------+
     |  fw  (domU) | (eth1) -+-----|  dmz (domU)   |
     +-------------+         |     | (172.17.17.2) |
         (eth0)            xenbr1  +---------------+
            |
            +-- xenbr0
            |
    +---------------+
    |  xeno (dom0)  |
    |   (10.0.0.1)  |
    +---------------+


The domU host "fw" has the e100 (Intel EtherPro 100) driver
loaded for eth2 (the PCI device was hidden from dom0). Hosts
"xeno" and "fw" are connected to bridge "xenbr0", hosts
"fw" and "dmz" are connected through bridge "xenbr1".

Routing tables are at the end of this post.

Note that there's no firewall installed (yet); it's just
plain routing at the moment. All hosts have inetd running,
with services "daytime" and "echo" active; these services
are great diagnostics; they're simple and when "echo" works
then more complicated things like ssh will too.

What works?
 * ping from everywhere to everywhere (traceroute too)
 * full access from everywhere to "fw"
 * full access from "fw" to everywhere
 * full access from "dmz" to "xeno"
 * from "dmz": `telnet ext daytime`
 * from "xeno": `telnet ext daytime`

If I disable ip_forwarding on "fw" then it's not possible to
connect from "dmz" to "xeno" or vice versa; so traffic really
is going through "fw".

What does NOT work?
 * from "ext": `telnet dmz daytime`
 * from "ext": `telnet dmz echo`
 * from "dmz": `telnet ext echo`
 * from "xeno": `telnet ext echo`
In all these cases I get connected, but no output; however, I
do get output when I connect to a specific interface on "fw"
(in other words, if host "fw0" is the ip-address of eth0 on "fw" then
`telnet fw0 echo` works fine from "ext").

It's as if no IP data (as opposed to syn/ack) wants to go from
"fw" to "ext"?

Routes defined on all hosts:
(192.168.1.1 is the gateway connected to my ADSL modem)

host "fw"
Destination     Gateway         Genmask         Flags  Iface
172.17.17.0     0.0.0.0         255.255.255.0   U      eth1
10.0.0.0        0.0.0.0         255.255.0.0     U      eth0
192.168.0.0     0.0.0.0         255.255.0.0     U      eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG     eth2

host "xeno"
Destination     Gateway         Genmask         Flags  Iface
172.17.18.0     0.0.0.0         255.255.255.0   U      xenbr1
10.0.0.0        0.0.0.0         255.255.0.0     U      eth2
0.0.0.0         10.0.1.1        0.0.0.0         UG     eth2

host "dmz"
Destination     Gateway         Genmask         Flags  Iface
172.17.17.0     0.0.0.0         255.255.255.0   U      eth0
0.0.0.0         172.17.17.1     0.0.0.0         UG     eth0

host "ext" (not xen, separate machine on my LAN)
Destination     Gateway         Genmask         Flags  Iface
172.17.17.0     192.168.8.1     255.255.255.0   UG     eth0
192.168.0.0     0.0.0.0         255.255.0.0     U      eth0
10.0.0.0        192.168.8.1     255.0.0.0       UG     eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG     eth0


Help me, Obi-Wan Xenobi; you're my only hope.

Regards, Peter Fokkinga
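An added diagnostic, not from the post or from Xen: a longest-prefix route lookup over the four tables above that walks a packet host by host and checks whether the forward and return paths between two hosts cross the same router, which is the first thing to rule out when TCP connections open but carry no data. It assumes fw's eth2 address is 192.168.8.1 (the gateway "ext" uses); the post never states that address.

```python
import ipaddress

# Routing tables copied from the post (netstat -rn style):
# (destination, gateway, genmask, iface)
ROUTES = {
    "fw": [("172.17.17.0", "0.0.0.0", "255.255.255.0", "eth1"),
           ("10.0.0.0", "0.0.0.0", "255.255.0.0", "eth0"),
           ("192.168.0.0", "0.0.0.0", "255.255.0.0", "eth2"),
           ("0.0.0.0", "192.168.1.1", "0.0.0.0", "eth2")],
    "xeno": [("172.17.18.0", "0.0.0.0", "255.255.255.0", "xenbr1"),
             ("10.0.0.0", "0.0.0.0", "255.255.0.0", "eth2"),
             ("0.0.0.0", "10.0.1.1", "0.0.0.0", "eth2")],
    "dmz": [("172.17.17.0", "0.0.0.0", "255.255.255.0", "eth0"),
            ("0.0.0.0", "172.17.17.1", "0.0.0.0", "eth0")],
    "ext": [("172.17.17.0", "192.168.8.1", "255.255.255.0", "eth0"),
            ("192.168.0.0", "0.0.0.0", "255.255.0.0", "eth0"),
            ("10.0.0.0", "192.168.8.1", "255.0.0.0", "eth0"),
            ("0.0.0.0", "192.168.1.1", "0.0.0.0", "eth0")],
}
# Interface address -> host, from the diagram and the gateways the other
# hosts point at. 192.168.8.1 being fw's eth2 is an ASSUMPTION.
OWNER = {"10.0.0.1": "xeno", "172.17.17.2": "dmz", "192.168.2.1": "ext",
         "172.17.17.1": "fw", "10.0.1.1": "fw", "192.168.8.1": "fw"}

def lookup(host, dst):
    """Longest-prefix match of dst in host's table -> (next_hop, iface).
    next_hop is None when the destination is directly connected."""
    addr, best = ipaddress.ip_address(dst), None
    for dest, gw, mask, iface in ROUTES[host]:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, None if gw == "0.0.0.0" else gw, iface)
    return best[1:] if best else None

def trace(src_host, dst, max_hops=8):
    """Follow next hops from src_host; returns the hosts traversed, ending
    at the owner of dst or at a gateway no table here belongs to."""
    path, host = [src_host], src_host
    for _ in range(max_hops):               # bound protects against loops
        route = lookup(host, dst)
        if route is None:
            break                           # no route: packet is dropped
        next_hop, _iface = route
        if next_hop is None:                # directly connected: delivered
            path.append(OWNER.get(dst, dst))
            break
        host = OWNER.get(next_hop, next_hop) # hop onto the gateway host
        path.append(host)
        if host not in ROUTES:
            break
    return path

def symmetric(a_host, a_ip, b_host, b_ip):
    """True when a->b and b->a traverse the same routers in reverse order."""
    return trace(a_host, b_ip) == list(reversed(trace(b_host, a_ip)))
```

Both failing pairs in the post ("ext" to "dmz" and "xeno" to "ext") come out symmetric through "fw", so the tables alone do not explain the lost data; the next checks are the forwarding path inside "fw" (tcpdump on eth1/eth2) and MTU/checksum handling on the bridged interfaces.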
