[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] masquarading traffic from domU

  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: "Christian Hobelsberger" <hobi1972@xxxxxxxxx>
  • Date: Thu, 9 Mar 2006 21:37:49 +0100
  • Delivery-date: Thu, 09 Mar 2006 20:38:52 +0000
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type; b=nK8oHmKDIfNyzccBV8kFEd6wLfRR+x+uEqvLb7YQLRE2mJqdquySmNFLVLyBedsWynVoKLdgaaU4yjk4ACRV4Tm4NUFv9rEfEI54DV9z3z7S9KJUQ8NsMTuaaoXYHIwu6XatnWtgRux8HkcDrdTH7v1qbqBGGHiV3x8dieDasqU=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

hello, i'm having a firewall / xen-networking problem where i got stuck ... any help would be very appreciated!

My dom0 has a openvpn connection to a openvpn-server, which gives access to a network. Accessing from dom0 works without a problem.

In a domU i'd like to access, too ... therefore i added the IP of dom0 as gateway for packages to this network. If i try to ping any host in the network, i get no response - as the hosts see the original IP of the domU (which is and for that IP there is no route back ... so far, so good.

If i access a host in the remote network from dom0, the connection can be established - as the remote hosts see the IP which was assigned from openVPN to dom0 - and for these IPs there is a route back.

Now i tried to use shorewall, to have all traffic originating in domU, with destination at, masquararded with the openVPN-IP of dom0.
I tried a line like that in /etc/shorewall/masq:
But for any reason the traffic is not masquaraded ... the remote hosts still see the original IP fo domU.

For fun i tried to use in shorewall/masq
In that case a ping from domU to a host in does not even arrive - strange enough, a tcpdump on xenbr0 shows the original IP of domU, but on eth0 i see the openVPN IP ... so masquarading occured ... but then the packages seem to vanish, at least they don't reach tun0.

Just to mention:
The shorewall rules/policies are all to "accept". Logs show no strange messages, all seems to be ok.

I assumed this to be a simple task - as the szenario should be almost the same as in a common "eth0 connected to LAN and eth1 to the internet" szenario ... but i don't get it working.

What am i missing? What do i need to do, to have may traffic from domU masquaraded ...

Thanks for any help!
Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.