[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Advanced Networking


  • To: "Steffen Heil" <lists@xxxxxxxxxxxxxxx>
  • From: "Enderson Maia" <endersonmaia@xxxxxxxxx>
  • Date: Thu, 16 Mar 2006 14:27:22 -0300
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 16 Mar 2006 17:28:40 +0000
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=aj8F/NzWLZ/hGcbj8zIwZVptXxiJQHxpmRHZw4xFIXdsQo1YihQzIIuj4ytmtmeP0UqkXPrLOqVwRSe7awPq9c9huJfWfV8dvCwAQKp57D5qN/B3e366bqJx6dqeo3IprmH+Vv+LHfDPZNIGeKbJJENWjhytj8TpKInWWvqKwHA=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

I have the same problem here.

I have snat and masquerading for internet working with script-nat, but
with bridgind, I can't make it work.

If someone finds the solution, let me know.

On 3/10/06, Steffen Heil <lists@xxxxxxxxxxxxxxx> wrote:
> Hi
>
> I have a fairly complex networking issue with xen, which I need to get
> runnning.
> My biggest problem obviously does not arise from xen directly, but more from
> linux networking, but I assume someone here might have had the same
> problem(s).
>
> So, here we go:
>
> Given hardware:
> I have 1 server with 4 public IPs which need to have the same MAC.
> Say, $mac for $ip1, $ip2, $ip3, $ip4. All IPs have subnet /24, with $ip3 and
> $ip4 residing in the same subnet, and $ip1 and $ip2 in different subnets
> each.
>
> Required installations:
> I want to run dom0 with as few as possible services for domain admin only.
> I need to run two domUs for ISP services.
> I want to keep one IP for testing purposes.
> I need to run one domU for backuppc.
> I propably want to run one domU for monitoring of the other domUs and some
> external systems.
>
> My first step was to get dom0 running. Done at $ip1.
> Then I created the backuppc domU (was most important). Done at $ip2.
>
> I use network/vif-bridge for that purpose and I got the problem, that my
> provider only accepts ONE MAC.
> I solved this using ebtables:
>
> server02:~# ebtables -t nat -L
> Bridge table: nat
>
> Bridge chain: PREROUTING, entries: 6, policy: ACCEPT
> -p IPv4 -d $mac -i peth0 --ip-dst $2 -j dnat --to-dst 0:16:3e:0:16:1
> --dnat-target ACCEPT
> -p ARP -d $mac -i peth0 --arp-ip-dst $2 -j dnat --to-dst 0:16:3e:0:16:1
> --dnat-target ACCEPT
> -p IPv4 -d $mac -i peth0 --ip-dst $3 -j dnat --to-dst 0:16:3e:0:16:2
> --dnat-target ACCEPT
> -p ARP -d $mac -i peth0 --arp-ip-dst $3 -j dnat --to-dst 0:16:3e:0:16:2
> --dnat-target ACCEPT
> -p IPv4 -d $mac -i peth0 --ip-dst $4 -j dnat --to-dst 0:16:3e:0:16:3
> --dnat-target ACCEPT
> -p ARP -d $mac -i peth0 --arp-ip-dst $4 -j dnat --to-dst 0:16:3e:0:16:3
> --dnat-target ACCEPT
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: POSTROUTING, entries: 6, policy: ACCEPT
> -p IPv4 -s 0:16:3e:0:16:1 -o peth0 --ip-src $2 -j snat --to-src $mac
> --snat-target ACCEPT
> -p ARP -s 0:16:3e:0:16:1 -o peth0 --arp-ip-src $2 -j snat --to-src $mac
> --snat-target ACCEPT
> -p IPv4 -s 0:16:3e:0:16:2 -o peth0 --ip-src $3 -j snat --to-src $mac
> --snat-target ACCEPT
> -p ARP -s 0:16:3e:0:16:2 -o peth0 --arp-ip-src $3 -j snat --to-src $mac
> --snat-target ACCEPT
> -p IPv4 -s 0:16:3e:0:16:3 -o peth0 --ip-src $4 -j snat --to-src $mac
> --snat-target ACCEPT
> -p ARP -s 0:16:3e:0:16:3 -o peth0 --arp-ip-src $4 -j snat --to-src $mac
> --snat-target ACCEPT
>
> This is basically SNAT at MAC-level for $ip2, $ip3 and $ip4.
> $ip1 is the ip of the dom0, which inherits it's mac from the real hardware,
> which already has $mac.
>
> That works. I can access backuppc, it can access other systems.
> I see that there is still a problem with access between dom0 and backuppc,
> since because they are in different subnets, every information is sent over
> the providers router, which makes few sense for two systems runnung on the
> same hardware. But I will come back on this later. I will propably add
> direct routes.
>
> Everything until here is (except for MAC-NAT) xen-default. xen creates the
> xenbr0 bridge, moves eth0 there (renamed to peth0) and connects a virtual
> eth0 in dom0.
>
> Now I finally get to my problem.
>
> At dom0 I set up another bridge xenintbr and give it the ip 192.168.1.1/24.
> Then I set up another domU called test and give it 192.168.1.2.
>
> This works. I can ping it and access services from dom0.
>
> BUT I cannot get ip forwarding working.
>
> I tried:
> - iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT
> --to-source $ip1
> - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> - iptables -t nat -A POSTROUTING -o peth0 -s 192.168.1.0/24 -j SNAT
> --to-source $ip1
> - iptables -t nat -A POSTROUTING -o peth0 -j MASQUERADE
>
> None of these work.
> If the test-domU sends DNS-requests, they ARE translated to source=$ip1 and
> send out. The DNS-Server replies to $ip1, which I can see tcpdumping peth0.
> And those packets dest-mac is really $mac, which means they should be
> delivered to dom0, which should do NAT and forward them to test-domU.
> However, that does not work. The DNS-response never reaches dom0, they do
> not even apper on tcpdumping eth0, neighter correctly nor incorrectly. They
> simple don't.
>
> So, over to you.
> Anyone any guess?
>
> (Please, as my mailing list subscription seems not to be completed yet, send
> answers as direct copy to me. Thanks.)
>
> Regards,
>   Steffen
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>
>
>


--
--
Enderson Maia

ICQ: 8817986
MSN: endersonmaia[arroba]gmail[ponto]com
Linux User: 286130
=============================

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.