
[Xen-users] Trouble using NAT with multiple bridges



I've got a network set up with xen where I have a chain of
dom0<->domU<->domU<->etc. to simulate a multi-hop network path and
implemented with multiple bridges (one per hop to keep them isolated).
It works nicely locally, except that now I'm trying to have dom0 do NAT
for that last hop out to internet and am running into problems (I've
already fixed the ethtool/tx problem afaik).  Something simple like this:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

Will result in dom0 being able to ping into the domU chain at any number
of hops, but the domUs won't be able to ping each other.  Only the first
domU in the chain (so only traversing one bridge) can get out to
internet through the NAT.

The closest I've come to making it work is this (assumed that
POSTROUTING is being hit by each bridge traversal):

iptables -m physdev ! --physdev-is-bridged -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

In which case, the dom0 can ping into the domUs, the domUs can ping each
other, but again, only the first domU in the chain can get out to
internet through the NAT despite the other domUs having a working path
to that working domU.

I figure it's something simple I'm missing, but I'm totally out of
clues, so hoping y'all can help.  Some extra details below in case
they're of use.



(This is the route view at dom0; internet-br0 is the first bridge
between the dom0 and chain of domUs and contains a single interface -
that of the first domU in the chain of domUs (192.168.6.1).  eth0 is the
path out to internet.  All the domUs in the chain are in the
192.168.0.0/16 subnet.  The other bridges have two interfaces and no
directly assigned IP, unlike this one.)
root@fictition:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.1     0.0.0.0         255.255.255.255 UH    0      0        0 internet-br0
72.130.176.0    0.0.0.0         255.255.248.0   U     0      0        0 eth0
192.168.0.0     192.168.6.1     255.255.0.0     UG    0      0        0 internet-br0
0.0.0.0         72.130.176.1    0.0.0.0         UG    0      0        0 eth0


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
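As an added example (not part of the post or a reply to it): a small sh script that derives the upstream interface from a `route -n` table constructed from the figures in the post, emits a MASQUERADE rule scoped with `-o` to that interface so that packets staying on the bridges are not rewritten, and reads the br_netfilter sysctl that decides whether bridged frames reach the nat table at all. The sample table is constructed and the sysctl path is the standard Linux one; everything else is illustrative.

```shell
#!/bin/sh
# Added example, not code from the post. Sample routing table constructed
# from the values quoted in the post (header rejoined onto one line).
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.1     0.0.0.0         255.255.255.255 UH    0      0        0 internet-br0
72.130.176.0    0.0.0.0         255.255.248.0   U     0      0        0 eth0
192.168.0.0     192.168.6.1     255.255.0.0     UG    0      0        0 internet-br0
0.0.0.0         72.130.176.1    0.0.0.0         UG    0      0        0 eth0'

# Print the interface of the default route (destination 0.0.0.0) found in
# the given `route -n` output; prints nothing when there is no default route.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $NF; exit }'
}

# Print a MASQUERADE rule limited to one source range and one egress
# interface. Without "-o", every POSTROUTING traversal matches, including
# bridged frames whenever br_netfilter hands them to iptables.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Report whether bridged frames traverse iptables. $1 is the sysctl file
# to read; it defaults to the live kernel path (assumed standard location).
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then echo "unavailable"; return 0; fi
    case "$(cat "$f")" in
        1) echo "bridged frames pass through iptables" ;;
        0) echo "bridged frames bypass iptables" ;;
        *) echo "unknown" ;;
    esac
}

main() {
    iface=$(default_iface "$ROUTE_SAMPLE")
    [ -n "$iface" ] || { echo "no default route in table" >&2; return 1; }
    masq_rule 192.168.0.0/16 "$iface"
    bridge_nf_state
}

main
```

The printed rule is only emitted, not applied; run it by hand on a dom0 where you have verified that eth0 is the upstream interface.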