
Re: [Xen-users] XEN Bridged Network and NAT

Hi Michael,

[Note: I don't usually do this, but I'm leaving a full quote below
 because I'm not going to give answers to specific sentences]

What Dom0 kernel are you using?  The old non-pvops Dom0 kernel (unless
it has changed in the meantime) had some non-standard hacks to avoid
unnecessary checksumming of the packets between the Dom0 and DomUs.
These hacks unfortunately broke Dom0 NAT.  I believe the problem was
that outgoing packets (the packets leaving Dom0 on an actual network
card) had the wrong checksum or something like that.

In case you are using such a kernel and still want to use this kind of
NAT setup without changing the kernel, I can try to dig up the kernel
patch that I made for this.  It adds some Xen-specific hacks to the NAT
code to fix things up.


> Hello everybody,
> I have two physical machines running at a provider. Each of them has 2
> physical network cards. Eth0 is connected to the internet and eth1
> connects the two machines directly. As you may divine, we would like to have a
> highly available setup. But because the provider does not allow taking
> the IPs of one machine to the other, and for security reasons, I decided to
> run the virtual machines with a bridged private network on eth1 and
> masquerade the virtual machines which need internet access or where the
> outside world needs access. The idea behind it: if the machine where the
> webserver resides fails, the server moves to the other machine and there
> heartbeat starts an emergency nameserver as well, which provides the new
> official IPs. The nameservers have a short TTL, so after about 10
> minutes the new IPs should be known by everyone. So far everything works
> fine. But I have two problems.
> The first one: I cannot access the service which is running on the
> virtual machine with its official IP on the same machine or in dom0.
> e.g. the virtual machine runs a webserver and has the IP
> It has to be reachable by the outside world with the IP
> On dom0 I do a
> -A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT
> --to-destination
> to assign the official address to the virtual machine and a
> -A POSTROUTING -s -d ! -j SNAT
> --to-source
> so that the virtual machine gets internet access.
> If I now try to access the website with lynx on the virtual machine with
> the IP I get a timeout. On dom0 lynx tells me the site is not
> reachable.
> On the other side, a ping or traceroute is working.
> The second problem affects the mailserver, which is running on a virtual
> machine as well.
> Some clients tell me now that they are sometimes not able to send eMails
> with an attachment. The attachment is not that big, maybe 1-4MB. But if
> the client tries to send the mail, he gets a timeout after a while.
> Sometimes after 10%, sometimes after 99% of the upload, and sometimes the
> same mail gets through. I cannot reproduce the problem. If I try to
> send an eMail with an attachment it gets through all the time. But it
> seems to have something to do with the masquerading. On another machine
> with XEN and the same setting of the mailserver but without masquerading
> the clients have no problem sending mails with huge attachments.
> Maybe somebody has an idea what I'm doing wrong.
> Thanks in advance.
> By Michael
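The nat-table ruleset Michael quotes, written out in full and extended with the two rules that the "same machine / in dom0" case needs, as an added example: this is not part of the thread and is neither Michael's nor the reply author's code. Every address below is a constructed placeholder (the thread's real IPs are not shown), and the script assumes Dom0 is the default gateway of the DomUs on the private bridge and that `net.ipv4.ip_forward` is enabled on Dom0. It prints the rules rather than applying them, so it can be reviewed first.

```sh
#!/bin/sh
# Added example, not from the thread: generate the Dom0 nat-table rules for a
# DomU on a private bridge (eth1) that is reachable under an official IP held
# by Dom0 on eth0. Addresses are constructed placeholders; override via env.

PUB_IP="${PUB_IP:-198.51.100.10}"     # official IP, configured on Dom0's eth0 (placeholder)
PRIV_IP="${PRIV_IP:-10.0.0.10}"        # webserver DomU on the private bridge (placeholder)
PRIV_NET="${PRIV_NET:-10.0.0.0/24}"    # the bridged private network on eth1 (placeholder)
DOM0_PRIV="${DOM0_PRIV:-10.0.0.1}"     # Dom0's own address on the private bridge (placeholder)
PORT="${PORT:-80}"

# Emit (do not apply) the four nat-table rules. Pipe into sh on Dom0 to apply.
nat_rules() {
  # 1. Inbound from the Internet: official IP -> DomU (the quoted DNAT rule).
  echo "iptables -t nat -A PREROUTING -d $PUB_IP -p tcp --dport $PORT -j DNAT --to-destination $PRIV_IP:$PORT"
  # 2. Traffic generated on Dom0 itself (e.g. lynx in dom0) never traverses
  #    PREROUTING; it passes the nat OUTPUT chain, so it needs its own DNAT rule.
  echo "iptables -t nat -A OUTPUT -d $PUB_IP -p tcp --dport $PORT -j DNAT --to-destination $PRIV_IP:$PORT"
  # 3. Hairpin: a DomU on the same bridge that connects to the official IP is
  #    DNATed to the webserver, but the webserver would answer the client
  #    directly over the bridge from $PRIV_IP, an address the client never
  #    connected to, so the reply is dropped and the connection times out.
  #    Rewriting the source to Dom0's bridge address sends the reply back via
  #    Dom0, where conntrack reverses the DNAT.
  echo "iptables -t nat -A POSTROUTING -s $PRIV_NET -d $PRIV_IP -p tcp --dport $PORT -j SNAT --to-source $DOM0_PRIV"
  # 4. Outbound masquerading for the DomU (the quoted SNAT rule).
  echo "iptables -t nat -A POSTROUTING -s $PRIV_IP ! -d $PRIV_NET -j SNAT --to-source $PUB_IP"
}

# Number of rules emitted, for a sanity check before applying.
rule_count() {
  nat_rules | wc -l | tr -d ' '
}

# True if the generated ruleset covers the Dom0-local (nat OUTPUT) case.
has_output_dnat() {
  nat_rules | grep -q -- '-A OUTPUT .* -j DNAT'
}

# True if the generated ruleset contains the hairpin SNAT rule.
has_hairpin_snat() {
  nat_rules | grep -q -- "-A POSTROUTING -s $PRIV_NET -d $PRIV_IP .* -j SNAT --to-source $DOM0_PRIV"
}
```

Run `sh nat-rules.sh; nat_rules` after sourcing the file to review the output, and `nat_rules | sh` on Dom0 to apply it; `iptables -t nat -L -n -v` then shows per-rule packet counters, which is the quickest way to see whether the hairpin and OUTPUT rules are actually being hit. For the second problem (the intermittent large uploads), the checksum explanation in the reply can be checked rather than guessed: capture on a host on the far side of eth0, not on Dom0 itself, because with checksum offload a capture on the sending machine shows incorrect checksums even when the wire is fine, and look at the checksum annotations `tcpdump -vv` prints for the TCP segments. If they are wrong on the wire, disabling transmit checksum offload in the affected DomU (`ethtool -K eth0 tx off`) is the workaround commonly suggested for Xen guests, at the cost of some CPU.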

Xen-users mailing list


