
[Xen-users] Networking issue between bridges (Xen 4.3)



I am setting up my firewall and have found that I cannot ping or communicate on
any port between my bridged interfaces on different subnets (and bridges).
Everything else as far as the networking is fine.

I'm not 100% sure it is a Xen issue but I think it may be something to do with
the bridge set up.

Here is the layout. I am using PCI passthrough, so the ethernet is passed to
DomU-gw.
DomU-gw can ping both DomU-DB and DomU-web.
Dom0 can also ping both DomU-DB and DomU-web,
but DomU-DB and DomU-web can't ping each other.
The firewall is off and net.ipv4.ip_forward = 1
is enabled on both Dom0 and DomU-gw.
All machines are running Debian Wheezy.

networks are:

DomU-DB
address 10.1.1.20
netmask 255.255.255.0
gateway 10.0.1.11

DomU-web
address 10.1.2.30
netmask 255.255.255.0
gateway 10.0.2.11

Routes on DomU-gw are:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         100.100.0.1     0.0.0.0         UG    0      0        0 br3net
10.1.0.0        *               255.255.255.0   U     0      0        0 eth2
10.1.1.0        *               255.255.255.0   U     0      0        0 eth0
10.1.2.0        *               255.255.255.0   U     0      0        0 eth3
100.100.0.0     *               255.255.255.0   U     0      0        0 br3net
100.100.0.2     *               255.255.255.248 U     0      0        0 br3net


/-------------------------------------------------------------------\
|  Dom0                                                             |
|                                                                   |
|                                                                   |
|                                                                   |   
|                                                                   |
|                                                                   |
|                         10.1.0.23                                 |
\------------<br0net>-----<br2mx>-----<br1loc>---------<br4dmz>-----/
                ||          ||           ||               ||    
                ||          ||           ||  /---------\  ||   /---------\
                ||          ||           ||  |DomU-DB  |  ||   |DomU-web |      
                ||          ||           ||==|eth0     |  ||===|eth0     |
                ||          ||           ||  |10.1.1.20|  ||   |10.1.2.30|      
                ||          ||           ||  \---------/  ||   \---------/
---------------eth1--------<eth2>-----<eth0>------------<eth3>-----\
|               |         10.1.0.11   10.1.1.11         10.1.2.11  |
|               |                                                  |
|               |                                                  |
|  DomU-gw      |                                                  |
|               |                                                  |
|    /--br3net--/                                                  |
|    |                                                             |
|    100.100.0.5                                                   |
\--eth4------------------------------------------------------------/
   (net)         
    ||
   external gw: 100.100.0.1        
             

PS: I know br3net is not doing anything at the moment as far as a bridged
route, but it is there in case I want to bypass the firewall for a VM (it works).
Also, I have replaced the IP addresses below, so the subnets for my external
interfaces may not be correct (please ignore, as they are working fine).



Here are the bridges on DomU
--------------------------------

auto br0net
        iface br0net inet manual
        bridge_stp on
        pre-up    brctl addbr $IFACE
        up        ifconfig    $IFACE up
        down      ifconfig    $IFACE down
        post-down brctl delbr $IFACE

auto br1loc
        iface br1loc inet manual
        bridge_stp on
        pre-up    brctl addbr $IFACE
        up        ifconfig    $IFACE up
        down      ifconfig    $IFACE down
        post-down brctl delbr $IFACE

auto br2mx
        iface br2mx inet static
        bridge_stp on
        bridge_ports none
        address 10.0.0.23
        netmask 255.255.255.0
        gateway 10.0.0.11

auto br4dmz
        iface br4dmz inet manual
        bridge_stp on
        pre-up    brctl addbr $IFACE
        up        ifconfig    $IFACE up
        down      ifconfig    $IFACE down
        post-down brctl delbr $IFACE

dns-nameservers 100.100.1.130 100.100.1.140


and the bridge/interfaces on DomU-gw
--------------------------------------

# interface connected to br0net on Dom0
iface eth1 inet manual

# interface via PCI passthrough
iface eth4 inet manual

# bridge interface for passing net traffic
auto br3net
iface br3net inet static
 bridge_ports eth1 eth4
 address 100.100.0.5
 gateway 100.100.0.1
 netmask 255.255.255.248
 broadcast 100.100.0.159

 bridge_stp on          # enable Spanning Tree Protocol

iface br3net inet static
 address 100.100.0.6
 netmask 255.255.255.0

iface br3net inet static
 address 100.100.0.7
 netmask 255.255.255.0

iface br3net inet static
 address 100.100.0.8
 netmask 255.255.255.0

dns-nameservers 100.100.1.130 100.100.1.140

# gateway interface (via br1dmz)
# for inter-DomU traffic
auto eth0
iface eth0 inet static
 address 10.1.1.11
 netmask 255.255.255.0

# gateway interface (via br2mx)
# for management traffic
auto eth2
iface eth2 inet static
 address 10.1.0.11
 netmask 255.255.255.0

# gateway interface (via br4dmz)
auto eth3
iface eth3 inet static
 address 10.1.2.11
 netmask 255.255.255.0
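
A consistency check over the address/netmask/gateway values exactly as they appear in the post, added here as an example and not part of the original message. The `check_stanza` and `audit` helpers and the `KNOWN_GATEWAYS` set are names made up for this sketch; the addresses are the ones posted.

```python
import ipaddress

# (name, address, netmask, gateway, broadcast) copied from the post as written.
# The poster altered the external 100.100.x.x values, so br3net findings may
# be artefacts of that substitution.
STANZAS = [
    ("DomU-DB eth0", "10.1.1.20", "255.255.255.0", "10.0.1.11", None),
    ("DomU-web eth0", "10.1.2.30", "255.255.255.0", "10.0.2.11", None),
    ("br2mx", "10.0.0.23", "255.255.255.0", "10.0.0.11", None),
    ("br3net", "100.100.0.5", "255.255.255.248", "100.100.0.1", "100.100.0.159"),
]
# Addresses the post shows on DomU-gw's eth0/eth2/eth3, plus the external gw.
KNOWN_GATEWAYS = {"10.1.1.11", "10.1.0.11", "10.1.2.11", "100.100.0.1"}


def check_stanza(name, address, netmask, gateway, broadcast=None,
                 known_gateways=KNOWN_GATEWAYS):
    """Return findings for one stanza; an empty list means it is consistent."""
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    gw = ipaddress.ip_address(gateway)
    findings = []
    if gw not in net:
        # A next hop outside the interface's own subnet is not directly reachable.
        findings.append(f"{name}: gateway {gw} is not on-link in {net}")
    elif gateway not in known_gateways:
        # On-link, but nothing in the posted configuration answers for it.
        findings.append(f"{name}: no listed router interface holds {gw}")
    if broadcast and ipaddress.ip_address(broadcast) != net.broadcast_address:
        findings.append(f"{name}: broadcast {broadcast} != {net.broadcast_address}")
    return findings


def audit(stanzas=STANZAS):
    """Map each stanza name to its list of findings."""
    return {s[0]: check_stanza(*s) for s in stanzas}


if __name__ == "__main__":
    for name, findings in audit().items():
        for line in findings or [f"{name}: ok"]:
            print(line)
```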

