You do not need to set up anything besides your existing bridges on Dom0.

On the router DomU you need to set up masquerading with iptables. I use the following line:
iptables -t nat -A POSTROUTING -s -o ppp0 -j MASQUERADE
ppp0 is connected to the internet via the xen1 interface (eth0 in your case), and the rest of the network is connected to xen0 (eth1 in your case) with the IP range of

On the rest of your network you need to set the default route to the address of the eth1 interface of your router DomU and add a DNS server to your resolv.conf.
Alternatively you might want to install a DNS and DHCP server on your router (dnsmasq can handle both).

Gabor Hudiczius

On 2016-04-24 19:12, John Pearson wrote:
I have a physical Server with two NICs eth0 and eth1. 

I am running Xen 4.4.1 with Debian Jessie.

eth0 is bridged to xenbr0, which receives its IP address, DNS etc. through an upstream DHCP server on a Gateway.

eth1 is bridged to xenbr1

I am creating a Xen VM (DomU) with two virtual interfaces that are bridged to xenbr0 & xenbr1 respectively. 

I want to run a router + NAT configuration on that DomU. 

I have several computers connected to eth1 through a physical managed switch.

I want computers connected to eth1 to access the internet.

I want other DomU VMs to also use DomU as a router and access the internet. 

Gateway <-> eth0 <-> xenbr0 <-> vif0 

eth1 <-> xenbr1 <-> vif1 <-> Switch <-> Computers

So far I've created the DomU and IPTables on it so that computers connected to the switch on eth1 are able to ping each other.

I am unable to traverse from the computers connected to the switch on eth1 to the internet. 

How do I bridge the traffic from eth1 to eth0? 
Do I need to set up forwarding or IPTables on Dom0?
How do I set up DomU as the router and Gateway for other DomU VMs?
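
The setup described in the reply, as an added example that is not part of the original thread: a shell helper that renders the masquerade rule together with a default-drop FORWARD chain in iptables-restore format, and refuses to emit anything when the LAN range is missing or malformed. The range 192.0.2.0/24 and the function names are assumptions; eth1 and ppp0 are the interface names used in the reply.

```shell
#!/bin/sh
# Added example. 192.0.2.0/24 is a constructed placeholder for the LAN range;
# the function names are hypothetical. Forwarding must also be enabled on the
# router DomU: sysctl -w net.ipv4.ip_forward=1

# valid_cidr CIDR: succeed only for a.b.c.d/len with octets 0-255, len 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (digits and dots only by now)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# render_ruleset LAN_CIDR LAN_IF WAN_IF: print an iptables-restore ruleset.
render_ruleset() {
    lan_cidr=$1; lan_if=$2; wan_if=$3
    valid_cidr "$lan_cidr" || { echo "bad LAN range: '$lan_cidr'" >&2; return 1; }
    [ -n "$lan_if" ] && [ -n "$wan_if" ] || { echo "missing interface" >&2; return 1; }
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_cidr -o $wan_if -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_cidr -j ACCEPT
COMMIT
EOF
}

# Usage on the router DomU (as root); iptables-restore replaces the current
# contents of the nat and filter tables:
#   render_ruleset 192.0.2.0/24 eth1 ppp0 | iptables-restore
if [ "$#" -eq 3 ]; then render_ruleset "$@"; fi
```

With the FORWARD policy set to DROP, only traffic from the LAN range leaving through the WAN interface, plus replies to it, crosses the router.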


