Hello,

I am having some routing troubles with my Xen setup.

I have two domUs, one running as a firewall and another running as a DMZ:

The dom0 has the following:
- eth0 bridge (10.0.0.3/24)

The domU-firewall has the following:
- Direct passthrough PCI NIC (public Internet)
- Virtual NIC connected to the eth0 bridge on dom0 (10.0.0.1/24)
- Bridge called brdmz for the DMZ zone (10.0.2.1/24)

The domU-dmz has the following:
- Virtual NIC connected to the brdmz in domU-firewall (10.0.2.2/24)

So far I can make the domU-firewall and domU-dmz talk to each other without problem. Using iptables/NAT on domU-firewall I can route to the public Internet from dom0/local LAN and from the domU-dmz. But I can't communicate from the domU-dmz to the local LAN and vice versa. I've made sure that there are no iptables rules blocking this kind of traffic, so all I am left with is the possibility of a routing problem: domU-firewall not forwarding packets from the local LAN to the DMZ bridge for some reason.

Does anyone have any idea what I could do to troubleshoot this problem?

Thanks,
Pepe

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
> So far I can make the domU-firewall and domU-dmz talk to each other
> without problem. Using iptables/NAT on domU-firewall I can route to the
> public Internet from dom0/local LAN and from the domU-dmz. But I can't
> communicate from the domU-dmz to the local LAN and vice versa. I've made sure
> that there are no iptables rules blocking this kind of traffic, so all I am
> left with is the possibility of a routing problem: domU-firewall not
> forwarding packets from the local LAN to the DMZ bridge for some reason.
>
> Does anyone have any idea what I could do to troubleshoot this problem?

I just wanted to make sure that you are aware of the Ubuntu bugs:
https://bugs.launchpad.net/ubuntu/+source/xen-3.2/+bug/204010
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/218126

There are a number of troubleshooting techniques discussed in those bugs, including:

* using ethtool commands
* looking at the bridges in more detail with brctl commands etc.
* manually tracing the traffic with tools like wireshark and tcpdump
* any general networking debugging that you can think of

Cheers,
Todd
On May 9, 2008, at 12:45 PM, Todd Deshane wrote:

> I just wanted to make sure that you are aware of the Ubuntu bugs:
> https://bugs.launchpad.net/ubuntu/+source/xen-3.2/+bug/204010
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/218126

Yeah, I was aware of those problems and I have used the suggested solutions (Hirano's kernel) with success. After that everything I wanted to do has been working with Xen, until now.

> There are a number of troubleshooting techniques discussed in those bugs
> including:
>
> * using ethtool commands
> * looking at the bridges in more detail with brctl commands etc.
> * manually tracing the traffic with tools like wireshark and tcpdump
> * any general networking debugging that you can think of

I've used tcpdump to trace the traffic. What I have seen is the following.

Traffic outgoing from domU-dmz traverses successfully to the brdmz bridge in domU-firewall and from there it goes to the eth0 interface that is part of the eth0 bridge in dom0. But no traffic shows up in the eth0 bridge in dom0 or through vif1.0.

Traffic going from dom0 to domU-dmz arrives successfully, but again any replies or ACKs don't come back. Thus I am not able to connect successfully.

I've flushed the iptables in dom0 to make sure nothing could be affecting it, but it didn't help. dom0's eth0 or vif1.0 do work, at least partially, as I am using those interfaces for LAN forwarding to do NAT in domU-firewall. There is no problem with that.

Any ideas of what other steps I could take, or where in the Linux system I could look, to see what is going on with the eth0 bridge or the vif1.0 interface in dom0?

Thanks,
Pepe
On Fri, May 9, 2008 at 2:50 PM, Pepe Barbe <elventear@gmail.com> wrote:

> On May 9, 2008, at 12:45 PM, Todd Deshane wrote:
>
>> I just wanted to make sure that you are aware of the Ubuntu bugs:
>> https://bugs.launchpad.net/ubuntu/+source/xen-3.2/+bug/204010
>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/218126
>
> Yeah, I was aware of those problems and I have used the suggested solutions
> (Hirano's kernel) with success. After that everything I wanted to do has
> been working with Xen, until now.
>
>> There are a number of troubleshooting techniques discussed in those bugs
>> including:
>>
>> * using ethtool commands
>> * looking at the bridges in more detail with brctl commands etc.
>> * manually tracing the traffic with tools like wireshark and tcpdump
>> * any general networking debugging that you can think of
>
> I've used tcpdump to trace the traffic. What I have seen is the following.
>
> Traffic outgoing from domU-dmz traverses successfully to the brdmz
> bridge in domU-firewall and from there it goes to the eth0 interface that is
> part of the eth0 bridge in dom0. But no traffic shows up in the eth0 bridge in
> dom0 or through vif1.0.
>
> Traffic going from dom0 to domU-dmz arrives successfully, but again any
> replies or ACKs don't come back. Thus I am not able to connect successfully.
>
> I've flushed the iptables in dom0 to make sure nothing could be affecting
> it, but it didn't help. dom0's eth0 or vif1.0 do work, at least partially,
> as I am using those interfaces for LAN forwarding to do NAT in
> domU-firewall. There is no problem with that.
>
> Any ideas of what other steps I could take, or where in the Linux system I
> could look, to see what is going on with the eth0 bridge or the vif1.0
> interface in dom0?

There are a couple of things that I would take a look at that can be found here:
http://wiki.xensource.com/xenwiki/XenNetworking

In particular, I know there were sometimes issues with:
/proc/sys/net/ipv4/ip_forward

You may also want to get a better understanding of ebtables and its interaction with things. A link off of that page is:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

We also may have some links that you would find useful from our Networking chapter:
http://runningxen.com/chapters/chapter10/

Hope that gives you some places to look.

Cheers,
Todd
Pepe Barbe wrote:

> Hello,
>
> I am having some routing troubles with my Xen setup.
>
> I have two domUs, one running as a firewall and another running as a DMZ:
>
> The dom0 has the following:
> - eth0 bridge (10.0.0.3/24)
>
> The domU-firewall has the following:
> - Direct passthrough PCI NIC (public Internet)
> - Virtual NIC connected to the eth0 bridge on dom0 (10.0.0.1/24)
> - Bridge called brdmz for the DMZ zone (10.0.2.1/24)
>
> The domU-dmz has the following:
> - Virtual NIC connected to the brdmz in domU-firewall (10.0.2.2/24)
>
> So far I can make the domU-firewall and domU-dmz talk to each
> other without problem. Using iptables/NAT on domU-firewall I can route
> to the public Internet from dom0/local LAN and from the domU-dmz. But
> I can't communicate from the domU-dmz to the local LAN and vice versa. I've
> made sure that there are no iptables rules blocking this kind of
> traffic, so all I am left with is the possibility of a routing problem:
> domU-firewall not forwarding packets from the local LAN to the DMZ
> bridge for some reason.

Your domU-firewall is NAT'ing traffic to the public Internet, right? In which case I would say that either you're not forwarding traffic through the firewall (/proc/sys/net/ipv4/ip_forward contains '0') or your FORWARD chain in the firewall is blocking traffic.

jch
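The checks Todd and jch point at (ip_forward, the FORWARD chain, bridge filtering, and tcpdump hop by hop) collected into one script that can be run on the firewall domU. This is an added example written for this page, not code from the thread, from Xen or from the Running Xen book. It reads iptables-save output from a file rather than the live kernel, uses the interface names from the thread (brdmz, eth0, vif1.0; the firewall's eth0 is taken to be the vNIC whose dom0 backend is vif1.0, which the thread implies but does not state), and the default paths, subnets and test fixtures are assumptions.

```shell
#!/bin/sh
# fwpath-check.sh: diagnostics for a Linux firewall VM that should route
# between two attached subnets (LAN 10.0.0.0/24 on eth0, DMZ 10.0.2.0/24 on
# brdmz in this thread's layout). Added example, not from the original thread.
#
# The checks read files rather than talking to the kernel directly, so they
# can be pointed at captured output (or at constructed fixtures when testing):
#   PROC_ROOT  root of a proc tree          (default /proc)
#   RULES      iptables-save output to scan (default /tmp/rules.txt, assumed)
# On the firewall:  iptables-save > /tmp/rules.txt && sh fwpath-check.sh check

PROC_ROOT="${PROC_ROOT:-/proc}"
RULES="${RULES:-/tmp/rules.txt}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
DMZ_NET="${DMZ_NET:-10.0.2.0/24}"

# Succeeds when the kernel forwards IPv4 between interfaces at all.
ip_forward_enabled() {
    [ "$(cat "$PROC_ROOT/sys/net/ipv4/ip_forward" 2>/dev/null)" = "1" ]
}

# Succeeds when frames crossing a Linux bridge are also run through iptables.
# With this set, FORWARD rules on a bridge host (dom0 in the thread) filter
# bridged traffic too, so "no routing rules" does not mean "no filtering".
bridge_nf_calls_iptables() {
    [ "$(cat "$PROC_ROOT/sys/net/bridge/bridge-nf-call-iptables" 2>/dev/null)" = "1" ]
}

# Print the FORWARD chain default policy from iptables-save output ($1).
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p' "$1"
}

# Print FORWARD rules in iptables-save output ($1) that DROP or REJECT and
# either name one of the two subnets or carry no -s/-d match at all
# (a catch-all); these are the candidates for blocking LAN<->DMZ traffic.
forward_blockers() {
    grep -E '^-A FORWARD .*-j (DROP|REJECT)' "$1" |
        awk -v lan="$LAN_NET" -v dmz="$DMZ_NET" \
            'index($0, lan) || index($0, dmz) || !/ -[sd] / { print }'
}

# Run all checks; exit status 0 only if nothing that would stop LAN<->DMZ
# forwarding was found. Output is meant to be read by a human.
check_forwarding_path() {
    status=0
    if ip_forward_enabled; then
        echo "ok   ip_forward=1"
    else
        echo "FAIL ip_forward=0: kernel will not route between interfaces"
        status=1
    fi
    if bridge_nf_calls_iptables; then
        echo "note bridge-nf-call-iptables=1: FORWARD also filters bridged frames"
    fi
    pol=$(forward_policy "$RULES" 2>/dev/null)
    echo "info FORWARD policy: ${pol:-unknown}"
    n=$(forward_blockers "$RULES" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "warn $n FORWARD rule(s) drop/reject traffic that may cover $LAN_NET<->$DMZ_NET:"
        forward_blockers "$RULES" 2>/dev/null | sed 's/^/     /'
        status=1
    fi
    return $status
}

# Print the tcpdump captures to run hop by hop for a test pair ($1 src, $2 dst)
# so the hop where packets stop appearing can be pinned down. Interface names
# follow the thread; firewall eth0 = vNIC whose dom0 backend is vif1.0 (assumed).
trace_plan() {
    f="host $1 and host $2"
    printf '%s\n' \
        "domU-dmz:      tcpdump -ni eth0 '$f'" \
        "domU-firewall: tcpdump -ni brdmz '$f'    # arrived from the DMZ?" \
        "domU-firewall: tcpdump -ni eth0 '$f'     # forwarded toward the LAN?" \
        "dom0:          tcpdump -ni vif1.0 '$f'   # backend of the firewall vNIC" \
        "dom0:          tcpdump -ni eth0 '$f'     # on the LAN bridge / wire"
}

case "${1:-}" in
    check) check_forwarding_path ;;
    trace) trace_plan "${2:?src}" "${3:?dst}" ;;
esac
```

Run `sh fwpath-check.sh trace 10.0.2.2 10.0.0.3` to get the capture commands for one hop at a time; a packet that shows on brdmz but not on the firewall's eth0 is a routing or FORWARD problem in the firewall, one that shows on the firewall's eth0 but not on vif1.0 points at the Xen backend or dom0 bridge. Once LAN<->DMZ traffic does flow, the same FORWARD chain is the place to restrict it again: a DMZ host that can reach the LAN without restriction defeats the purpose of having the zone.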