Dear All,

I have installed xen 3.0 on debian sarge, dom0 is sarge, domu (vm01) is sarge as well. Since I only have one ip address, I set up the system using network bridge and routing.

I have the xend and xendomains started automatically at boot time; at this point, I can ssh to dom0 from a remote client.

Then I used the /etc/xen/scripts/network-bridge and /etc/xen/scripts/network-nat scripts to start the network, running the following scripts which I found on your mailing list:

    ifconfig xenbr0 192.168.3.1 netmask 255.255.255.0 up
    iptables --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface xenbr0 -j MASQUERADE
    iptables --append FORWARD --in-interface xenbr0 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    route add -net 192.168.3.0 netmask 255.255.255.0 dev xenbr0

Then I have domu and dom0 running. However, I can have ssh connection to my remote client from both dom0 and domu, but I couldn't have ssh access to dom0 and domu from the remote client.

What could be the problem?

Thanks

Bin

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tuesday, 17 January 2006 15:24, B. Liu wrote:
> Dear All,
>
> I have installed xen 3.0 on debian sarge, dom0 is sarge, domu (vm01) is
> sarge as well. Since I only have one ip address, so I set up the system
> using network bridge and routing.
>
> I have the xend and xendomains started automatically at the boot time, at
> this point, I can ssh to dom0 from a remote client,
>
> then I used the /etc/xen/scripts/network-bridge and
> /etc/xen/scripts/network-nat scripts to start the network, running the
> following scripts which I found on your mailing list:
>
> ifconfig xenbr0 192.168.3.1 netmask 255.255.255.0 up
> iptables --flush
> iptables --delete-chain
> iptables --table nat --delete-chain
> iptables --table nat --append POSTROUTING --out-interface xenbr0 -j MASQUERADE
> iptables --append FORWARD --in-interface xenbr0 -j ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
> route add -net 192.168.3.0 netmask 255.255.255.0 dev xenbr0
>
> Then I have domu and dom0 running, however I can have ssh connection to my
> remote client from both dom0 and domu, but I couldn't have ssh access to
> dom0 and domu from the remote client.
>
> What could be the problem?

You don't need a bridge when you want to NAT the domUs. So maybe the solution is as easy as just don't use the bridge scripts at all. I never used the NAT scripts for a domainU myself, so I can give no additional help, sorry.

--Ralph

> Thanks
>
> Bin

_______________________________________________

> You don't need a bridge when you want to NAT the domUs. So maybe the solution
> is as easy as just don't use the bridge scripts at all.

That is right. You need not use bridge if you are using NAT. If you could post your routing tables, that could give some clue. Just do 'route -n' in both dom0 and domU.

_______________________________________________

OK, I stopped using the /etc/xen/scripts/network-bridge file. Without the bridge scripts, it started the network fine, but the problem is still there: can't ssh to the dom0 and vm01 from the remote client.

The route -n on dom0 is as follows:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 xenbr0
    192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 xenbr0
    182.111.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         182.111.30.190  0.0.0.0         UG    0      0        0 eth0

and the route -n from vm01 is shown as follows:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         192.168.3.1     0.0.0.0         UG    0      0        0 eth0

Any suggestions?

By the way, how to name the vm01? For example, my dom0 has a hostname tom.localdomain, do I have to name the vm01 hostname as cat.tom.localdomain or cat.localdomain? What should I do to make the remote client know the existence of cat?

Thanks

Bin

_______________________________________________

Your dom0 routing table is still routing the traffic to your bridge from old setup. Use brctl to remove xenbr0 you have.

Then try:

    ifconfig vifx.y 192.168.3.1 netmask 255.255.255.0 up

(Alternatively, after removing xenbr0, if you create a new domU the ifconfig will have done this step automatically, picking up some IP address for new vif.)

This step should also have corrected your routing table.

Then you will have to update your domU routing table so that it now routes the traffic to the new gateway. If you run into problems while doing this, post output of your ifconfig and route -n at that point.

On 1/18/06, B. Liu <bl246@hermes.cam.ac.uk> wrote:
> OK, I stopped using the /etc/xen/scripts/network-bridge file, without the
> bridge scripts, it started the network fine, but the problem is still
> there, can't ssh to the dom0 and vm01 from the remote client.
>
> the route -n on dom0 as following:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 xenbr0
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 xenbr0
> 182.111.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         182.111.30.190  0.0.0.0         UG    0      0        0 eth0
>
> and the route -n from vm01 is shown as following:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         192.168.3.1     0.0.0.0         UG    0      0        0 eth0
>
> Any suggestions?
>
> By the way, how to name the vm01? For example, my dom0 has a hostname
> tom.localdomain, do I have to name the vm01 hostname as
> cat.tom.localdomain or cat.localdomain? What should I do to make the
> remote client know the existing of cat?
>
> Thanks
>
> Bin

-- Jayesh

_______________________________________________

As xenbr0 starts automatically every time I reboot the machine, I have to comment off the network-bridge and vif-bridge, and uncomment the vif-nat in the xend-config.sxp. I modified the vif-nat file, changed the ip address to 192.168.3.0, but when I restarted the machine, the ifconfig shows as following:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.3.1     0.0.0.0         255.255.255.255 UH    0      0        0 vif1.0
    192.168.3.2     0.0.0.0         255.255.255.255 UH    0      0        0 vif1.1
    182.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         182.20.127.255  0.0.0.0         UG    0      0        0 eth0

I couldn't find a way to change the netmask to 255.255.255.0. How can I change the netmask address?

If I comment off the (vif-nat) in the xend-config.sxp, then xend domains won't be able to start, claiming it can't find device(0) for vif.

When I run ifconfig vif1.0 192.168.3.1 netmask 255.255.255.0 up and ifconfig vif1.1 down, I got ifconfig as following:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 vif1.0
    192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 vif1.0
    182.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         182.20.127.255  0.0.0.0         UG    0      0        0 eth0

When I login to vm01, no ssh connection to any remote client. The remote client still can ssh to dom0.

On Wed, 18 Jan 2006, Jayesh Salvi wrote:
> Date: Wed, 18 Jan 2006 10:12:17 -0600
> From: Jayesh Salvi <jayeshsalvi@gmail.com>
> To: B. Liu <bl246@hermes.cam.ac.uk>
> Cc: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] no ssh login
>
> Your dom0 routing table is still routing the traffic to your bridge from old
> setup. use brctl to remove xenbr0 you have.
> Then try:
> ifconfig vifx.y 192.168.3.1 netmask 255.255.255.0 up (Alternatively after
> removing xenbr0 if you create a new domU the ifconfig will have done this
> step automatically, picking up some IP address for new vif)
> This step should also have corrected your routing table.
>
> Then you will have to update your domU routing table so that it now routes
> the traffic to the new gateway.
> If you run into problems while doing this, post output of your ifconfig and
> route -n at that point.

Bin

_______________________________________________

On 1/19/06, B. Liu <bl246@hermes.cam.ac.uk> wrote:
> As xenbr0 starts automatically every time I reboot the machine, so I have
> to comment off the network-bridge and vif-bridge, and uncomment the
> vif-nat in the xend-config.sxp, I modified the vif-nat file, change the
> ip address to 192.168.3.0, but when I restarted the machine, the
> ifconfig shows as following:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.3.1     0.0.0.0         255.255.255.255 UH    0      0        0 vif1.0
> 192.168.3.2     0.0.0.0         255.255.255.255 UH    0      0        0 vif1.1
> 182.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         182.20.127.255  0.0.0.0         UG    0      0        0 eth0
> I couldn't find a way to change the netmask to 255.255.255.0, How Can I
> change the netmask address?.

I guess you may not need to change ifconfig. This is how my ifconfig looks.

> If I comment off the (vif-nat) in the xend-config.sxp, then xend domains
> won't be able to start, claim can't find device(0) for vif.
>
> When I run ifconfig vif1.0 192.168.3.1 netmask 255.255.255.0 up and
> ifconfig vif1.1 down, I got ifconfig as following:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 vif1.0
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 vif1.0
> 182.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         182.20.127.255  0.0.0.0         UG    0      0        0 eth0
>
> When I login to vm01, no ssh connection to any remote client. The remote
> client still can ssh to dom0.

Post your routing tables. And for verifying, first try ping. For ssh connections to your domU make sure that sshd is running in domU.

> On Wed, 18 Jan 2006, Jayesh Salvi wrote:
>
> > Date: Wed, 18 Jan 2006 10:12:17 -0600
> > From: Jayesh Salvi <jayeshsalvi@gmail.com>
> > To: B. Liu <bl246@hermes.cam.ac.uk>
> > Cc: xen-users@lists.xensource.com
> > Subject: Re: [Xen-users] no ssh login
> >
> > Your dom0 routing table is still routing the traffic to your bridge from old
> > setup. use brctl to remove xenbr0 you have.
> > Then try:
> > ifconfig vifx.y 192.168.3.1 netmask 255.255.255.0 up (Alternatively after
> > removing xenbr0 if you create a new domU the ifconfig will have done this
> > step automatically, picking up some IP address for new vif)
> > This step should also have corrected your routing table.
> >
> > Then you will have to update your domU routing table so that it now routes
> > the traffic to the new gateway.
> > If you run into problems while doing this, post output of your ifconfig and
> > route -n at that point.
>
> Bin

-- Jayesh

_______________________________________________

Hi Jayesh,

thanks for your help. I solved the problem; the solution came from one of the emails on the mailing list, and it is very simple in the end. I commented out the lines

    (network-script network-bridge)
    (vif-script vif-bridge)

and uncommented the lines

    (network-script network-nat)
    (vif-script vif-nat)

in the xend-config.sxp file, and set vm01's eth0 interface to 10.0.1.1 (as vif1.0's default subnet) and its default gateway to 10.0.1.128, then it works!!

But now I have another problem. I can ssh between dom0 and domu, and I can ssh to remote client from dom0 and domu, I can ssh to dom0 from remote client too, but I can't ssh to domu from remote client. Apparently my remote client doesn't know anything about domu. What should I do to make my remote client know domu?

Thanks

Bin

_______________________________________________

> But now I have another problem, I can ssh between dom0 and domu, and I can
> ssh to remote client from dom0 and domu, I can ssh to dom0 from remote
> client too, but I can't ssh to domu from remote client, apparently my
> remote client doesn't know anything about domu, what should I do to make
> my remote client know domu?

I haven't tried this yet, but I think you can do it using some packet filtering in your dom0 router. Your domU traffic is being routed via your dom0. So you will have to write some NAT rules to filter the traffic. Here is one link that might help you: http://www.tw.openbsd.org/faq/pf/example1.html

Sorry, I couldn't be much help here. But I will be interested to know how you achieve it.

Jayesh

-- Jayesh

_______________________________________________
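
Added example, not part of the thread or any poster's configuration: one way to write the NAT rules the last reply refers to, as a single-port forward on dom0 using iptables rather than the pf syntax of the linked page. The interface eth0 and the domU address 10.0.1.1 are taken from the thread; the external port 2222 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (or, with APPLY=1 as root, run) the iptables rules that
# forward one TCP port on dom0's public interface to sshd in a NATed domU.
# eth0 and 10.0.1.1 come from the thread; port 2222 is an assumed choice.

valid_port() {   # integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # dotted quad, each octet 0..255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

emit() {   # print the command; execute it only when APPLY=1
    echo "$*"
    [ "${APPLY:-0}" != 1 ] || "$@"
}

forward_rules() {   # usage: forward_rules EXT_IF EXT_PORT DOMU_IP DOMU_PORT
    ext_if=$1 ext_port=$2 domu_ip=$3 domu_port=$4
    case "$ext_if" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    valid_port "$ext_port" && valid_port "$domu_port" && valid_ipv4 "$domu_ip" \
        || { echo "forward_rules: bad port or address" >&2; return 1; }
    # Rewrite the destination of connections arriving on the public side.
    emit iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$domu_ip:$domu_port"
    # Allow only the forwarded service in to the domU (matters when the
    # FORWARD policy is DROP; the rule matches the post-DNAT address and port).
    emit iptables -A FORWARD -i "$ext_if" -d "$domu_ip" -p tcp \
        --dport "$domu_port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Allow the domU's replies for those connections back out.
    emit iptables -A FORWARD -o "$ext_if" -s "$domu_ip" -p tcp \
        --sport "$domu_port" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Run as: sh forward.sh eth0 2222 10.0.1.1 22   (prints the three rules)
[ $# -eq 0 ] || forward_rules "$@"
```

With these rules in place the remote client connects with `ssh -p 2222` to dom0's public address, and only that one port of the domU is reachable from outside.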