Hi

I have a fairly complex networking issue with xen, which I need to get running. My biggest problem obviously does not arise from xen directly, but more from linux networking, but I assume someone here might have had the same problem(s).

So, here we go:

Given hardware:
I have 1 server with 4 public IPs which need to have the same MAC.
Say, $mac for $ip1, $ip2, $ip3, $ip4. All IPs have subnet /24, with $ip3 and $ip4 residing in the same subnet, and $ip1 and $ip2 in different subnets each.

Required installations:
I want to run dom0 with as few as possible services for domain admin only.
I need to run two domUs for ISP services.
I want to keep one IP for testing purposes.
I need to run one domU for backuppc.
I probably want to run one domU for monitoring of the other domUs and some external systems.

My first step was to get dom0 running. Done at $ip1.
Then I created the backuppc domU (was most important). Done at $ip2.

I use network/vif-bridge for that purpose and I got the problem that my provider only accepts ONE MAC.
I solved this using ebtables:

server02:~# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 6, policy: ACCEPT
-p IPv4 -d $mac -i peth0 --ip-dst $2 -j dnat --to-dst 0:16:3e:0:16:1 --dnat-target ACCEPT
-p ARP -d $mac -i peth0 --arp-ip-dst $2 -j dnat --to-dst 0:16:3e:0:16:1 --dnat-target ACCEPT
-p IPv4 -d $mac -i peth0 --ip-dst $3 -j dnat --to-dst 0:16:3e:0:16:2 --dnat-target ACCEPT
-p ARP -d $mac -i peth0 --arp-ip-dst $3 -j dnat --to-dst 0:16:3e:0:16:2 --dnat-target ACCEPT
-p IPv4 -d $mac -i peth0 --ip-dst $4 -j dnat --to-dst 0:16:3e:0:16:3 --dnat-target ACCEPT
-p ARP -d $mac -i peth0 --arp-ip-dst $4 -j dnat --to-dst 0:16:3e:0:16:3 --dnat-target ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 6, policy: ACCEPT
-p IPv4 -s 0:16:3e:0:16:1 -o peth0 --ip-src $2 -j snat --to-src $mac --snat-target ACCEPT
-p ARP -s 0:16:3e:0:16:1 -o peth0 --arp-ip-src $2 -j snat --to-src $mac --snat-target ACCEPT
-p IPv4 -s 0:16:3e:0:16:2 -o peth0 --ip-src $3 -j snat --to-src $mac --snat-target ACCEPT
-p ARP -s 0:16:3e:0:16:2 -o peth0 --arp-ip-src $3 -j snat --to-src $mac --snat-target ACCEPT
-p IPv4 -s 0:16:3e:0:16:3 -o peth0 --ip-src $4 -j snat --to-src $mac --snat-target ACCEPT
-p ARP -s 0:16:3e:0:16:3 -o peth0 --arp-ip-src $4 -j snat --to-src $mac --snat-target ACCEPT

This is basically SNAT at MAC level for $ip2, $ip3 and $ip4.
$ip1 is the IP of the dom0, which inherits its MAC from the real hardware, which already has $mac.

That works. I can access backuppc, it can access other systems.
I see that there is still a problem with access between dom0 and backuppc: because they are in different subnets, all information is sent over the provider's router, which makes little sense for two systems running on the same hardware. But I will come back to this later. I will probably add direct routes.

Everything until here is (except for MAC-NAT) xen-default.
xen creates the xenbr0 bridge, moves eth0 there (renamed to peth0) and connects a virtual eth0 in dom0.

Now I finally get to my problem.

At dom0 I set up another bridge xenintbr and give it the IP 192.168.1.1/24.
Then I set up another domU called test and give it 192.168.1.2.

This works. I can ping it and access services from dom0.

BUT I cannot get IP forwarding working.

I tried:
- iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $ip1
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- iptables -t nat -A POSTROUTING -o peth0 -s 192.168.1.0/24 -j SNAT --to-source $ip1
- iptables -t nat -A POSTROUTING -o peth0 -j MASQUERADE

None of these work.
If the test-domU sends DNS requests, they ARE translated to source=$ip1 and sent out. The DNS server replies to $ip1, which I can see tcpdumping peth0. And those packets' dest MAC is really $mac, which means they should be delivered to dom0, which should do NAT and forward them to test-domU. However, that does not work. The DNS responses never reach dom0; they do not even appear on tcpdumping eth0, neither correctly nor incorrectly. They simply don't.

So, over to you.
Anyone any guess?

(Please, as my mailing list subscription seems not to be completed yet, send answers as direct copy to me. Thanks.)

Regards,
Steffen

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
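The two rule sets from Steffen's post, regenerated from one map as an added example (this is editor code, not Steffen's or Xen's). Interface names (peth0, eth0, xenintbr) and the 192.168.1.0/24 network come from the post; the public IPs, the provider-visible MAC and the vif MACs are constructed placeholders standing in for $mac, $ip2..$ip4 and the 0:16:3e:... addresses. The script prints what it would run unless APPLY=1, emits all four ebtables rules per domU so none of the ARP pairs can be forgotten, and also turns on net.ipv4.ip_forward and adds FORWARD rules, two things a NAT gateway needs that the post does not show. The IP-level NAT matches on eth0, the virtual interface Xen gives dom0, because that is where dom0's routing table sends the traffic; peth0 only carries it afterwards as a bridged frame.

```shell
#!/bin/sh
# Added example, not code from the thread: build the MAC-level NAT that the post
# lists as "ebtables -t nat -L" output, plus the internal-bridge IP NAT, from one
# map. Commands are printed (dry run) unless APPLY=1 is set in the environment.
# Interface names follow the post; all IP and MAC values are constructed placeholders.

PHYS_IF="${PHYS_IF:-peth0}"                  # physical NIC inside xenbr0
PUB_MAC="${PUB_MAC:-00:11:22:33:44:55}"      # the single MAC the provider accepts (constructed)
INT_IF="${INT_IF:-xenintbr}"                 # internal bridge, 192.168.1.1/24 in the post
INT_NET="${INT_NET:-192.168.1.0/24}"

# "public-ip vif-mac" per line; constructed stand-ins for $ip2..$ip4 and the vif MACs
DOMU_MAP="${DOMU_MAP:-
203.0.113.2 00:16:3e:00:16:01
203.0.113.3 00:16:3e:00:16:02
203.0.113.4 00:16:3e:00:16:03
}"

# Dry run by default: print the command instead of executing it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Four rules per domU: inbound IPv4 and ARP are dnat'ed from the provider-visible
# MAC to the vif MAC, outbound IPv4 and ARP are snat'ed back. Leaving out the ARP
# pair is the easy mistake: the domU's ARP replies would then leave peth0 with the
# vif MAC as Ethernet source, which is exactly what the provider refuses.
mac_nat_rules() {
  ip="$1"; vifmac="$2"
  run ebtables -t nat -A PREROUTING  -p IPv4 -i "$PHYS_IF" -d "$PUB_MAC" --ip-dst "$ip"     -j dnat --to-dst "$vifmac" --dnat-target ACCEPT
  run ebtables -t nat -A PREROUTING  -p ARP  -i "$PHYS_IF" -d "$PUB_MAC" --arp-ip-dst "$ip" -j dnat --to-dst "$vifmac" --dnat-target ACCEPT
  run ebtables -t nat -A POSTROUTING -p IPv4 -o "$PHYS_IF" -s "$vifmac" --ip-src "$ip"     -j snat --to-src "$PUB_MAC" --snat-target ACCEPT
  run ebtables -t nat -A POSTROUTING -p ARP  -o "$PHYS_IF" -s "$vifmac" --arp-ip-src "$ip" -j snat --to-src "$PUB_MAC" --snat-target ACCEPT
}

# Internal bridge: dom0 routes 192.168.1.0/24 out via its own eth0 (the virtual
# interface attached to xenbr0), so the NAT match is on eth0. ip_forward must be 1
# for any forwarding to happen; the FORWARD rules keep it working once that chain's
# policy is set to DROP, which a minimal dom0 should do.
internal_nat_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$INT_NET" -o eth0 -j MASQUERADE
  run iptables -A FORWARD -i "$INT_IF" -o eth0 -s "$INT_NET" -j ACCEPT
  run iptables -A FORWARD -i eth0 -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Emit the complete rule set: MAC NAT for every mapped domU, then the IP NAT.
main() {
  printf '%s\n' "$DOMU_MAP" | while read -r ip vifmac; do
    if [ -n "$ip" ]; then mac_nat_rules "$ip" "$vifmac"; fi
  done
  internal_nat_rules
}

main
```

Run it as-is to review the commands, then with APPLY=1 to apply them. When a reply still goes missing, capture each hop in order (tcpdump -ni peth0, then xenbr0, eth0 and xenintbr, filtering on the DNS server's address) to see which interface is the last one the packet reaches.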
I have the same problem here.

I have snat and masquerading for internet working with script-nat, but with bridging, I can't make it work.

If someone finds the solution, let me know.

On 3/10/06, Steffen Heil <lists@steffen-heil.de> wrote:
> [...]

--
--
Enderson Maia

ICQ: 8817986
MSN: endersonmaia[arroba]gmail[ponto]com
Linux User: 286130
============================
If you don't get DNS responses you have to install "ethtool" on every domU, then disable checksum on transmission with ethtool in this way:

ethtool -K ethX tx off

where X is the number of the interface.

bye,

Enrico

> From: "Enderson Maia" <endersonmaia@gmail.com>
> To: "Steffen Heil" <lists@steffen-heil.de>
> CC: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] Advanced Networking
> Date: Thu, 16 Mar 2006 14:27:22 -0300
>
> I have the same problem here.
>
> I have snat and masquerading for internet working with script-nat, but
> with bridging, I can't make it work.
>
> If someone finds the solution, let me know.
>
> On 3/10/06, Steffen Heil <lists@steffen-heil.de> wrote:
> > [...]
>
> --
> Enderson Maia
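Enrico's workaround, turned into an audit as an added example (editor code, not from the thread or from Xen): it reads the interface's "ethtool -k" listing, and only emits "ethtool -K ethX tx off" where TX checksumming is actually reported on, so the fix is not applied blindly to every domU. The two listings in the script are constructed samples in the one-feature-per-line format ethtool prints, so it runs offline; give it real interface names as arguments to audit a live domU. The symptom this targets is visible with tcpdump -v on the dom0 side of the vif, which verifies checksums and flags the affected datagrams as bad udp cksum.

```shell
#!/bin/sh
# Added example, not code from the thread: check a domU interface's TX checksum
# offload state from "ethtool -k" output and emit the "tx off" workaround only
# where it still applies. SAMPLE_ON and SAMPLE_OFF are constructed listings so the
# script runs offline; real interfaces are audited when named on the command line.

# Dry run by default: print the command instead of executing it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Constructed "ethtool -k" listings (feature per line, as ethtool prints them).
SAMPLE_ON='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: on'

SAMPLE_OFF='Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off'

# Print "on" or "off" taken from the tx-checksumming line of a listing.
# Returns 1 with no output when the line is absent (driver without the feature,
# or output from some other tool), so callers never act on a guess.
tx_csum_state() {
  state=$(printf '%s\n' "$1" | sed -n 's/^tx-checksumming: \([a-z]*\).*/\1/p' | head -n 1)
  [ -n "$state" ] || return 1
  echo "$state"
}

# Apply (APPLY=1) or print the workaround for one interface, given its listing.
fix_tx_offload() {
  iface="$1"; listing="$2"
  case "$(tx_csum_state "$listing" || echo unknown)" in
    on)  run ethtool -K "$iface" tx off ;;
    off) echo "# $iface: tx checksumming already off, nothing to do" ;;
    *)   echo "# $iface: no tx-checksumming line in ethtool output" >&2; return 1 ;;
  esac
}

# Live mode: audit every interface named on the command line.
audit_live() {
  for iface in "$@"; do
    fix_tx_offload "$iface" "$(ethtool -k "$iface" 2>/dev/null)"
  done
}

if [ $# -gt 0 ]; then
  audit_live "$@"
else
  fix_tx_offload eth0 "$SAMPLE_ON"     # prints the workaround
  fix_tx_offload eth1 "$SAMPLE_OFF"    # reports nothing to do
fi
```

With no arguments it walks the two constructed samples; "./check-offload.sh eth0" audits a real interface and "APPLY=1 ./check-offload.sh eth0" applies the change. The setting does not survive a reboot, so a domU that needs it should run the command from its interface-up hook.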
BugOne S wrote:
> if you dont get dns responses you have to install "ethtool" on every domU
> then disable checksum on transmission with ethtool in this way:
>
> ethtool -K ethX tx off
>
> where X is the number of the interface
>
> bye,
>
> Enrico

Are there plans to fix this? Or is this simply something that will always happen? Has anyone isolated the root cause of this? Rather than simply applying a bandaid it might be nice to know what really causes it. Not that I'm a l33t haxx0r enough to fix it :/

Thanks,

--
David Kowis
ISO Team Lead - www.sourcemage.org
Source Mage GNU/Linux

Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something. - Robert Heinlein
Any sufficiently advanced technology is indistinguishable from magic. - Arthur C. Clarke