Hi John,

Have you applied the fix for the potential packet header corruption on Xen DomU interfaces?

root@harpseal:~# cat /etc/network/if-up.d/fix-xen
#!/bin/bash
if [ $IFACE != "lo" ] ; then
    ethtool -K $IFACE tx off
fi
root@harpseal:~#

I have to have this script on all my DomUs to make the networking reliable.

- Roger

> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of John Wells
> Sent: 08 August 2006 17:48
> To: xen-users@lists.xensource.com
> Subject: [Xen-users] 3.0.2 NAT headaches
>
> Guys,
>
> I'm struggling to make NAT work on Debian Sarge. Bridging works fine, but
> when I try to switch to NAT, I can't ping anything.
>
> Here is what I have done:
>
> Switch /etc/xen/xend-config.sxp network-script and vif-script from
> network-route and vif-route to:
>
> (network-script network-nat)
> (vif-script vif-nat)
>
> In my domU config:
> vif=[ 'ip=10.0.0.1' ]
> dhcp="off"
> hostname="vm01.example.com"
> ip="10.0.0.1"
> netmask="255.0.0.0"
> gateway="10.0.0.254"
> extra="3"
>
> When I boot the domU, I set eth0 to be 10.0.0.1/8 and the default route as
> 10.0.0.254. I cannot ping out at all.
>
> When I look at dom0 after booting the domU, I see the following
> interfaces:
>
> eth0      Link encap:Ethernet HWaddr 00:0E:0C:68:64:37
>           inet addr:72.232.35.21 Bcast:72.232.35.31 Mask:255.255.255.248
>           inet6 addr: fe80::20e:cff:fe68:6437/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:1708 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2325 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:176884 (172.7 KiB) TX bytes:200160 (195.4 KiB)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:20 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1560 (1.5 KiB) TX bytes:1560 (1.5 KiB)
>
> peth0     Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
>           inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
>           UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
>           RX packets:26668 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:17706 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3907182 (3.7 MiB) TX bytes:2379910 (2.2 MiB)
>
> vif0.0    Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
>           inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:5218 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6337 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:632298 (617.4 KiB) TX bytes:585057 (571.3 KiB)
>
> vif7.0    Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
>           inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
>           inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:1496 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:191 errors:0 dropped:6 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:85219 (83.2 KiB) TX bytes:8022 (7.8 KiB)
>
> xenbr0    Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
>           inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:259 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:66206 (64.6 KiB) TX bytes:468 (468.0 b)
>
> Can anyone tell me what I'm missing/doing wrong? I really appreciate any
> help you may provide.
>
> Thanks!
>
> John

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Guys,

I'm struggling to make NAT work on Debian Sarge. Bridging works fine, but when I try to switch to NAT, I can't ping anything.

Here is what I have done:

Switch /etc/xen/xend-config.sxp network-script and vif-script from network-route and vif-route to:

(network-script network-nat)
(vif-script vif-nat)

In my domU config:

vif=[ 'ip=10.0.0.1' ]
dhcp="off"
hostname="vm01.example.com"
ip="10.0.0.1"
netmask="255.0.0.0"
gateway="10.0.0.254"
extra="3"

When I boot the domU, I set eth0 to be 10.0.0.1/8 and the default route as 10.0.0.254. I cannot ping out at all.

When I look at dom0 after booting the domU, I see the following interfaces:

eth0      Link encap:Ethernet HWaddr 00:0E:0C:68:64:37
          inet addr:72.232.35.21 Bcast:72.232.35.31 Mask:255.255.255.248
          inet6 addr: fe80::20e:cff:fe68:6437/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1708 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2325 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:176884 (172.7 KiB) TX bytes:200160 (195.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1560 (1.5 KiB) TX bytes:1560 (1.5 KiB)

peth0     Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:26668 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17706 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3907182 (3.7 MiB) TX bytes:2379910 (2.2 MiB)

vif0.0    Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:5218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:632298 (617.4 KiB) TX bytes:585057 (571.3 KiB)

vif7.0    Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
          inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1496 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191 errors:0 dropped:6 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:85219 (83.2 KiB) TX bytes:8022 (7.8 KiB)

xenbr0    Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:259 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:66206 (64.6 KiB) TX bytes:468 (468.0 b)

Can anyone tell me what I'm missing/doing wrong? I really appreciate any help you may provide.

Thanks!

John

Roger Lucas said:
> Hi John,
>
> Have you applied the fix for the potential packet header corruption on Xen
> DomU interfaces?
>
> root@harpseal:~# cat /etc/network/if-up.d/fix-xen
> #!/bin/bash
> if [ $IFACE != "lo" ] ; then
>     ethtool -K $IFACE tx off
> fi

Roger,

Thanks...I have tried this, but it doesn't seem to change things. I can still not ping out to anything.

Thanks!

John

John Wells said:
> I'm struggling to make NAT work on Debian Sarge. Bridging works fine, but
> when I try to switch to NAT, I can't ping anything.

Guys,

I found at least part of my problem. I was only testing from one DomU to the outside internet...creating another DomU revealed that I am able to ping between DomUs...I just can't ping external addresses.

I assumed my use of apf (ipfilters wrapper) in Dom0 might be complicating things, so I flushed the rules, restarted xend, but still to no avail.

So, hoping someone might tell me what iptables rules I need to enter to allow traffic from my domUs (10.0.0.1, 10.0.0.2, etc) to access the public internet. I've done it before for home routing, but Xen has me a little turned around.

Thank you for the help!

John

John Wells said:
> So, hoping someone might tell me what iptables rules I need to enter to
> allow traffic from my domUs (10.0.0.1, 10.0.0.2, etc) to access the public
> internet. I've done it before for home routing, but Xen has me a little
> turned around.

I ran a tcpdump on eth0 on dom0 while pinging an external host from a domU. I noticed:

14:54:18.376525 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 1
14:54:19.375706 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 2
14:54:20.375782 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 3
14:54:21.375805 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 4
14:54:22.375799 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 5

Which looked like the internal ip wasn't being MASQ'd appropriately. I then set up the following rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The dump changed to:

14:55:02.481531 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1
14:55:03.486494 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 2
14:55:04.486541 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 3
14:55:05.496515 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 4
14:55:06.496574 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 5

But the domU is still not receiving any traffic back. If I dump on the vif, I get:

port:/etc/xen# tcpdump -i vif8.0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vif8.0, link-type EN10MB (Ethernet), capture size 96 bytes
14:57:33.519040 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 152
14:57:34.518987 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 153
14:57:35.519023 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 154
14:57:36.519027 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 155
14:57:37.519054 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 156

I keep seeing this in the syslog:

--
Aug 8 14:55:38 port kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled
--

Am I still missing something? Does NAT'ing this way only work for communication between domUs?

Thanks guys.

John

Someone noted that I wasn't receiving a reply from the host I was pinging on eth0. That appears to be the case...I'm seeing replies on peth0, but they never make it to eth0.

Here's peth0:

/etc/xen# tcpdump -ni peth0 port ! 22 and host 72.36.190.2
16:02:42.104599 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 181
16:02:42.105137 IP 72.36.190.2 > 72.232.35.26: icmp 64: echo reply seq 181
16:02:43.104515 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 182
16:02:43.105164 IP 72.36.190.2 > 72.232.35.26: icmp 64: echo reply seq 182

and here's eth0:

/etc/xen# tcpdump -ni peth0 port ! 22 and host 72.36.190.2
16:02:42.104599 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 181
16:02:42.105137 IP 72.36.190.2 > 72.232.35.26: icmp 64: echo reply seq 181
16:02:43.104515 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 182
16:02:43.105164 IP 72.36.190.2 > 72.232.35.26: icmp 64: echo reply seq 182

Additionally, I do indeed have ip_forward enabled:

/etc/xen# cat /proc/sys/net/ipv4/ip_forward
1

Any ideas what I'm missing?

Thanks,

John

John Wells said:
> and here's eth0:

Crap...pasted the wrong eth0 output. Here's the proper eth0:

16:25:19.147307 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1538
16:25:20.147332 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1539
16:25:21.147261 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1540
16:25:22.147270 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1541

In other words, the reply is seen on peth0 and not on eth0...

Thanks,

John
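
The per-interface capture comparison done by hand across this thread, as an added example that is not part of the original posts: a Python script that parses tcpdump ICMP lines for each dom0 interface, reports whether the source address was translated, and finds the hop on the return path where echo replies stop. The interface order in `EGRESS_PATH` and the `10.` private prefix are assumptions based on the addresses in the posts; the sample lines are copied from the captures above.

```python
import re

# tcpdump ICMP line format as it appears in the captures posted in this thread.
LINE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: "
                  r"echo (?P<kind>request|reply) seq (?P<seq>\d+)")

# Lines copied from the posts above, keyed by the dom0 interface they were captured on.
CAPTURES = {
    "vif8.0": """14:57:33.519040 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 152
14:57:34.518987 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 153""",
    "eth0": """16:25:19.147307 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1538
16:25:20.147332 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1539""",
    "peth0": """16:02:42.104599 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 181
16:02:42.105137 IP 72.36.190.2 > 72.232.35.26: icmp 64: echo reply seq 181""",
}
EGRESS_PATH = ["vif8.0", "eth0", "peth0"]  # assumed order, domU side first


def summarize(capture):
    """Collect request sources and the seq numbers of requests/replies seen."""
    seen = {"request": set(), "reply": set(), "sources": set()}
    for raw in capture.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # prompts, banners and non-ICMP lines
        seen[m["kind"]].add(int(m["seq"]))
        if m["kind"] == "request":
            seen["sources"].add(m["src"])
    return seen


def source_translated(capture, private_prefix="10."):
    """True if every echo request on this interface has a non-private source."""
    sources = summarize(capture)["sources"]
    return bool(sources) and not any(s.startswith(private_prefix) for s in sources)


def reply_lost_between(captures, egress_path):
    """Walk the return path (wire side first) and return the first hop
    (outer, inner) where replies are seen on outer but not on inner."""
    inbound = list(reversed(egress_path))
    for outer, inner in zip(inbound, inbound[1:]):
        if summarize(captures[outer])["reply"] and not summarize(captures[inner])["reply"]:
            return outer, inner
    return None


if __name__ == "__main__":
    for iface in EGRESS_PATH:
        print(iface, "SNAT applied:", source_translated(CAPTURES[iface]))
    print("reply lost between:", reply_lost_between(CAPTURES, EGRESS_PATH))
```

The captures in the thread were taken at different times, so the script compares what each interface shows rather than matching sequence numbers across interfaces; for a live check, capture on all interfaces during the same ping run.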