Hugues Obolonsky
2007-Apr-04 02:27 UTC
[Xen-users] routing domU packet in the outside network
Hello,

I've read a lot about Xen networking, but there is a lot of confusing stuff. Anyway, I'm trying to get a simple configuration working, and here is my setup in two words.

A single eth0 on my laptop
Xen Ubuntu kernel 2.6.19-4-generic from the Feisty dist
Dom0 with an eth0 IP address that changes every day (DHCP or wireless) but located in the 192.168.1.0/24 network
All DomU are configured with static IPs in network 192.168.2.0/24

So I made the following config:

    (network-script 'network-bridge bridge=xen-intbr')
    (vif-script vif-bridge)

    auto xen-intbr
    iface xen-intbr inet static
        pre-up brctl addbr xen-intbr
        post-down brctl delbr xen-intbr
        address 192.168.2.1
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        bridge_fd 0
        bridge_hello 0
        bridge_stp off

For example:

On Dom0: eth0 192.168.1.3/24 gw 192.168.1.1 <- my internet gateway
On DomU: eth0 192.168.2.100/24 gw 192.168.2.1

Vif interfaces for the domU are attached to the xen-intbr bridge.
Vif0.0 & peth0 are attached to the xenbr0 bridge.

I'm also adding an iptables NAT rule as follows:

    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

The strange behavior is the following: from the DomU I can ping on the internet, fine, but I cannot use any other protocol. Domain, http or ssh is not working. Cannot explain how ICMP can work and no TCP/UDP proto?
Here are some traces.

------------------------------------------------------------------------

Here is the iptables NAT log for a working ping on the internet:

    Apr 4 04:04:43 thula kernel: [16132.991047] IN= OUT=eth0 PHYSIN=vif8.0 SRC=192.168.2.100 DST=195.1XX.2XX.166 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43533 SEQ=1
    Apr 4 04:04:43 thula kernel: [16132.991078] IN= OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.1.3 DST=195.1XX.2XX.166 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=1

NAT log for a non-working http attempt:

    Apr 4 04:06:21 thula kernel: [16231.258293] IN= OUT=eth0 PHYSIN=vif8.0 SRC=192.168.2.100 DST=91.1XX.89.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=26793 DF PROTO=TCP SPT=4635 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
    Apr 4 04:06:21 thula kernel: [16231.258327] IN= OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.1.3 DST=91.1XX.89.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=26793 DF PROTO=TCP SPT=4635 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

tcpdump from eth0 on dom0 when testing http from the domU:

    04:09:33.797916 IP thula.4639 > forster.canonical.com.www: S 592124:592124(0) win 5840 <mss 1460,sackOK,timestamp 1039865 0,nop,wscale 1>
    04:09:33.835704 IP forster.canonical.com.www > thula.4639: S 2685827776:2685827776(0) ack 592125 win 5792 <mss 1460,sackOK,timestamp 1863773122 1039865,nop,wscale 8>
    04:09:33.835799 IP thula.4639 > forster.canonical.com.www: . ack 1 win 2920 <nop,nop,timestamp 1039876 1863773122>
    04:09:33.836005 IP thula.4639 > forster.canonical.com.www: P 1:752(751) ack 1 win 2920 <nop,nop,timestamp 1039876 1863773122>

... got ack 1 but no http session, and no update from canonical in domU :( ...

-----------------------------------------------------------------------

Cannot figure out my mistake.
Did anyone get a similar configuration working?
Best Regards
Hugues

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Carsten Aulbert
2007-Apr-04 05:45 UTC
Re: [Xen-users] routing domU packet in the outside network
Hugues Obolonsky wrote:
> Cannot figure out my mistake.
> Did anyone get a similar configuration working?

I had the same problem last week, and found a solution deeply hidden in the mailing list archives.

Try to run a tcpdump and/or wireshark on your http connection. You will very likely see that the TCP checksums are wrong. If so, run

    ethtool -K eth0 tx off

on the domU client. This simple line fixed it for me.

HTH
Carsten

PS: If someone with much more network experience than me reads this, I'd like to understand what's wrong here.
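The check suggested in the reply above, as an added example that is not part of the original thread: it verifies a TCP checksum over the IPv4 pseudo-header, shows a segment failing when its checksum field was left for the device to finish, and shows it passing once the checksum is recomputed in software. The helper names and the destination 203.0.113.10 are constructed for illustration, the unfinished-checksum case is an assumption about what the capture would show, and 192.168.1.3, port 4635 and sequence number 592124 are taken from the traces in the first message.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def set_checksum(segment: bytes, value: int) -> bytes:
    """Return the segment with bytes 16-17 (the checksum field) replaced."""
    return segment[:16] + struct.pack("!H", value) + segment[18:]

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A valid segment plus its pseudo-header sums to 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def software_checksum(src: str, dst: str, segment: bytes) -> bytes:
    """Fill in the full checksum in software, as a sender with tx offload disabled does."""
    zeroed = set_checksum(segment, 0)
    full = ~ones_sum(pseudo_header(src, dst, len(zeroed)) + zeroed) & 0xFFFF
    return set_checksum(zeroed, full)

def unfinished_segment(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed SYN whose checksum field holds only the pseudo-header sum,
    i.e. the part a checksum-offloading device is expected to complete."""
    hdr = struct.pack("!HHIIBBHHH", 4635, 80, 592124, 0, 5 << 4, 0x02, 5840, 0, 0)
    seg = hdr + payload
    return set_checksum(seg, ones_sum(pseudo_header(src, dst, len(seg))))

if __name__ == "__main__":
    SRC, DST = "192.168.1.3", "203.0.113.10"  # DST is a constructed documentation address
    seg = unfinished_segment(SRC, DST)
    print("left for the device, never completed:", tcp_checksum_ok(SRC, DST, seg))
    print("recomputed in software:", tcp_checksum_ok(SRC, DST, software_checksum(SRC, DST, seg)))
```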
Hugues Obolonsky
2007-Apr-04 08:39 UTC
Re: [Xen-users] routing domU packet in the outside network
This works for me too!

Anyway, I found your tip in http://www.shorewall.net/XenMyWay-Routed.html. Just can't figure out why we need this?

Thank you for the help
Hugues

On Wednesday, 04 April 2007 at 07:45 +0200, Carsten Aulbert wrote:
> Hugues Obolonsky wrote:
> >
> > Cannot figure out my mistake.
> > Did anyone get a similar configuration working?
>
> I had the same problem last week, and found a solution deeply hidden in
> the mailing list archives.
>
> Try to run a tcpdump and/or wireshark on your http connection. You will
> very likely see that the TCP checksums are wrong. If so, run
>
>     ethtool -K eth0 tx off
>
> on the domU client. This simple line fixed it for me.
>
> HTH
>
> Carsten
>
> PS: If someone with much more network experience than me reads this, I'd
> like to understand what's wrong here.