So we are stumped. I set up Xen on my home firewall box. I set up a firewall
domU and connected it to each of the three bridges defined in dom0:
[root@terminus ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              vif0.0
                                                        pdummy0
                                                        vif1.0
                                                        vif4.0
xenbr1          8000.feffffffffff       no              vif0.1
                                                        peth1
                                                        vif1.1
xenbr2          8000.feffffffffff       no              vif0.2
                                                        peth2
                                                        vif1.2
dummy0    Link encap:Ethernet  HWaddr 12:C9:10:F5:3F:1D
          inet addr:192.168.200.9  Bcast:192.168.200.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:02:B3:AF:46:5B
          inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0
eth2 has no IP, the firewall domU is the only guest connected to the same
bridge as eth2. The firewall domU has had its mac for this interface set to
the physical mac of the card, and uses DHCP to get an IP address.
I also set up a "dmz" domU which is connected to xenb2. It is
192.168.200.2 and the firewall domU has 192.168.1.1.
The firewall domU is set up to masquerade out to the internet for any host on
either the dmz or the LAN:
Chain POSTROUTING (policy ACCEPT 357 packets, 28310 bytes)
 pkts bytes target      prot opt in     out     source               destination
 131K 7746K MASQUERADE  0    --  any    eth2    anywhere             anywhere
The upshot is... a host on the lan works fine. As the rules to prevent the
dmz routing into the lan are not in place yet, domu hosts in the dmz and
physical hosts on the lan can communicate fully (ssh works).
The domU in the dmz can fully communicate with dom0 on its dmz IP (only for
testing, will be removed in final setup) and the firewall domU. It can
communicate fully with hosts on the internal lan, using the firewall domU to
route its packets to the other subnet. It can PING to hosts outside on the
internet with no issue... but ssh doesn't work. dns doesn't respond (dns
works fine if dns points at an internal host).
Any ideas why this doesn't work? I really don't see anything. It works just
fine for hosts on the lan. The hosts on the dmz should be treated the same?
-Steve
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
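Added example, not code from Steve's post: a small Python parser for the `brctl show` format shown above, plus a check for the layout the post describes (the firewall domU as the only guest on the bridge that carries the external NIC). The embedded sample is a constructed retyping of the brctl output above; the function names are mine, and the check assumes the firewall domU is domain 1, the vif1.N ports present on all three bridges.

```python
import re

VIF_RE = re.compile(r"^vif(\d+)\.(\d+)$")    # Xen names guest vifs vif<domid>.<devid>

# Constructed sample: the post's bridge layout, retyped as brctl prints it
# (tab-separated; continuation rows carry only an interface name).
BRCTL_SHOW = (
    "bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
    "xenbr0\t\t8000.feffffffffff\tno\t\tvif0.0\n"
    "\t\t\t\t\t\t\tpdummy0\n"
    "\t\t\t\t\t\t\tvif1.0\n"
    "\t\t\t\t\t\t\tvif4.0\n"
    "xenbr1\t\t8000.feffffffffff\tno\t\tvif0.1\n"
    "\t\t\t\t\t\t\tpeth1\n"
    "\t\t\t\t\t\t\tvif1.1\n"
    "xenbr2\t\t8000.feffffffffff\tno\t\tvif0.2\n"
    "\t\t\t\t\t\t\tpeth2\n"
    "\t\t\t\t\t\t\tvif1.2\n"
)

def parse_brctl_show(text):
    """Return {bridge: [interfaces]}: a row starting in column 0 opens a bridge
    (name, id, STP, first interface); an indented row adds one more interface."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:           # [1:] skips the header row
        if line[:1].isspace():                   # continuation row
            bridges[current].append(line.strip())
        elif line.strip():                       # new bridge row
            fields = line.split()
            current = fields[0]
            bridges[current] = fields[3:4]       # [] when the bridge has no ports
    return bridges

def guests_on(bridges, bridge):
    """Guest domain ids with a vif on the bridge (dom0's own vif0.N excluded)."""
    hits = [VIF_RE.match(i) for i in bridges.get(bridge, [])]
    return sorted({int(m.group(1)) for m in hits if m and m.group(1) != "0"})

def check_external_bridge(bridges, bridge, firewall_domid):
    """Problems with the layout the post describes for the bridge holding the
    external NIC: exactly one peth, and the firewall domU as its only guest."""
    problems = []
    nics = [i for i in bridges.get(bridge, []) if i.startswith("peth")]
    if len(nics) != 1:
        problems.append(f"{bridge}: expected one peth, found {nics}")
    extra = [d for d in guests_on(bridges, bridge) if d != firewall_domid]
    if extra:
        problems.append(f"{bridge}: unexpected guest domains {extra}")
    return problems
```

Feed it the live output of `brctl show` to confirm that xenbr2 still holds only peth2 and the firewall's vif after adding guests.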