Tegger
2010-Jun-20 10:47 UTC
[Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
Hi,

I have a problem with bridging. I have an OpenVPN domain with a server bridge.

[ASCII diagram in the original, not reproduced here: internet -> eth0 (real card) of the OpenVPN domain; inside that domain eth1 -- br0 -- virtual tap0; eth1 connects to Dom0, and Dom0 connects to the switch/network 192.168.100.x]

With this constellation I can't connect/ping to the real network with an external VPN connection. The OpenVPN domain itself can ping and connect to services in the real network. An external VPN user can only ping and use Dom0's and the other domains' services.
I can't find the error.....

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Fajar A. Nugraha
2010-Jun-21 01:36 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
On Sun, Jun 20, 2010 at 5:47 PM, Tegger <xen@tegger.de> wrote:
> Hi,
>
> I have a problem with bridging. I have an OpenVPN domain with a server bridge.

I can't read your ASCII art, so the information there does not make sense to me. Sorry.

> With this constellation I can't connect/ping to the real network with an
> external VPN connection. The OpenVPN domain itself can ping
> and connect to services in the real network. An external VPN user can only ping
> and use Dom0's and the other domains' services.
> I can't find the error.....

Usually the errors are caused by openvpn-specific setup. I'd make sure that you have a working openvpn setup first, possibly using a physical machine. A common pitfall is that you're using an openvpn bridge, with the tap interface on the domU, but you forgot to create a bridge connecting the tap interface to the domU's eth0 interface.

Another possible pitfall is that you want to make the domU act as a router, but you forgot to set up iptables on the domU.

--
Fajar
Tegger
2010-Jun-21 13:05 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
I think I have a working openvpn; I can connect to openvpn without errors.
I have at the moment 2 domains and Dom0. After a successful VPN connection, I can connect to the other domain and Dom0 with SSH and RDP.
So the bridge from eth0 (real card, internet connection) to eth1 (XEN) seems to be working. But I can't connect to the real network that's connected to the network card at Dom0. All domains and Dom0 can ping and connect to the PCs in the network.

The real network is 192.168.100.x
Dom0            192.168.100.201
WindowsDomain   192.168.100.19
OpenvpnDomain   192.168.100.205  eth1 -- br0 -- tap0
                192.168.0.10     eth0
Router          192.168.0.1

Openvpnclient   192.168.100.210

Openvpnclient can connect to 192.168.100.201 and 192.168.100.19, but not 192.168.100.1, which is a physical PC in the network.

On 21.06.2010 03:36, Fajar A. Nugraha wrote:
> On Sun, Jun 20, 2010 at 5:47 PM, Tegger<xen@tegger.de> wrote:
>
>> Hi,
>>
>> I have a problem with bridging. I have an OpenVPN domain with a server bridge.
>>
> I can't read your ASCII art, so the information there does not make
> sense to me. Sorry.
>
>
>> With this constellation I can't connect/ping to the real network with an
>> external VPN connection. The OpenVPN domain itself can ping
>> and connect to services in the real network. An external VPN user can only ping
>> and use Dom0's and the other domains' services.
>> I can't find the error.....
>>
> Usually the errors are caused by openvpn-specific setup. I'd make sure
> that you have a working openvpn setup first, possibly using a physical
> machine. A common pitfall is that you're using an openvpn bridge, with the
> tap interface on the domU, but you forgot to create a bridge connecting
> the tap interface to the domU's eth0 interface.
>
> Another possible pitfall is that you want to make the domU act as a
> router, but you forgot to set up iptables on the domU.
Fajar A. Nugraha
2010-Jun-21 13:16 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
On Mon, Jun 21, 2010 at 8:05 PM, Tegger <xen@tegger.de> wrote:
> Openvpnclient can connect to 192.168.100.201 and 192.168.100.19, but not
> 192.168.100.1, which is a physical PC in the network

Start with tcpdump on dom0's eth0 then. Something like "tcpdump -n -i eth0 host 192.168.100.1". What happens if:
- from the openvpn domain, you ping 192.168.100.1 -> you should see packets going through both ways
- from the openvpn client, you ping 192.168.100.1 -> you might see packets going both ways, one way, or none at all

That would help you determine where the problem is.

--
Fajar
Felix Kuperjans
2010-Jun-21 13:33 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
If I'm reading your information correctly, the bridge (br0) of your OpenVPN domain only connects to eth1 (XEN-Dom0) and to tap0 (OpenVPN's virtual interface), but not to eth0 (the pass-through real NIC). If that is true, your problem lies there.

Another point could be that your routes are messed up. You seem to be using 192.168.100.x as the real external network *and* the internal XEN network. But by assigning two IP addresses to eth0 and eth1 in the OpenVPN domain, you get two routes for 192.168.100.0/24, leaving the choice to the operating system. There should be only one address assigned to the bridge, I think.

I hope one of those points helps you.

Regards,
Felix Kuperjans

On 21.06.2010 15:05, Tegger wrote:
> I think I have a working openvpn; I can connect to openvpn without
> errors.
> I have at the moment 2 domains and Dom0. After a successful VPN
> connection, I can connect to the other domain and Dom0 with SSH and RDP.
> So the bridge from eth0 (real card, internet connection) to eth1 (XEN)
> seems to be working. But I can't connect to the real network that's
> connected to the network card at Dom0. All domains and Dom0 can ping
> and connect to the PCs in the network.
>
>
> The real network is 192.168.100.x
> Dom0            192.168.100.201
> WindowsDomain   192.168.100.19
> OpenvpnDomain   192.168.100.205  eth1 -- br0 -- tap0
>                 192.168.0.10     eth0
> Router          192.168.0.1
>
>
> Openvpnclient   192.168.100.210
>
> Openvpnclient can connect to 192.168.100.201 and 192.168.100.19, but not
> 192.168.100.1, which is a physical PC in the network
>
>
> On 21.06.2010 03:36, Fajar A. Nugraha wrote:
>> On Sun, Jun 20, 2010 at 5:47 PM, Tegger<xen@tegger.de> wrote:
>>
>>> Hi,
>>>
>>> I have a problem with bridging. I have an OpenVPN domain with a server
>>> bridge.
>>>
>> I can't read your ASCII art, so the information there does not make
>> sense to me. Sorry.
>>
>>
>>> With this constellation I can't connect/ping to the real network
>>> with an
>>> external VPN connection. The OpenVPN domain itself can ping
>>> and connect to services in the real network. An external VPN user can
>>> only ping
>>> and use Dom0's and the other domains' services.
>>> I can't find the error.....
>>>
>> Usually the errors are caused by openvpn-specific setup. I'd make sure
>> that you have a working openvpn setup first, possibly using a physical
>> machine. A common pitfall is that you're using an openvpn bridge, with the
>> tap interface on the domU, but you forgot to create a bridge connecting
>> the tap interface to the domU's eth0 interface.
>>
>> Another possible pitfall is that you want to make the domU act as a
>> router, but you forgot to set up iptables on the domU.
>>
>>
Tegger
2010-Jun-21 20:11 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
On 21.06.2010 15:16, Fajar A. Nugraha wrote:
> On Mon, Jun 21, 2010 at 8:05 PM, Tegger<xen@tegger.de> wrote:
>
>> Openvpnclient can connect to 192.168.100.201 and 192.168.100.19, but not
>> 192.168.100.1, which is a physical PC in the network
>>
> Start with tcpdump on dom0's eth0 then. Something like "tcpdump -n -i
> eth0 host 192.168.100.1". What happens if:
> - from the openvpn domain, you ping 192.168.100.1 -> you should see
> packets going through both ways
> - from the openvpn client, you ping 192.168.100.1 -> you might see packets
> going both ways, one way, or none at all
>
> That would help you determine where the problem is.
>

Hmm, it seems to be working according to tcpdump..... so it should work, but it doesn't.

DOM0:~# tcpdump -n -i eth0 host 192.168.100.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:04:18.796413 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:19.796300 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:20.796303 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:22.797323 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:23.797228 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:24.797207 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:44.051085 arp who-has 192.168.100.1 tell 192.168.100.211
22:04:44.863426 arp who-has 192.168.100.1 tell 192.168.100.211
22:04:45.863227 arp who-has 192.168.100.1 tell 192.168.100.211
Fajar A. Nugraha
2010-Jun-22 00:40 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
On Tue, Jun 22, 2010 at 3:11 AM, Tegger <xen@tegger.de> wrote:
>> Start with tcpdump on dom0's eth0 then. Something like "tcpdump -n -i
>> eth0 host 192.168.100.1". What happens if:
>> - from the openvpn domain, you ping 192.168.100.1 -> you should see
>> packets going through both ways
>> - from the openvpn client, you ping 192.168.100.1 -> you might see packets
>> going both ways, one way, or none at all
>>
>> That would help you determine where the problem is.
>>
>
> Hmm, it seems to be working according to tcpdump..... so it should work, but it doesn't.
>
> DOM0:~# tcpdump -n -i eth0 host 192.168.100.1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 22:04:18.796413 arp who-has 192.168.100.1 tell 192.168.100.205

I'm assuming a ping from dom0's IP address correctly shows up on tcpdump, and that you're not having the config mistake that Felix suggested?

So ARP packets go out of eth0, but no reply came back? Try doing tcpdump on the destination host (192.168.100.1) and see if it gets the ARP queries.

--
Fajar
Tegger
2010-Jun-23 14:48 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
eth0, the real card, is online for the connection to the internet, so I need only a bridge between tap0 and eth1, the XEN card.
So 192.168.100.x is used for the real network and the internal XEN network, but not for the connection to the VPN.
So the virtual tap0 has 192.168.100.210-220, the eth1 XEN card has 192.168.100.205, Dom0 has 192.168.100.201, a Windows domain has 192.168.100.19, and the rest is the real network.......
I didn't understand how I must change the routing....

Openvpn Dom
xen205:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         fritz.box       0.0.0.0         UG    0      0        0 eth0

DOM0
DOM0:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth0
default         20710           0.0.0.0         UG    0      0        0 eth0

On 21.06.2010 15:33, Felix Kuperjans wrote:
> If I'm reading your information correctly, the bridge (br0) of your
> OpenVPN domain only connects to eth1 (XEN-Dom0) and to tap0 (OpenVPN's
> virtual interface), but not to eth0 (the pass-through real NIC). If that is
> true, your problem lies there.
>
> Another point could be that your routes are messed up. You seem to be
> using 192.168.100.x as the real external network *and* the internal XEN
> network. But by assigning two IP addresses to eth0 and eth1 in the OpenVPN
> domain, you get two routes for 192.168.100.0/24, leaving the choice to
> the operating system. There should be only one address assigned to the
> bridge, I think.
>
> I hope one of those points helps you.
>
> Regards,
> Felix Kuperjans
Tegger
2010-Jun-28 21:05 UTC
Re: [Xen-users] Domain with openvpn-server-bridge to Dom0-bridge problem
On 22.06.2010 02:40, Fajar A. Nugraha wrote:
> On Tue, Jun 22, 2010 at 3:11 AM, Tegger<xen@tegger.de> wrote:
>
>>> Start with tcpdump on dom0's eth0 then. Something like "tcpdump -n -i
>>> eth0 host 192.168.100.1". What happens if:
>>> - from the openvpn domain, you ping 192.168.100.1 -> you should see
>>> packets going through both ways
>>> - from the openvpn client, you ping 192.168.100.1 -> you might see packets
>>> going both ways, one way, or none at all
>>>
>>> That would help you determine where the problem is.
>>>
>>>
>> Hmm, it seems to be working according to tcpdump..... so it should work, but it doesn't.
>>
>> DOM0:~# tcpdump -n -i eth0 host 192.168.100.1
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 22:04:18.796413 arp who-has 192.168.100.1 tell 192.168.100.205
>>
> I'm assuming a ping from dom0's IP address correctly shows up on tcpdump,
> and that you're not having the config mistake that Felix suggested?
>
> So ARP packets go out of eth0, but no reply came back? Try
> doing tcpdump on the destination host (192.168.100.1) and see if it gets the
> ARP queries.
>

So I tried tcpdump on the Windows host 192.168.100.1 with a ping from the Windows OpenVPN client 192.168.100.211, and there is a request:

tcpdump: listening on \Device\{29B14D72-................}
23:02:16.406250 ARP, Request who-has 192.168.100.1 tell 192.168.100.211, length 46
23:02:16.406250 ARP, Reply 192.168.100.1 is-at 00:15:f2:xx:xx:xx, length 28

but nothing more.
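The two captures in this thread (the "tcpdump -n -i eth0" trace on Dom0 and the WinDump trace on 192.168.100.1 itself) are exactly the "both ways / one way / none at all" triage Fajar proposed: the Dom0 side sees only who-has requests for 192.168.100.1, while the target host sees the request and answers it. The Python below is an added example, not code from the original thread or from any participant: it parses tcpdump ARP lines in both the terse Linux and the verbose WinDump form, counts requests and replies per queried IP, and combines two vantage points to say on which half of the path the exchange was lost. The sample input is constructed from the lines posted in the thread (the target's MAC is kept masked as the poster masked it); the function names (parse_arp_line, triage_arp, verdict_for, locate_loss) are my own.

```python
"""ARP triage over tcpdump output: capture near the sender and on the target,
then decide whether ARP went both ways, one way, or not at all."""
from collections import defaultdict

# Constructed sample input, copied from the thread.
# Capture 1: "tcpdump -n -i eth0 host 192.168.100.1" on Dom0 while the OpenVPN
# domU (192.168.100.205) and a VPN client (192.168.100.211) ping 192.168.100.1.
DOM0_ETH0_CAPTURE = """\
22:04:18.796413 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:19.796300 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:20.796303 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:22.797323 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:23.797228 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:24.797207 arp who-has 192.168.100.1 tell 192.168.100.205
22:04:44.051085 arp who-has 192.168.100.1 tell 192.168.100.211
22:04:44.863426 arp who-has 192.168.100.1 tell 192.168.100.211
22:04:45.863227 arp who-has 192.168.100.1 tell 192.168.100.211
"""

# Capture 2: WinDump on the target 192.168.100.1 itself. The request arrives
# and the host answers it (MAC masked as in the post).
TARGET_HOST_CAPTURE = """\
23:02:16.406250 ARP, Request who-has 192.168.100.1 tell 192.168.100.211, length 46
23:02:16.406250 ARP, Reply 192.168.100.1 is-at 00:15:f2:xx:xx:xx, length 28
"""


def parse_arp_line(line):
    """Parse one tcpdump/WinDump ARP line.

    Handles the terse form ("arp who-has A tell B") and the verbose form
    ("ARP, Request who-has A tell B, length N" / "ARP, Reply A is-at MAC, length N").
    Returns ("request", target_ip, sender_ip), ("reply", ip, mac) or None.
    """
    tokens = line.replace(",", " ").split()
    if "who-has" in tokens and "tell" in tokens:
        target = tokens[tokens.index("who-has") + 1]
        sender = tokens[tokens.index("tell") + 1]
        return ("request", target, sender)
    if "is-at" in tokens:
        i = tokens.index("is-at")
        if 0 < i < len(tokens) - 1:
            return ("reply", tokens[i - 1], tokens[i + 1])
    return None


def triage_arp(capture):
    """Per queried IP: requests and replies seen at this capture point, which
    hosts asked, and the verdict "both ways" or "one way"."""
    requests = defaultdict(int)
    replies = defaultdict(int)
    senders = defaultdict(set)
    for line in capture.splitlines():
        parsed = parse_arp_line(line)
        if parsed is None:
            continue  # banner lines such as "listening on ..." carry no ARP
        kind, ip, other = parsed
        if kind == "request":
            requests[ip] += 1
            senders[ip].add(other)
        else:
            replies[ip] += 1
    report = {}
    for ip in set(requests) | set(replies):
        seen_both = requests[ip] > 0 and replies[ip] > 0
        report[ip] = {
            "requests": requests[ip],
            "replies": replies[ip],
            "senders": sorted(senders[ip]),
            "verdict": "both ways" if seen_both else "one way",
        }
    return report


def verdict_for(capture, target_ip):
    """"both ways", "one way" or "none": the three outcomes the thread asks
    the poster to distinguish for a single target."""
    return triage_arp(capture).get(target_ip, {}).get("verdict", "none")


def locate_loss(near_capture, far_capture, target_ip):
    """Combine a capture near the sender (here Dom0's eth0) with one taken on
    the target itself and name the half of the path that dropped the exchange."""
    near = verdict_for(near_capture, target_ip)
    far = verdict_for(far_capture, target_ip)
    if near == "both ways":
        return "arp ok"
    if far == "none":
        return "forward path"        # request never reached the target
    if far == "one way":
        return "target did not answer"
    if far == "both ways" and near == "one way":
        return "return path"         # target replied, reply never reached the near point
    return "inconclusive"


if __name__ == "__main__":
    for name, cap in (("dom0 eth0", DOM0_ETH0_CAPTURE), ("target host", TARGET_HOST_CAPTURE)):
        print(name, triage_arp(cap))
    print("loss located on:", locate_loss(DOM0_ETH0_CAPTURE, TARGET_HOST_CAPTURE, "192.168.100.1"))
```

Run against the thread's own captures this reports "one way" on Dom0's eth0 (nine requests from .205 and .211, zero replies), "both ways" on the target, and therefore "return path": the reply leaves 192.168.100.1 but is never seen at the Dom0 capture point, which is where the next capture or bridge check belongs.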