WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Solved: Re: Communication problem with virtual DMZ

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Solved: Re: Communication problem with virtual DMZ
From: "Diego Alvarez" <arcane.lord@xxxxxxxxx>
Date: Fri, 28 Apr 2006 08:54:03 -0400
Delivery-date: Fri, 28 Apr 2006 05:54:41 -0700
Once again I was mistaken, the real problem was an incorrect TCP
checksum (discovered with tcpdump), so the solution was to use
"ethtool -K eth0 tx off" on agustina.
I learned this from the list archives.

On 4/27/06, Diego Alvarez <arcane.lord@xxxxxxxxx> wrote:
> Hi all,
> I am running Xen 3.0.2-2 (taken from XenSource) with Linux kernel
> 2.6.16 (taken from Debian Sid), I compiled Xen and 2 kernels
> (dom0 and domU).
>
> Here is the ascii-art of my setup:
>
>   ------------                        -------------
>   |    LAN   |------------------------|   waste   | 192.168.0.94/24
>   ------------                        -------------
>        |
> ·····························
> ·      |                    ·
> ·      |        Dom0        ·
> ·      |                    ·
> ·  ---------                ·    ································
> ·  | peth0 |                ·    ·                              ·
> ·  ---------                ·    ·         DomU hades           ·
> ·      |                    ·    ·         (Firewall)           ·
> ·      |                    ·    ·                              ·
> · -----------   ----------  ·    ·    --------                  ·
> · | br-inet |---| hades0 |============| eth0 |  192.168.0.34/24 ·
> · -----------   |  (vif) |  ·    ·    --------                  ·
> ·      |        ----------  ·    ·                              ·
> ·      |                    ·    ·    --------                  ·
> · -----------               ·    ·    | eth1 |  192.168.0.34/32 ·
> · | vif0.0  |               ·    ·    --------                  ·
> · -----------               ·    ·       ||                     ·
> ·     ||                    ·    ········||······················
> ·     ||                    ·            ||
> ·     ||                    ·············||···········
> ·     ||                                 ||          ·
> ·  --------                              ||          ·
> ·  | eth0 | 192.168.0.22/24          ----------      ·
> ·  --------                          | hades1 |      ·
> ·                                    |  (vif) |      ·
> ·                                    ----------      ·
> ·                                        |           ·
> ·                -----------         ----------      ·
> ·                | pdummy0 |---------| br-dmz |      ·
> ·                -----------         ----------      ·
> ·                                        |           ·
> ·                                   -------------    ·
> ·                                   | agustina0 |    ·
> ·                                   |   (vif)   |    ·
> ·                                   -------------    ·
> ·                                        ||          ·
> ·                                        ||          ·
> ·········································||···········
>                                          ||
>                       ·-·-·-·-·-·-·-·-·-·||·-·-·-·-·-·-·-·-·
>                       ·                  ||                ·
>                       |        ··········||········        |
>                       ·        ·         ||       ·        ·
>                       |        ·     --------     ·        |
>                       ·        ·     | eth0 |     ·        ·
>                       |        ·     --------     ·        |
>                       ·        · 192.168.0.39/32  ·        ·
>                       |        ·                  ·        |
>                       ·        ·   DomU agustina  ·        ·
>                       |        ·    (DMZ Server)  ·        |
>                       ·        ·                  ·        ·
>                       |        ····················        |
>                       ·                                    ·
>                       |             Virtual DMZ            |
>                       ·                                    ·
>                       ·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
>
> --------
>
> Network configuration for Dom0:
>
> auto eth0
> iface eth0 inet static
>         address 192.168.0.22
>         netmask 255.255.255.0
>         gateway 192.168.0.2
>
> auto dummy0
> iface dummy0 inet static
>         address 10.1.1.1
>         netmask 255.255.255.255
>         up ifconfig dummy0 0.0.0.0 up
>
> --------
>
> Network configuration for DomU agustina (DMZ Server):
>
> auto eth0
> iface eth0 inet static
>         address 192.168.0.39
>         netmask 255.255.255.255
>         up route add -host 192.168.0.34 dev eth0
>         up route add default gw 192.168.0.34 dev eth0
>
> -------
>
> Network configuration for DomU hades (Firewall):
>
> auto eth0
> iface eth0 inet static
>   address 192.168.0.34
>   netmask 255.255.255.0
>   gateway 192.168.0.2
>   up arp -Ds 192.168.0.39 eth0 pub
>
> auto eth1
> iface eth1 inet static
>   address 192.168.0.34
>   netmask 255.255.255.255
>   up route add -host 192.168.0.39 dev eth1
>
> It also has ip_forward activated by sysctl
>
> ------
>
> In dom0, I do the following things:
>
> In /etc/xen/xend-config.sxp I have:
>
> (network-script 'network-bridge bridge=br-inet')
> (vif-script 'vif-bridge bridge=br-inet')
>
>
> I also have a script which brings up br-dmz bridge on dummy0
>
> # brctl show:
> bridge name     bridge id               STP enabled     interfaces
>
> br-dmz          8000.feffffffffff       no              agustina0
>                                                         hades1
>                                                         pdummy0
>
> br-inet         8000.feffffffffff       no              hades0
>                                                         peth0
>                                                         vif0.0
>
> Here is the configuration for hades and agustina:
>
> /etc/xen/auto/hades:
> name="hades"
> memory=128
> kernel="/boot/vmlinuz-2.6.16-xenU"
> vif = [ 'mac=00:16:3e:00:01:01,bridge=br-inet,vifname=hades0',
> 'mac=00:16:3e:00:00:02,bridge=br-dmz,vifname=hades1' ]
> disk=['phy:/dev/xen/hades-OS,hda1,w','phy:/dev/xen/hades-SWAP,hda2,w']
> root="/dev/hda1 ro"
> on_crash="restart"
>
> /etc/xen/auto/agustina:
> name="agustina"
> memory=64
> kernel="/boot/vmlinuz-2.6.16-xenU"
> vif = [ 'mac=00:16:3e:00:00:07,bridge=br-dmz,vifname=agustina0' ]
> disk=['phy:/dev/xen/Agustina-OS,hda1,w','phy:/dev/xen/Agustina-SWAP,hda2,w']
> root="/dev/hda1 ro"
> on_crash="restart"
>
> -------
>
> So.... what is the problem?
> Well:
>  - routing is Ok
>  - ping works in all directions
>  - ssh from waste (lan machine) to Dom0 works
>  - ssh from Dom0 to waste works
>  - ssh from waste to hades works
>  - ssh from hades to waste works
>  - ssh from Dom0 to agustina works
>  - ssh from hades to agustina works
>  - ssh from agustina to Dom0 works
>  - ssh from agustina to hades works
>
> but:
>  - ssh from waste to agustina does not work
>  - ssh from agustina to waste does not work
>
> Here is a tcpdump taken from agustina's eth0:
>
> agustina:~# tcpdump -i eth0 -n host waste
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 19:45:15.242301 IP waste.4331 > agustina.22: S 30038281:30038281(0)
> win 5840 <mss 1460,sackOK,timestamp 23876432 0,nop,wscale 2>
> 19:45:15.251956 IP agustina.22 > waste.4331: S
> 3550608405:3550608405(0) ack 30038282 win 5792 <mss
> 1460,sackOK,timestamp 867394 23876432,nop, wscale 1>
> 19:45:15.245850 IP waste.4331 > agustina.22: . ack 1 win 1460
> <nop,nop,timestamp 23876783 867394>
> 19:45:15.255867 IP agustina.22 > waste.4331: P 1:42(41) ack 1 win 2896
> <nop,nop,timestamp 867394 23876783>
> 19:45:15.468349 IP agustina.22 > waste.4331: P 1:42(41) ack 1 win 2896
> <nop,nop,timestamp 867417 23876783>
> 19:45:15.888650 IP agustina.22 > waste.4331: P 1:42(41) ack 1 win 2896
> <nop,nop,timestamp 867459 23876783>
> 19:45:16.728328 IP agustina.22 > waste.4331: P 1:42(41) ack 1 win 2896
> <nop,nop,timestamp 867543 23876783>
> 19:45:18.408341 IP agustina.22 > waste.4331: P 1:42(41) ack 1 win 2896
> <nop,nop,timestamp 867711 23876783>
> 19:45:21.768338 IP agustina.22 > waste.4331: P 1:42(41) ack 1 win 2896
> <nop,nop,timestamp 868047 23876783>
> 19:45:28.491449 IP agustina.22 > waste.4331: P 1:42(41) ack 1 win 2896
> <nop,nop,timestamp 868719 23876783>
>
> And that goes and goes until timeout.
>
> Those packets from 'agustina' _are_ received by 'waste' in the same way
> (I verified that with tcpdump too), and then are dropped by 'waste'
> (netfilter conntrack says they are INVALID), so the TCP socket is established,
> but there is no communication.
>
> The problem I see there is the TCP window size of agustina's reply,
> which is bigger than waste's first ACK packet, or am I wrong?
>
> The strange thing is that agustina does not have any strange
> configuration, and if I connect it to the 'br-inet' bridge and change its
> netmask and gateway, it works as expected.
>
> There is no firewall on Dom[0U].
>
> Does any of you have any idea of what could be the problem?
>
> Regards,
> Diego.
>
> PS1: sorry for the large mail.
>
> PS2: I have also tried packages from
> http://packages.debianbase.de/sid/i386/xen3,
>      with xen-3.0.1 and kernel 2.6.12, and have the same results.
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
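As an added illustration (not from the post or the list), here is a Python check of the TCP checksum that tcpdump reported as incorrect: with TX checksum offload enabled, Linux leaves only the pseudo-header sum in the checksum field and expects the NIC to finish it; a segment that reaches the peer in that state fails verification, which is what conntrack flags as INVALID and what `ethtool -K eth0 tx off` avoids by making the kernel compute the full checksum itself. The addresses and the "P 1:42(41) ack 1 win 2896" reply are taken from the post; the 41-byte payload is constructed.

```python
import struct

# Addresses from the post: agustina (DMZ server) replying to waste (LAN host).
AGUSTINA = bytes([192, 168, 0, 39])
WASTE = bytes([192, 168, 0, 94])

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words; a trailing odd byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Correct checksum for a segment; its own checksum field (bytes 16-17) is ignored."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, segment) + zeroed)) & 0xFFFF

def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """What the receiving stack checks: pseudo-header plus segment must sum to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF

def build_segment(sport, dport, seq, ack, flags, window, payload, checksum_field):
    """TCP header with no options (data offset 5) followed by payload; checksum as given."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, checksum_field, 0)
    return hdr + payload

PAYLOAD = b"A" * 41          # constructed 41-byte payload, matching "P 1:42(41)"
PSH_ACK = 0x18

def good_segment() -> bytes:
    """The reply as it should appear on the wire: checksum filled in by the sender."""
    tmp = build_segment(22, 4331, 1, 1, PSH_ACK, 2896, PAYLOAD, 0)
    return build_segment(22, 4331, 1, 1, PSH_ACK, 2896, PAYLOAD, tcp_checksum(AGUSTINA, WASTE, tmp))

def offloaded_segment() -> bytes:
    """The reply as Linux hands it to a NIC with TX checksum offload: the field holds
    only the pseudo-header sum. If nothing completes it, the peer sees a bad checksum."""
    tmp = build_segment(22, 4331, 1, 1, PSH_ACK, 2896, PAYLOAD, 0)
    partial = ones_complement_sum(pseudo_header(AGUSTINA, WASTE, tmp))
    return build_segment(22, 4331, 1, 1, PSH_ACK, 2896, PAYLOAD, partial)

if __name__ == "__main__":
    for name, seg in (("sender-computed", good_segment()), ("offloaded, unfinished", offloaded_segment())):
        print(f"{name}: checksum 0x{seg[16:18].hex()} ok={tcp_checksum_ok(AGUSTINA, WASTE, seg)}")
```

`tcpdump -vv` on the sending host reports the second form as a bad checksum even on a healthy NIC, because the capture happens before the hardware fills the field in; the symptom in the post is that the field also arrived unfinished at the peer.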