This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] XEN Bridged Network and NAT

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] XEN Bridged Network and NAT
From: Michael Grosseck <liox@xxxxxxxxxxxx>
Date: Sat, 25 Sep 2010 16:05:20 +0200
Delivery-date: Sat, 25 Sep 2010 07:06:59 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100915 Mnenhy/0.8.3 Thunderbird/3.0.8

Hello everybody,

I have two physical machines running at a provider. Each of them has 2 physical network cards. Eth0 is connected to the internet and eth1 connects the two machines directly. As you may divine, we would like to have a highly available setup. But because the provider does not allow taking the IPs of one machine to the other, and for security reasons, I decided to run the virtual machines with a bridged private network on eth1 and masquerade the virtual machines which need internet access or which the outside world needs to access.

The idea behind it: if the machine where the webserver resides fails, the server moves to the other machine and there heartbeat starts an emergency nameserver as well, which provides the new official IPs. The nameservers have a short TTL, so after about 10 minutes the new IPs should be known by everyone. So far everything works fine. But I have two problems.

The first one: I can not access the service which is running on the virtual machine with its official IP on the same machine or in dom0. E.g. the virtual machine runs a webserver and has the IP It has to be reachable by the outside world with the IP
On dom0 I do a
-A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT --to-destination
to assign the official address to the virtual machine and a
-A POSTROUTING -s -d ! -j SNAT --to-source
so that the virtual machine gets internet access.
If I now try to access the website with lynx on the virtual machine with the IP I get a timeout. On dom0 lynx tells me the site is not reachable.
On the other hand, a ping or traceroute is working.

The second problem affects the mailserver, which is running on a virtual machine as well. Some clients tell me now that they are sometimes not able to send eMails with an attachment. The attachment is not that big, maybe 1-4MB. But if the client tries to send the mail, he gets a timeout after a while. Sometimes after 10%, sometimes after 99% of the upload, and sometimes the same mail gets through. I can not reproduce the problem. If I try to send an eMail with an attachment, it gets through every time. But it seems to have something to do with the masquerading. On another machine with XEN and the same mailserver setup but without masquerading, the clients have no problem sending mails with huge attachments.

Maybe somebody has an idea what I'm doing wrong.
Thanks in advance.

By Michael
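The DNAT/SNAT setup from the message above, written out as an added example (not part of the original message or of any reply on the thread), extended with the "hairpin" rules that let dom0 itself and other domUs on the private bridge reach the webserver through its official address. It assumes the domUs use dom0's bridge address as their default gateway; all addresses are constructed placeholders (RFC 5737 / RFC 1918).

```shell
#!/bin/sh
# Added example, not the original poster's rules. Generates an iptables-restore
# fragment for the nat table. Placeholder addresses (constructed):
PUBLIC_IP="203.0.113.10"      # official IP that must reach the webserver domU
VM_IP="192.168.100.10"        # webserver domU on the private bridge (eth1)
PRIV_NET="192.168.100.0/24"   # private bridged network
BRIDGE_IP="192.168.100.1"     # dom0's address on the bridge, domU default gw
PUB_IF="eth0"                 # interface facing the internet

gen_nat_rules() {
    cat <<EOF
*nat
# Inbound: public IP:80 -> webserver domU. No -i match, so traffic from other
# domUs (arriving on the bridge, routed via dom0) is DNATed by the same rule.
-A PREROUTING -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $VM_IP
# dom0's own connections never pass PREROUTING; rewrite them in OUTPUT,
# otherwise lynx on dom0 talks to dom0's local eth0 address and fails.
-A OUTPUT -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $VM_IP
# Hairpin fix for domU -> public IP: without this the webserver replies
# directly to the client domU (same subnet) with $VM_IP as source, bypassing
# dom0's conntrack un-NAT, so the client drops it and times out. SNAT the
# DNATed connection to dom0's bridge address so the reply comes back via dom0.
-A POSTROUTING -s $PRIV_NET -d $VM_IP -p tcp --dport 80 -m conntrack --ctstate DNAT -j SNAT --to-source $BRIDGE_IP
# Outbound: private net -> internet gets the official address, except for
# traffic that stays inside the private net.
-A POSTROUTING -s $PRIV_NET ! -d $PRIV_NET -o $PUB_IF -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# Load as root without flushing the other tables: gen_nat_rules | iptables-restore -n
```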
