This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] XEN Bridged Network and NAT

To: Michael Grosseck <liox@xxxxxxxxxxxx>
Subject: Re: [Xen-users] XEN Bridged Network and NAT
From: Christophe Saout <christophe@xxxxxxxx>
Date: Sat, 25 Sep 2010 16:15:26 +0200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Hi Michael,

[Note: I don't usually do this, but I'm leaving a full quote below
 because I'm not going to give answers to specific sentences]

What Dom0 kernel are you using?  The old non-pvops Dom0 kernel (unless
it has changed in the meantime) had some non-standard hacks to avoid
unnecessary checksumming of the packets between the Dom0 and DomUs.
These hacks unfortunately broke Dom0 NAT.  I believe the problem was
that outgoing packets (the packets leaving Dom0 on an actual network
card) had the wrong checksum or something like that.

In case you are using such a kernel and still want to use this kind of
NAT setup without changing the kernel, I can try to dig up the kernel
patch that I made for this.  It adds some Xen-specific hacks to the NAT
code to fix things up.


> Hello everybody,
> I have two physical machines running by a provider. Each of them has 2
> physical network cards. Eth0 is connected to the internet and eth1
> connects the two machines directly. As you may divine, we like to have a
> high available setup. But because the provider does not allow taking
> the IPs of one machine to the other, and for security reasons, I decided to
> run the virtual machines with a bridged private network on eth1 and
> masquerade virtual machines which need internet access or where the
> outside world needs access. The idea behind it: if the machine where the
> webserver resides fails, the server moves to the other machine and there
> heartbeat starts an emergency nameserver as well, which provides the new
> official IPs. The nameservers have a short TTL, so after about 10
> minutes the new IPs should be known by everyone. So far everything works
> fine. But I have two problems.
> The first one. I can not access the service which is running on the
> virtual machine with its official IP on the same machine or in dom0.
> e.g. the virtual machine runs a webserver and has the IP
> It has to be reachable by the outside world with the IP
> On dom0 I do a
> -A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT 
> --to-destination
> to assign the official address to the virtual machine and a
> -A POSTROUTING -s -d ! -j SNAT 
> --to-source
> so that the virtual machine gets internet access.
> If I now try to access the website with lynx on the virtual machine with
> the IP I get a timeout. On dom0 lynx tells me, the site is not
> reachable.
> On the other side a ping or traceroute is working.
> The second problem affects the mailserver which is running on a virtual
> machine as well.
> Some clients tell me now, they are sometimes not able to send eMails
> with an attachment. The attachment is not that big. Maybe 1-4MB. But if
> the client tries to send the mail, he gets a timeout after a while.
> Sometimes after 10%, sometimes after 99% of the upload, and sometimes the
> same mail gets through. I can not reproduce the problem. If I try to
> send an eMail with an attachment it gets through all the time. But it
> seems to have something to do with the masquerading. On another machine
> with XEN and the same setting of the mailserver but without masquerading
> the clients have no problem sending mails with huge attachments.
> Maybe somebody has an idea what I'm doing wrong.
> Thanks in advance.
> By Michael
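Added example, not part of this thread: a small lint over an iptables-save nat table, modelled on the DNAT/SNAT pair Michael posted, that checks for a different and common cause of his first symptom, namely connections from Dom0 itself and from other DomUs bypassing the PREROUTING DNAT (locally generated packets only traverse the nat OUTPUT chain, and DomU-to-DomU hairpin traffic needs an SNAT so replies return via Dom0). This is independent of the checksum issue Christophe describes; the addresses 203.0.113.10 and 192.168.10.0/24 are constructed placeholders, since the thread's real IPs are not on the page.

```python
import re
import ipaddress

# Constructed sample modelled on the DNAT/SNAT pair from the thread; the
# thread's own addresses are not on the page, so these are placeholders.
SAMPLE_NAT_RULES = """
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.20:80
-A POSTROUTING -s 192.168.10.20/32 ! -d 192.168.10.0/24 -j SNAT --to-source 203.0.113.10
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)(.*)$")


def parse_nat_rules(text):
    """Return (chain, match options, target, target options) per '-A' line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, match, target, args = m.groups()
            rules.append((chain, match.strip(), target, args.strip()))
    return rules


def _dst_inside(match, net):
    """True if the rule has a non-negated -d that lies inside net."""
    m = re.search(r"(?<!! )-d (\S+)", match)
    return m is not None and ipaddress.ip_network(m.group(1), strict=False).subnet_of(net)


def lint_nat_rules(text, private_net):
    """List NAT gaps that leave a DNAT'd DomU service unreachable from Dom0 or other DomUs."""
    rules = parse_nat_rules(text)
    net = ipaddress.ip_network(private_net)
    problems = []
    for chain, match, target, args in rules:
        if chain != "PREROUTING" or target != "DNAT":
            continue
        # Locally generated packets (lynx on Dom0) never traverse PREROUTING,
        # so the same DNAT must also be present in the nat OUTPUT chain.
        if not any(c == "OUTPUT" and t == "DNAT" and a == args for c, _, t, a in rules):
            problems.append(f"no OUTPUT DNAT for: {match} -j DNAT {args}")
        # A DomU connecting to the public IP is DNAT'd back into the private net;
        # the server then answers the client directly, bypassing Dom0, unless the
        # hairpin traffic is also SNAT'd (or masqueraded) to Dom0 in POSTROUTING.
        if not any(c == "POSTROUTING" and t in ("SNAT", "MASQUERADE")
                   and f"-s {net}" in m and _dst_inside(m, net) for c, m, t, _ in rules):
            problems.append(f"no hairpin SNAT for {net} -> DNAT target {args}")
    return problems
```

Feed it the output of `iptables-save -t nat`; an empty list means both the Dom0-local and the DomU hairpin paths are covered for every DNAT rule.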
