Re: [Xen-users] XEN Bridged Network and NAT
[Note: I don't usually do this, but I'm leaving a full quote below
because I'm not going to give answers to specific sentences]
What Dom0 kernel are you using? The old non-pvops Dom0 kernel (unless
it has changed in the meantime) had some non-standard hacks to avoid
unnecessary checksumming of the packets between the Dom0 and DomUs.
These hacks unfortunately broke Dom0 NAT. I believe the problem was
that outgoing packets (the packets leaving Dom0 on an actual network
card) had the wrong checksum or something like that.
In case you are using such a kernel and still want to use this kind of
NAT setup without changing the kernel, I can try to dig up the kernel
patch that I made for this. It adds some Xen-specific hacks to the NAT
code to fix things up.
> Hello everybody,
> I have two physical machines running by a provider. Each of them has 2
> physical network cards. Eth0 is connected to the internet and eth1
> connects the two machines directly. As you may divine, we would like to have a
> highly available setup. But because the provider does not allow moving
> the IPs of one machine to the other, and for security reasons, I decided to
> run the virtual machines with a bridged private network on eth1 and
> masquerade the virtual machines which need internet access or which the
> outside world needs to access. The idea behind it: if the machine where the
> webserver resides fails, the server moves to the other machine, and there
> heartbeat starts an emergency nameserver as well, which provides the new
> official IPs. The nameservers have a short TTL, so after about 10
> minutes the new IPs should be known by everyone. So far everything works
> fine. But I have two problems.
> The first one: I can not access the service which is running on the
> virtual machine with its official IP on the same machine or in dom0.
> e.g. the virtual machine runs a webserver and has the IP 192.168.1.10.
> It has to be reachable by the outside world with the IP 10.0.0.10.
> On dom0 I do a
> -A PREROUTING -d 10.0.0.10/32 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.1.10
> to assign the official address to the virtual machine and a
> -A POSTROUTING -s 192.168.1.10/32 -d ! 192.168.1.0/24 -j SNAT
> --to-source 10.0.0.10
> so that the virtual machine gets internet access.
> If I now try to access the website with lynx on the virtual machine with
> the IP 10.0.0.10, I get a timeout. On dom0 lynx tells me the site is not
> On the other side, a ping or traceroute is working.
> The second problem affects the mailserver which is running on a virtual
> machine as well.
> Some clients tell me now that they are sometimes not able to send emails
> with an attachment. The attachment is not that big, maybe 1-4 MB. But if
> the client tries to send the mail, he gets a timeout after a while.
> Sometimes after 10%, sometimes after 99% of the upload, and sometimes the
> same mail gets through. I can not reproduce the problem. If I try to
> send an email with an attachment, it gets through all the time. But it
> seems to have something to do with the masquerading. On another machine
> with XEN and the same setting of the mailserver but without masquerading,
> the clients have no problem sending mails with huge attachments.
> Maybe somebody has an idea what I'm doing wrong.
> Thanks in advance.
> By Michael
Xen-users mailing list
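The following is an added example, not part of the original thread and not the kernel patch the reply refers to. It reproduces the two NAT rules from the post and adds the two hairpin rules that the posted ruleset lacks: connections that dom0 itself makes to 10.0.0.10 never pass PREROUTING (locally generated packets are translated in the nat OUTPUT chain), and a DomU on the bridge that connects to 10.0.0.10 gets its destination rewritten by the PREROUTING rule but the reply would travel straight back across the bridge without passing dom0's connection tracking, which is exactly the timeout described in the first problem. The addresses are the ones from the post; the function names, the APPLY switch and the ethtool checksum-offload workaround are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the dom0 NAT ruleset for the
# setup described in the post. Without APPLY=1 it only prints the commands so
# they can be reviewed; with APPLY=1 it executes them (root and iptables needed).
PUBLIC_IP="${PUBLIC_IP:-10.0.0.10}"          # official IP the outside world uses
INTERNAL_IP="${INTERNAL_IP:-192.168.1.10}"   # the DomU behind the bridge
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
PORT="${PORT:-80}"

# Print one iptables command per line for the given public IP, internal IP,
# internal network and TCP port.
nat_rules() {
    pub="$1"; int="$2"; net="$3"; port="$4"
    # 1. Inbound from the Internet, as in the post.
    echo "iptables -t nat -A PREROUTING -d $pub/32 -p tcp --dport $port -j DNAT --to-destination $int"
    # 2. Outbound from the DomU to the world, as in the post (current iptables
    #    syntax puts the ! before -d).
    echo "iptables -t nat -A POSTROUTING -s $int/32 ! -d $net -j SNAT --to-source $pub"
    # 3. Hairpin, part 1: packets that dom0 generates itself skip PREROUTING,
    #    so the same DNAT is needed in the nat OUTPUT chain.
    echo "iptables -t nat -A OUTPUT -d $pub/32 -p tcp --dport $port -j DNAT --to-destination $int"
    # 4. Hairpin, part 2: a host on the internal net (including the DomU itself)
    #    talking to the public IP has its destination rewritten by rule 1, but
    #    the reply would go back over the bridge without passing dom0's
    #    conntrack. Masquerading the source forces the reply through dom0,
    #    where the translation is reversed. Rule 2 does not match here because
    #    after the DNAT the destination is inside the internal net.
    echo "iptables -t nat -A POSTROUTING -s $net -d $int/32 -p tcp --dport $port -j MASQUERADE"
}

# Number of rules generated; handy for a sanity check before applying.
rule_count() { nat_rules "$@" | wc -l | tr -d ' '; }

# Assumed workaround, not the kernel patch mentioned in the reply: if NATed
# packets leave dom0 with bad checksums, turning off TX checksum offload on
# the DomU's vif (e.g. vif1.0) makes the checksum complete before NAT runs.
vif_checksum_off() { ethtool -K "$1" tx off; }

run_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        nat_rules "$@" | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
    else
        nat_rules "$@"
    fi
}

run_rules "$PUBLIC_IP" "$INTERNAL_IP" "$INTERNAL_NET" "$PORT"
```

Rules 3 and 4 assume the DomU's default gateway is dom0's address on the bridge, so that the masqueraded and dom0-originated replies actually come back through dom0; with a different gateway the hairpin reply takes another path and the translation is never reversed. Check with `conntrack -L` (or /proc/net/nf_conntrack) that a hairpin connection shows both the DNAT and the SNAT side before assuming the rules work.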