WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Trouble using NAT with multiple bridges

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Trouble using NAT with multiple bridges
From: Steven Brown <swbrown@xxxxxxxxxxxx>
Date: Mon, 26 Jun 2006 02:24:33 -0700
I've got a network set up with xen where I have a chain of
dom0<->domU<->domU<->etc. to simulate a multi-hop network path and
implemented with multiple bridges (one per hop to keep them isolated).
It works nicely locally, except that now I'm trying to have dom0 do NAT
for that last hop out to the internet and am running into problems (I've
already fixed the ethtool/tx problem afaik).  Something simple like this:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

will result in dom0 being able to ping into the domU chain at any number
of hops, but the domUs won't be able to ping each other.  Only the first
domU in the chain (so only traversing one bridge) can get out to the
internet through the NAT.

The closest I've come to making it work is this (assumed that
POSTROUTING is being hit by each bridge traversal):

iptables -m physdev ! --physdev-is-bridged -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

In which case, the dom0 can ping into the domUs, the domUs can ping each
other, but again, only the first domU in the chain can get out to the
internet through the NAT despite the other domUs having a working path
to that working domU.

I figure it's something simple I'm missing, but I'm totally out of
clues, so hoping y'all can help.  Some extra details below in case
they're of use.



(This is the route view at dom0; internet-br0 is the first bridge
between the dom0 and chain of domUs and contains a single interface -
that of the first domU in the chain of domUs (192.168.6.1).  eth0 is the
path out to the internet.  All the domUs in the chain are in the
192.168.0.0/16 subnet.  The other bridges have two interfaces and no
directly assigned IP, unlike this one.)

root@fictition:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.1     0.0.0.0         255.255.255.255 UH    0      0        0 internet-br0
72.130.176.0    0.0.0.0         255.255.248.0   U     0      0        0 eth0
192.168.0.0     192.168.6.1     255.255.0.0     UG    0      0        0 internet-br0
0.0.0.0         72.130.176.1    0.0.0.0         UG    0      0        0 eth0


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
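Added example, not part of the original post or of Xen itself. With bridge-netfilter active (net.bridge.bridge-nf-call-iptables = 1), IP frames the bridge forwards between two bridge ports also traverse the iptables FORWARD and nat POSTROUTING chains, so a MASQUERADE rule that is not restricted to the real uplink rewrites the source of frames crossing the inter-domU bridges as well. The script below restricts NAT to packets routed out of the uplink, explicitly accepts bridge-forwarded frames, and lists the sysctls and counters worth checking. It assumes the uplink is eth0 and the inside range is 192.168.0.0/16 (both overridable via WAN/INSIDE), and defaults to DRY_RUN=1, which prints the commands instead of applying them; run with DRY_RUN=0 as root to apply. It does not claim to explain the remaining multi-hop symptom.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): NAT only routed traffic
# leaving $WAN, leave bridge-forwarded frames alone, and print the checks.
# Assumptions: WAN=eth0, INSIDE=192.168.0.0/16, DRY_RUN=1 prints instead of
# executing (set DRY_RUN=0 and run as root to apply for real).
set -e
WAN="${WAN:-eth0}"
INSIDE="${INSIDE:-192.168.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it unchanged.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_rules: masquerade only packets routed out of $WAN whose output port is
# not a bridge port (so frames the bridge forwards between domUs keep their
# original source address), and accept bridged and routed forwarding.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$INSIDE" -o "$WAN" \
        -m physdev ! --physdev-is-bridged -j MASQUERADE
    # Frames crossing a bridge (domU <-> domU hop) must not be dropped here.
    run iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
    # Routed traffic from the inside range out to the uplink, and replies.
    run iptables -A FORWARD -s "$INSIDE" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -d "$INSIDE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# checks: the knobs that decide whether bridged frames hit iptables at all,
# whether dom0 routes, and the rule counters that show which rule a
# packet actually matched (watch them while pinging from a far domU).
checks() {
    run sysctl net.bridge.bridge-nf-call-iptables
    run sysctl net.ipv4.ip_forward
    run sysctl net.ipv4.conf.all.rp_filter
    run iptables -t nat -L POSTROUTING -v -n
    run iptables -L FORWARD -v -n
}

nat_rules
checks
```

Usage note: in dry-run mode the output is the exact command list, which is convenient to diff against `iptables-save` on the host; when applying for real, clear the FORWARD and nat POSTROUTING chains first so the counters you read back in `checks` belong only to these rules.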
