This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-users] Source NAT problems

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Source NAT problems
From: Steve Brueckner <steve@xxxxxxxxxxxxxx>
Date: Wed, 14 Feb 2007 15:47:30 -0500
Delivery-date: Wed, 14 Feb 2007 12:47:03 -0800
I'm using Xen 3.0 on an FC5 ( kernel) box with multiple
interfaces, bridges, and domUs.  I'm using the bridging setup, but also need
to source NAT traffic through its dom0 between two other boxes.  Here is the
portion in question:

 (internal network)
|   |    domUx |
|   |   /      |
| xenbr1-domUy |
|   |          |
| (v)eth1      |
|   |          |
|  dom0        |
|   |          |
| (v)eth0      |
|   |          |
| xenbr0-domUz |
|   |          |
 (external network)

I've got to nat traffic from box1 on the internal network to box2 on the 
external network.  So I enabled ip forwarding and source nat on dom0:
# sysctl -w net.ipv4.ip_forward=1
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to <dom0ip>

This nearly works, but returning packets disappear after they hit peth0.  

For example, I ping from box1 to box2.  tcpdump on dom0 sees the echo
packets arriving via peth1 and xenbr1, and leaving with the new SNATted 
address via eth0, xenbr0, and peth0.  So far, so good.

tcpdump also sees the echo reply packets coming back from box2 on peth0, 
but they never appear on xenbr0.  This is the problem.

The echo request and reply packets have the same IPs and MACs as they do when
I successfully ping directly from dom0 to box2.  So what could be causing
the packets to disappear only when they've been SNATted?

I've searched the xen-users archives and tried a few things.  I tried using
ethtool to turn off checksumming at xenbr0, vif0.0, and eth0, but that didn't
help.  I've been struggling with ebtables but having trouble understanding
them in the context of xen networking.

Any help would be appreciated.

Steve Brueckner, ATC-NY
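One way to pin down the hop at which the reply is lost, using the same per-interface tcpdump approach the message describes: this is an added example, not code from the original post or from Xen, and the captures, addresses (box1, dom0 and box2) and hop order in it are constructed placeholders that mirror the diagram above.

```python
import re
from collections import defaultdict
# Constructed per-interface `tcpdump -n -i <iface>` output (not a real capture).
# Placeholder addresses: box1 10.0.1.5 (internal), dom0 198.51.100.10 (external side), box2 198.51.100.20.
SAMPLE = {
    "peth1":  ["15:47:30.100000 IP 10.0.1.5 > 198.51.100.20: ICMP echo request, id 42, seq 1, length 64"],
    "xenbr1": ["15:47:30.100010 IP 10.0.1.5 > 198.51.100.20: ICMP echo request, id 42, seq 1, length 64"],
    "eth1":   ["15:47:30.100020 IP 10.0.1.5 > 198.51.100.20: ICMP echo request, id 42, seq 1, length 64"],
    "eth0":   ["15:47:30.100030 IP 198.51.100.10 > 198.51.100.20: ICMP echo request, id 42, seq 1, length 64"],
    "xenbr0": ["15:47:30.100040 IP 198.51.100.10 > 198.51.100.20: ICMP echo request, id 42, seq 1, length 64"],
    "peth0":  ["15:47:30.100050 IP 198.51.100.10 > 198.51.100.20: ICMP echo request, id 42, seq 1, length 64",
               "15:47:30.100300 IP 198.51.100.20 > 198.51.100.10: ICMP echo reply, id 42, seq 1, length 64"],
}
# Hop order of the forwarded request, box1 -> box2 through dom0, as drawn in the message.
REQUEST_PATH = ["peth1", "xenbr1", "eth1", "eth0", "xenbr0", "peth0"]
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def parse(lines):
    """Yield (kind, src, dst, id, seq) for ICMP echo lines; other traffic is ignored."""
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            yield kind, src, dst, int(ident), int(seq)

def trace(captures, path):
    """Per echo (id, seq): hops that saw request/reply, where the source was rewritten, where the reply vanished."""
    seen = defaultdict(lambda: {"request": {}, "reply": {}})
    for iface, lines in captures.items():
        for kind, src, _dst, ident, seq in parse(lines):
            seen[(ident, seq)][kind][iface] = src  # source address as seen at this hop
    report = {}
    for key, hops in seen.items():
        req = [i for i in path if i in hops["request"]]
        reply_path = path[::-1]  # the reply should retrace the request path backwards
        rep = [i for i in reply_path if i in hops["reply"]]
        snat = None
        for a, b in zip(req, req[1:]):  # SNAT shows up as a source change between two hops
            if hops["request"][a] != hops["request"][b]:
                snat = (a, b, hops["request"][a], hops["request"][b])
        lost = None
        for prev, nxt in zip(reply_path, reply_path[1:]):  # first hop the reply never reached
            if prev in hops["reply"] and nxt not in hops["reply"]:
                lost = (prev, nxt)
                break
        report[key] = {"request_seen": req, "reply_seen": rep,
                       "snat_between": snat, "reply_lost_between": lost}
    return report
```

On the constructed capture the report shows the source rewrite between eth1 and eth0 and the reply last seen on peth0 but absent from xenbr0, which is the gap the message describes.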
