Re: [Xen-users] Can't access the domU's from the LAN (only from the dom0)
Try specifying a MAC address within the dom-u. Depending on the router you
have and size of the network (looks large?) it could take from 10 - 90
seconds for the router to arp the new mac.

Also don't forget the bridge learning curve before you say ARG it's not
working :)

HTH

--Tim

On Mon, 2006-09-11 at 12:55 +0200, Jaume Sabater wrote:
> Hello everyone!
>
> I have a machine with two network interfaces, eth0 and eth1. Eth0 is
> connected to the LAN (192.168.1.0/24) and eth1 to my router
> (ip:80.36.214.x, gw: 80.36.214.y). This server is acting as a
> proxy-cache as well. I also have a VPN between the two
> subnets 192.168.0.0/24 and 192.168.1.0/24.
>
> I have a running kernel 2.6.16.19 with Xen 3.0.2 on a Debian x86_64 Sid
> (custom kernel). I want to use Xen virtual machines only internally (as
> any other normal PC inside the 192.168.1.0/24 network, but with no need
> to be accessed from the Internet). So, I have created a virtual machine
> using the xen-tools package provided by Steve:
>
> [1] http://packages.debian.org/unstable/utils/xen-tools
>
> These are the parameters of /etc/xen-tools/xen-tools.conf:
>
> dir = /home/xen
> debootstrap = 1
> size = 2Gb
> memory = 128Mb
> swap = 256Mb
> fs = ext3
> dist = etch
> image = sparse
> gateway = 192.168.1.3
> netmask = 255.255.255.0
> passwd = 1
> kernel = /boot/xen0-linux-2.6.16.19-xen
> initrd =
> mirror = http://ftp.se.debian.org/debian/
>
> I created the image with this command:
>
> xen-create-image --hostname=xen01 --ip=192.168.1.10 --passwd
>
> The /etc/network/interfaces in the virtual machine (dom1):
>
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet static
> address 192.168.1.10
> gateway 192.168.1.3
> netmask 255.255.255.0
>
> Everything went fine:
>
> - I can connect to the virtual machine from the host (192.168.1.3)
> - I can connect to the Internet from inside the virtual machine.
>
> But:
>
> - I can't ping the virtual machine 192.168.1.10 from any other PC in the
> 192.168.1.0/24 network (but the host 192.168.1.3). It says "Destination
> Host Unreachable".
> - I can't ping any host in the 192.168.1.0/24 network from inside the
> virtual machine 192.168.1.10. It does not complain, though.
>
> I have set up /etc/xen/xend-config.sxp using:
>
> (network-script network-route)
> (vif-script vif-route)
>
> Honestly, I don't have any other reason to choose routing instead of
> bridging except the fact that I tried for days and days with the
> bridging thing and I could make it work, so I said "next try another
> option".
>
> When I was using bridging, I could ping from inside a VM to a PC, but
> not from a PC to the VM. Again, I could really tell what was wrong (I am
> not an expert with iptables, I admit it).
>
> My firewall looks like this (short version):
>
> BOF ----------------------------
>
> iptables --policy INPUT DROP
> iptables --append INPUT --in-interface ! eth1 --jump ACCEPT
> iptables --append INPUT --match state --state ESTABLISHED,RELATED \
>     --jump ACCEPT
> iptables --append INPUT --proto ICMP --jump ACCEPT
>
> # SSH
> iptables --append INPUT --proto tcp --match state --dport ssh \
>     --state NEW --source a.b.c.d --jump ACCEPT
>
> # VPN
> iptables --append INPUT --in-interface eth1 --proto udp \
>     --sport isakmp --dport isakmp --source 213.96.x.y \
>     --destination ${VPN_SRC} --jump ACCEPT
> iptables --append INPUT --in-interface eth1 --proto tcp \
>     --sport isakmp --dport isakmp --source 213.96.x.y \
>     --destination 80.36.x.y --jump ACCEPT
> iptables --append INPUT --in-interface eth1 --proto ah \
>     --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
> iptables --append INPUT --in-interface eth1 --proto esp \
>     --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
>
> # Transparent proxy
> iptables --table nat --append PREROUTING --in-interface eth0 \
>     --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
>     --proto tcp --dport 80 --jump REDIRECT --to-port 3128
>
> # Activate Network Address Translation
> /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
>     --destination ! 192.168.0.0/24 --out-interface eth1 \
>     --jump MASQUERADE
>
> EOF ----------------------------
>
> 80.36.x.y is the gateway in the machine (my end)
> 213.96.x.y is the gateway of the other end of the VPN
>
> So, as far as I know, after reading as many docs as Google could provide
> me with, I guess the problem is that traffic is not "routed" from the
> eth0 to the vif. My ifconfig (summarized version) looks like this:
>
> eth0      Link encap:Ethernet  HWaddr ------
>           inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
> eth1      Link encap:Ethernet  HWaddr ------
>           inet addr:80.36.x.y  Bcast:80.36.214.191  Mask:255.255.255.224
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
> vif3.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.255
>
> Also, as a final note, when I was attempting to make it work by using
> bridging, my server stopped forwarding connections from the LAN to the
> Internet, so that was one more reason to try the "routed" setup. At
> least now I can let people work while I try to finish up this setup and
> don't have to go to the office on Saturday :)
>
> Any hints? If you need any more information, please let me know. Thanks
> in advance.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
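Added example, not part of the thread and not Tim's or Jaume's code: a small POSIX shell check for the three conditions a routed Xen setup (network-route / vif-route, as in the quoted xend-config.sxp) needs before a host on the LAN can reach a domU. The interface names, domU address and vif name (eth0, 192.168.1.10, vif3.0) come from the quoted ifconfig; the SYSROOT and ROUTE_CMD knobs are this example's own assumptions, there so the checks can be run against a constructed /proc tree or a captured routing table instead of the live dom0.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a routed Xen domU.
# Assumed knobs: LAN_IF is the dom0's LAN interface, DOMU_IP the domU's
# address, VIF the domU's backend interface on the dom0. SYSROOT prefixes
# the /proc/sys paths and ROUTE_CMD replaces "ip -4 route show", so the
# checks can run offline against constructed input.

LAN_IF="${LAN_IF:-eth0}"
DOMU_IP="${DOMU_IP:-192.168.1.10}"
VIF="${VIF:-vif3.0}"
SYSROOT="${SYSROOT:-}"
ROUTE_CMD="${ROUTE_CMD:-ip -4 route show}"

# read_sysctl KEY: print the value of /proc/sys/KEY, or "missing".
read_sysctl() {
    f="$SYSROOT/proc/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_routed_domu: print one line per problem found and return 0 only
# when all three conditions hold:
#   1. the dom0 forwards IP packets between LAN_IF and VIF,
#   2. the dom0 answers ARP on the LAN for DOMU_IP (proxy ARP on LAN_IF);
#      without it LAN hosts get no ARP reply and ping reports
#      "Destination Host Unreachable", and replies to the domU's own
#      packets are dropped on the LAN host for the same reason,
#   3. the dom0 has a host route for DOMU_IP via VIF (vif-route adds it).
check_routed_domu() {
    problems=0
    if [ "$(read_sysctl net/ipv4/ip_forward)" != "1" ]; then
        echo "ip_forward is not 1: dom0 will not route between $LAN_IF and $VIF"
        problems=$((problems + 1))
    fi
    if [ "$(read_sysctl "net/ipv4/conf/$LAN_IF/proxy_arp")" != "1" ]; then
        echo "proxy_arp is off on $LAN_IF: LAN hosts get no ARP reply for $DOMU_IP"
        problems=$((problems + 1))
    fi
    if ! $ROUTE_CMD | grep -q "^$DOMU_IP dev $VIF"; then
        echo "no host route for $DOMU_IP via $VIF"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Run the check on the live host only when asked, so the functions can
# also be sourced and called from elsewhere.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_routed_domu
fi
```

On the dom0 this is run as `RUN_CHECK=1 sh check-routed-domu.sh` (with LAN_IF, DOMU_IP and VIF overridden as needed). The second check is the one that matches the symptoms in the quoted mail: with routing instead of bridging, other LAN hosts ARP for 192.168.1.10 on the wire, and nobody answers unless the dom0 has proxy ARP enabled on eth0; the vif-route script turns proxy ARP on for the vif side only. The quoted firewall never sets a FORWARD policy, so forwarded traffic between eth0 and vif3.0 falls through to the default ACCEPT; a script that later adds `--policy FORWARD DROP` would also need explicit accept rules for that path.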