On 11.5.2010 3.40, Gordon Messmer wrote:
Routing policy is definitely required for a multi-homed system such as Jussi presented, but NAT is totally superfluous. It adds an extra layer of complexity that makes the system more difficult to diagnose and configure, and contributes nothing of value in return.
Funny, this morning I came to the same conclusion after some googling. A xen box with two bridges should be considered normal, and it should not break anything inside or outside the box.
There are good instructions on the net for installing 2 virtual bridges on a Xen box. But I have found no mention of this specific dual-bridge problem I have: that IP traffic goes in OK through any physical NIC to the dom0 or domUs, but all replies are routed to only one NIC (the default gateway). (I verified this with tcpdump.)
John Pierce's advice was simple and correct. If you don't want to set up ifup-post scripts of your own, you can use shorewall. Shorewall is actually more complex, but you don't have to understand much about the "ip" tool to use it.
I am going to try this first without Shorewall (simpler, I hope).
John, could you elaborate a little on this (I never had to adjust routing before):
On 10.5.2010 21.15, John R Pierce wrote:
something like...
[after setting up network 1 the 'normal' way, we add these rules for network 2...]
NET2=xxx.yyy.zzz.www/26
NET2GWY=xxx.yyy.zzz.wwx
ip rule add from $NET2 table 200
ip route add default via $NET2GWY dev eth1 table 200
ip route flush cache
so... any packet that's 'from' the subnet $NET2 is tagged to use IP routing table '200' (quite arbitrary), and in turn route table 200 specifies a different default gateway.
Where should I put that script? network-scripts/ifup-post? What would your "table 200" look like, and where should I put that?
- Jussi
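One way to package John's rules as an ifup hook, added here as an example and not code from anyone in the thread: it emits the commands for the second uplink so they can be reviewed before being applied, adds the connected route to table 200 (otherwise the table's default route would send same-subnet traffic to the gateway), and only fires for the second NIC. The subnet, gateway, device and table values are constructed placeholders; the script assumes it is called with the interface name as its first argument, which is how ifup-post invokes an executable /sbin/ifup-local on CentOS.

```shell
#!/bin/sh
# Added example, not from the list thread. Variable names follow John's
# snippet; the values are constructed placeholders (RFC 5737 test range).
NET2="192.0.2.64/26"      # second subnet, constructed
NET2GWY="192.0.2.65"      # gateway on that subnet, constructed
DEV2="eth1"               # physical NIC (or bridge) for the second uplink
TABLE2=200                # arbitrary routing table number, as in John's mail

# Print the commands rather than run them, so the hook can be dry-run
# ("policy_route_cmds ...") or applied ("policy_route_cmds ... | sh").
policy_route_cmds() {
    net=$1; gw=$2; dev=$3; tbl=$4
    # Connected route first: a lookup in table 200 stops at the first match,
    # so without this line hosts on NET2 itself would be reached via the gateway.
    printf 'ip route replace %s dev %s table %s\n' "$net" "$dev" "$tbl"
    # 'replace' instead of 'add' keeps the hook idempotent across re-ups.
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev" "$tbl"
    # 'ip rule add' is not idempotent; remove a stale copy before re-adding.
    printf 'ip rule del from %s table %s 2>/dev/null\n' "$net" "$tbl"
    printf 'ip rule add from %s table %s\n' "$net" "$tbl"
    printf 'ip route flush cache\n'
}

# Hook entry point: ifup-post passes the interface that just came up.
apply_if_dev() {
    [ "$1" = "$DEV2" ] || return 0
    policy_route_cmds "$NET2" "$NET2GWY" "$DEV2" "$TABLE2" | sh
}
```

Verify afterwards with `ip rule show` and `ip route show table 200`; replies sourced from a NET2 address should now leave via eth1 in tcpdump.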