As I received no response on the general CentOS list, I'll repost it here as the question is about Xen virtual machine routing.
This is my network setup: http://pastebin.com/kyWpTQYU
Let's assume my dom0's eth2 public IP is 1.2.3.33 and my DMZ network is 11.22.33.96/255.255.255.224. I have created NAT from my LAN with iptables. You can see my /etc/sysconfig/iptables here: http://pastebin.com/1FqSTvPH
And this is my dom0 routing table: http://pastebin.com/gNjTFHp5
My goal:
To access NFS shares on a (non-virtualized) file server in the LAN network from the domU web server in the DMZ network.
What I tried:
I attached the domU to both bridges using this Xen config:
vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0","mac=00:0C:29:76:19:85,bridge=xenbr1" ]
and then created two eth interfaces inside the domU mapping to the MAC addresses above, giving eth1 an IP from the DMZ (11.22.33.111) and giving eth2 an IP from the LAN (192.168.0.12). After this I mounted the NFS share from the file server (192.168.0.2).
My problem:
If my domU web server is connected to both LAN and DMZ using the two bridges xenbr0 and xenbr1, I can access the NFS share from the domU web server and everything else works as expected, except for one thing -- my workstations in the LAN can no longer access the web server: web pages do not open anymore and from the workstations I cannot ping the domU. If the web server domU is only connected to the DMZ via xenbr0, the workstations can access it fine.
Any advice on what I am doing wrong and how I could fix my setup?
Regards, Peter
On Wed, 2012-03-07 at 20:41 +0200, Peter Peltonen wrote:
<snip>
The POSTROUTING command uses -o eth2. To NAT LAN requests to your DMZ web server, shouldn't you be using xenbr0?
Though, I would bridge eth2, as well, and create a virtual firewall with eth0 (DMZ?), eth1 (LAN) and eth2 (PUB). I wouldn't want the Dom0 to be directly compromised if my firewall was compromised.
_______________________________________________
CentOS-virt mailing list
CentOS-virt@centos.org
http://lists.centos.org/mailman/listinfo/centos-virt
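The asymmetry behind Ed's diagnosis, as an added illustration (not code from the thread): with MASQUERADE only on eth2, a LAN workstation's request reaches the domU on its DMZ leg still carrying a LAN source address, and the dual-homed domU's own routing table sends the reply straight out its LAN leg; once dom0 also masquerades on xenbr0, the domU sees dom0's DMZ address and replies back the way the request came. The LAN prefix length, the workstation address 192.168.0.50 and dom0's xenbr0 address 11.22.33.97 are assumptions.

```python
import ipaddress

# Constructed routing tables modelled on the thread's setup. The domU addresses
# (11.22.33.111 / 192.168.0.12) and the DMZ prefix come from the post; the LAN
# prefix length, the workstation address and dom0's xenbr0 address are assumed.
DOM0_ROUTES = [("11.22.33.96/27", "xenbr0"), ("192.168.0.0/24", "xenbr1"),
               ("0.0.0.0/0", "eth2")]
DOMU_ROUTES = [("11.22.33.96/27", "eth1"), ("192.168.0.0/24", "eth2"),
               ("0.0.0.0/0", "eth1")]          # domU default via dom0's DMZ side
BRIDGE_TO_DOMU_IF = {"xenbr0": "eth1", "xenbr1": "eth2"}  # vif mapping from the post

# What each POSTROUTING MASQUERADE rule rewrites the source to, keyed by -o.
NAT_ETH2_ONLY = {"eth2": "1.2.3.33"}                       # original ruleset
NAT_FIXED = {"eth2": "1.2.3.33", "xenbr0": "11.22.33.97"}  # after adding xenbr0


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel FIB picks an egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1]


def lan_to_dmz_path(nat_rules, src="192.168.0.50", dst="11.22.33.111"):
    """Trace a LAN workstation's request through dom0 to the dual-homed domU
    and work out which domU leg the reply would leave on."""
    dom0_out = lookup(DOM0_ROUTES, dst)            # dom0 forwards toward the DMZ
    seen_src = nat_rules.get(dom0_out, src)         # MASQUERADE is per -o interface
    domu_in = BRIDGE_TO_DOMU_IF[dom0_out]           # leg the packet arrives on
    domu_reply = lookup(DOMU_ROUTES, seen_src)      # leg the domU replies from
    return {"dom0_out": dom0_out, "src_seen_by_domu": seen_src,
            "domu_in": domu_in, "domu_reply": domu_reply,
            "symmetric": domu_in == domu_reply}


if __name__ == "__main__":
    for label, rules in (("eth2 only", NAT_ETH2_ONLY), ("eth2 + xenbr0", NAT_FIXED)):
        print(label, lan_to_dmz_path(rules))
```

Whether the asymmetric case fails outright (as it did in the thread) or merely works by accident depends on the domU's reverse-path filtering; either way, once LAN traffic is masqueraded the web server's logs show dom0's DMZ address rather than the real workstation, which matters when correlating access logs.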
On Wed, 2012-03-07 at 13:13 -0700, Ed Heron wrote:
On Wed, 2012-03-07 at 20:41 +0200, Peter Peltonen wrote:
<snip>
The POSTROUTING command uses -o eth2. To NAT LAN requests to your DMZ web server, shouldn't you be using xenbr0?
Though, I would bridge eth2, as well, and create a virtual firewall with eth0 (DMZ?), eth1 (LAN) and eth2 (PUB). I wouldn't want the Dom0 to be directly compromised if my firewall was compromised.
I'd also add a fourth network interface for SAN, then you can connect 2 virtual servers together and use DRBD to replicate your disk space for fault tolerance. Your firewall could be started on either machine.
Hi,
On Wed, Mar 7, 2012 at 10:13 PM, Ed Heron <Ed@heron-ent.com> wrote:
My goal:
To access NFS shares on a (non-virtualized) file server in the LAN network from the domU web server in the DMZ network.
<snip>
My problem:
If my domU web server is connected to both LAN and DMZ using the two bridges xenbr0 and xenbr1, I can access the NFS share from the domU web server and everything else works as expected, except for one thing -- my workstations in the LAN can no longer access the web server: web pages do not open anymore and from the workstations I cannot ping the domU. If the web server domU is only connected to the DMZ via xenbr0, the workstations can access it fine.
Any advice on what I am doing wrong and how I could fix my setup?
The POSTROUTING command uses -o eth2. To NAT LAN requests to your DMZ web server, shouldn't you be using xenbr0?
Thanks Ed for your advice, that was the thing I was missing. After adding a POSTROUTING command for xenbr0 everything works as expected.
Cheers, Peter