[CentOS-virt] routing problem with domU bridged to two networks
Ed at Heron-ent.com
Wed Mar 7 15:13:26 EST 2012
On Wed, 2012-03-07 at 20:41 +0200, Peter Peltonen wrote:
> As I received no response on the general CentOS list, I'll repost it
> here as the question is about Xen virtual machine routing.
> This is my network setup:
> Let's assume my dom0's eth2 public ip is 126.96.36.199 and my dmz network
> 188.8.131.52/255.255.255.224 . I have created NAT from my LAN with
> iptables. You can see my /etc/sysconfig/iptables here:
> And this is my dom0 routing table:
> My goal:
> To access NFS shares on a (non-virtualized) file server in the LAN
> network from the domU web server in the DMZ network.
> What I tried:
> I attached the domU to both bridges using this Xen config:
> vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0","mac=00:0C:29:76:19:85,bridge=xenbr1" ]
> and then created two eth interfaces inside the domU mapping to the MAC
> addresses above, giving eth1 an IP from the DMZ (184.108.40.206) and
> giving eth2 an IP from the LAN (192.168.0.12). After this I mounted
> the NFS share from the file server (192.168.0.2).
> My problem:
> If my domU web server is connected to both LAN and DMZ using the two
> bridges xenbr0 and xenbr1, I can access the NFS share from the domU
> web server and everything else works as expected, except for one thing
> -- my workstations in the LAN cannot anymore access the web server:
> web pages do not open anymore and from the workstations I cannot ping
> the domU. If the web server domU is only connected to DMZ via xenbr0,
> the workstations can access it ok.
> Any advice on what I am doing wrong and how I could fix my setup?
The postrouting command uses -o eth2. To NAT LAN requests to your DMZ
web server, shouldn't you be using xenbr0?
Though, I would bridge eth2, as well, and create a virtual firewall
with eth0 (DMZ?), eth1 (LAN) and eth2 (PUB). I wouldn't want the Dom0
to be directly compromised if my firewall was compromised.
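The thread does not include Peter's iptables rules or routing table, so the cause of the lost LAN-to-web-server connectivity cannot be confirmed from the post. The following added example (not from the thread or from anyone in it) models the one explanation that fits what is described: a dual-homed domU picks its reply interface by longest-prefix match, so a request that arrives via the DMZ side from a LAN workstation is answered directly out of the LAN side, bypassing dom0 and whatever NAT or conntrack state the request created there. It uses the interface names and addresses from the post; the LAN prefix 192.168.0.0/24, the DMZ prefix 184.108.40.192/27, the gateway 184.108.40.193 and the workstation 192.168.0.50 are constructed assumptions. The policy-routing part goes beyond what the thread proposes and shows the usual fix for a multihomed host (source-based rules, `ip rule add from <addr> lookup <table>`); it does not remove Ed's point that a web server with a leg in both bridges is itself a path from the DMZ into the LAN around the firewall.

```python
"""Route selection on the dual-homed domU from the thread (added illustration)."""
import ipaddress

# --- constructed data, modelled on the thread, not taken from a live system ---
# Interface names follow the post: eth1 sits on xenbr0 (DMZ), eth2 on xenbr1 (LAN).
# ASSUMPTIONS not stated in the post: the LAN is 192.168.0.0/24, the DMZ is the /27
# containing 184.108.40.206, and the domU's default route leaves via the DMZ
# interface towards dom0 (the gateway address below is a placeholder).
DMZ_IP = "184.108.40.206"
LAN_IP = "192.168.0.12"
DMZ_GW = "184.108.40.193"   # placeholder for dom0's address on xenbr0

DMZ_ONLY_ROUTES = [
    # (destination prefix, output interface, next hop or None if on-link)
    ("184.108.40.192/27", "eth1", None),
    ("0.0.0.0/0", "eth1", DMZ_GW),
]

# Same host after the second vif on xenbr1 is added: the LAN becomes on-link.
DUAL_HOMED_ROUTES = DMZ_ONLY_ROUTES + [
    ("192.168.0.0/24", "eth2", None),
]


def lookup(dst, routes):
    """Longest-prefix match over a route list, as the kernel's main table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_path(client, arrived_on, routes):
    """Interface the domU uses to answer `client`, and whether it matches the
    interface the request came in on (i.e. whether the flow is symmetric)."""
    dev, gw = lookup(client, routes)
    return {"out_dev": dev, "next_hop": gw, "symmetric": dev == arrived_on}


# Source-based policy routing: packets sourced from the DMZ address are forced
# through a DMZ-only table, mirroring `ip rule add from <DMZ_IP> lookup dmz`.
# First matching rule wins, like `ip rule` priorities.
POLICY_RULES = [
    (DMZ_IP + "/32", DMZ_ONLY_ROUTES),
    ("0.0.0.0/0", DUAL_HOMED_ROUTES),
]


def policy_reply_path(client, arrived_on, src):
    """Reply path when the routing table is chosen by the packet's source address."""
    src_addr = ipaddress.ip_address(src)
    for selector, table in POLICY_RULES:
        if src_addr in ipaddress.ip_network(selector):
            return reply_path(client, arrived_on, table)
    raise LookupError("no policy rule matched")


if __name__ == "__main__":
    ws = "192.168.0.50"  # constructed LAN workstation talking to the web server's DMZ address
    print("DMZ only    :", reply_path(ws, "eth1", DMZ_ONLY_ROUTES))    # back out eth1, symmetric
    print("dual-homed  :", reply_path(ws, "eth1", DUAL_HOMED_ROUTES))  # out eth2, asymmetric
    print("policy route:", policy_reply_path(ws, "eth1", DMZ_IP))      # back out eth1 again
    print("NFS to fs   :", policy_reply_path("192.168.0.2", "eth2", LAN_IP))  # LAN leg still works
```

The second line of output is the situation described in the post: with only the DMZ vif, the answer to the workstation goes back through dom0; once the LAN vif exists, the same answer leaves eth2 with the DMZ source address, and dom0 never sees it. Whether that is what happened on Peter's box can only be settled by looking at the real routing table and a tcpdump on both vifs.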