[CentOS-virt] routing problem with domU bridged to two networks

Wed Mar 7 18:41:05 UTC 2012
Peter Peltonen <peter.peltonen at gmail.com>

As I received no response on the general CentOS list, I'll repost it
here as the question is about Xen virtual machine routing.

This is my network setup:

Let's assume my dom0's eth2 public ip is and my dmz network . I have created NAT from my LAN with
iptables. You can see my /etc/sysconfig/iptables here:

And this is my dom0 routing table:

My goal:

To access NFS shares on a (non-virtualized) file server in the LAN
network from the domU web server in the DMZ network.

What I tried:

I attached the domU to both bridges using this Xen config:

vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0","mac=00:0C:29:76:19:85,bridge=xenbr1" ]

and then created two eth interfaces inside the domU mapping to the MAC
addresses above, giving eth1 an IP from the DMZ ( and
giving eth2 an IP from the LAN ( After this I mounted
the NFS share from the file server (

My problem:

If my domU web server is connected to both LAN and DMZ using the two
bridges xenbr0 and xenbr1, I can access the NFS share from the domU
web server and everything else works as expected, except for one thing
-- my workstations in the LAN can no longer access the web server:
web pages do not open anymore and from the workstations I cannot ping
the domU. If the web server domU is only connected to the DMZ via xenbr0,
the workstations can access it fine.

Any advice on what I am doing wrong and how I could fix my setup?
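Added example, not part of the original post or of Xen's or CentOS's own tooling. The symptom above (a dual-homed guest that stops answering LAN hosts the moment its second interface comes up) is the classic signature of asymmetric routing: the workstation reaches the domU's DMZ address through dom0, but the domU's reply, still sourced from the DMZ address, is routed out the directly connected LAN interface instead of back through dom0, so it arrives from an unexpected path and is typically dropped. The simulation below models the kernel's route selection (policy rules walked in order, longest-prefix match inside each table) to show the reply leaving eth2 with the plain table and leaving eth1 once a source-based rule is added. Every address, interface name and table name is constructed for the example; the original post elides its real ones. On a real domU the same check is `ip route get <workstation> from <domU DMZ address>`, and the fix the second setup models is `ip rule add from <domU DMZ address> table dmz` plus a default route via dom0 in that table. Independently of the routing fix, note that a DMZ host with a leg directly in the LAN bypasses the dom0 firewall entirely; if the NFS client is the only reason for the second interface, a firewall rule on dom0 permitting NFS from the DMZ address keeps the DMZ meaningful.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addresses for the example (the post does not give the real ones).
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
DOMU_DMZ_IP = ipaddress.ip_address("192.168.2.10")  # domU eth1, on xenbr0
DOMU_LAN_IP = ipaddress.ip_address("192.168.1.10")  # domU eth2, on xenbr1
DOM0_DMZ_GW = ipaddress.ip_address("192.168.2.1")   # dom0's address on the DMZ side
WORKSTATION = ipaddress.ip_address("192.168.1.50")  # a LAN workstation
NFS_SERVER = ipaddress.ip_address("192.168.1.20")   # the LAN file server


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None means directly connected


@dataclass
class Rule:
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # None behaves like "from all"


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one routing table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def select_route(rules: List[Rule], tables: Dict[str, List[Route]],
                 src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Walk policy rules in priority order; the first table holding a match wins."""
    for rule in rules:
        if rule.src is not None and src not in rule.src:
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is not None:
            return hit
    return None


def main_table() -> List[Route]:
    # What the domU gets from its two interface configs: both networks
    # directly connected, default route via dom0 on the DMZ side.
    return [Route(DMZ, "eth1"), Route(LAN, "eth2"), Route(ANY, "eth1", via=DOM0_DMZ_GW)]


def plain_setup():
    """Single main table, as in the post: every packet uses destination-only routing."""
    return [Rule("main")], {"main": main_table()}


def policy_routed_setup():
    """Adds a source-based rule (hypothetical table name 'dmz'):
       ip rule add from 192.168.2.10/32 table dmz
       ip route add 192.168.2.0/24 dev eth1 table dmz
       ip route add default via 192.168.2.1 dev eth1 table dmz
    Traffic sourced from the DMZ address always leaves via eth1 towards dom0."""
    dmz_table = [Route(DMZ, "eth1"), Route(ANY, "eth1", via=DOM0_DMZ_GW)]
    rules = [Rule("dmz", src=ipaddress.ip_network(f"{DOMU_DMZ_IP}/32")), Rule("main")]
    return rules, {"dmz": dmz_table, "main": main_table()}


def reply_egress(setup, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> str:
    """Interface a packet from src to dst would leave on under the given setup."""
    rules, tables = setup
    hit = select_route(rules, tables, src, dst)
    return hit.dev if hit is not None else "unroutable"


def is_symmetric(setup, src, dst, ingress_dev: str) -> bool:
    """True if the reply leaves on the interface the request arrived on."""
    return reply_egress(setup, src, dst) == ingress_dev


if __name__ == "__main__":
    # Workstation -> domU DMZ address arrives via dom0 on eth1; where does the reply go?
    for name, setup in (("plain", plain_setup()), ("policy-routed", policy_routed_setup())):
        dev = reply_egress(setup, DOMU_DMZ_IP, WORKSTATION)
        sym = is_symmetric(setup, DOMU_DMZ_IP, WORKSTATION, "eth1")
        print(f"{name:14s} reply to workstation leaves via {dev} (symmetric: {sym})")
    # NFS traffic sourced from the LAN address keeps using the direct LAN leg.
    print("NFS client traffic leaves via", reply_egress(policy_routed_setup(), DOMU_LAN_IP, NFS_SERVER))
```

With the plain table the reply to the workstation is matched by the connected LAN route and leaves eth2 although the request came in on eth1; with the source rule in place it goes back through dom0 on eth1, while NFS traffic sourced from the LAN address is unaffected because the rule only matches the DMZ address.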