[CentOS-virt] routing problem with domU bridged to two networks

Wed Mar 7 20:18:00 UTC 2012
Ed Heron <Ed at Heron-ent.com>

On Wed, 2012-03-07 at 13:13 -0700, Ed Heron wrote:
> On Wed, 2012-03-07 at 20:41 +0200, Peter Peltonen wrote:
> > As I received no response on the general CentOS list, I'll repost it
> > here as the question is about Xen virtual machine routing.
> > 
> > 
> > This is my network setup:
> > http://pastebin.com/kyWpTQYU
> > 
> > 
> > Let's assume my dom0's eth2 public IP is 1.2.3.33 and my DMZ network
> > 11.22.33.96/255.255.255.224. I have created NAT from my LAN with
> > iptables. You can see my /etc/sysconfig/iptables here:
> > http://pastebin.com/1FqSTvPH
> > 
> > 
> > And this is my dom0 routing table:
> > http://pastebin.com/gNjTFHp5
> > 
> > 
> > My goal:
> > 
> > To access NFS shares on a (non-virtualized) file server in the LAN
> > network from the domU web server in the DMZ network.
> > 
> > 
> > What I tried:
> > 
> > I attached the domU to both bridges using this Xen config:
> > 
> > vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0",
> >         "mac=00:0C:29:76:19:85,bridge=xenbr1" ]
> > 
> > and then created two eth interfaces inside the domU mapping to the MAC
> > addresses above, giving eth1 an IP from the DMZ (11.22.33.111) and
> > giving eth2 an IP from the LAN (192.168.0.12). After this I mounted
> > the NFS share from the file server (192.168.0.2).
> > 
> > 
> > My problem:
> > 
> > If my domU web server is connected to both LAN and DMZ using the two
> > bridges xenbr0 and xenbr1, I can access the NFS share from the domU
> > web server and everything else works as expected, except for one thing
> > -- my workstations in the LAN can no longer access the web server:
> > web pages do not open anymore and from the workstations I cannot ping
> > the domU. If the web server domU is only connected to DMZ via xenbr0,
> > the workstations can access it ok.
> > 
> > 
> > Any advice on what I am doing wrong and how I could fix my setup?
> 
>   The postrouting command uses -o eth2.  To NAT LAN requests to your DMZ
> web server, shouldn't you be using xenbr0?
> 
>   Though, I would bridge eth2, as well, and create a virtual firewall
> with eth0 (DMZ?), eth1 (LAN) and eth2 (PUB).  I wouldn't want the Dom0
> to be directly compromised if my firewall was compromised.

  I'd also add a fourth network interface for SAN, then you can connect
2 virtual servers together and use DRBD to replicate your disk space for
fault tolerance.  Your firewall could be started on either machine.

> > Regards,
> > Peter
> > _______________________________________________
> > CentOS-virt mailing list
> > CentOS-virt at centos.org
> > http://lists.centos.org/mailman/listinfo/centos-virt
>
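Added example, written for this page and not code from the thread or from either poster. One common cause of exactly the symptom Peter describes on a multi-homed Linux guest is that, once the domU has a leg directly in 192.168.0.0/24, its replies to LAN workstations that reached it on the DMZ address 11.22.33.111 leave over the LAN leg (eth2) instead of going back through the DMZ and dom0, so the path becomes asymmetric and strict rp_filter (on by default on CentOS) drops the inbound packets on eth1. The script below pins traffic sent from the DMZ address to the DMZ leg with source-based policy routing, while the LAN leg keeps only its connected route, which is all the NFS mount of 192.168.0.2 needs. Addresses and interface names are the thread's; the DMZ-side gateway 11.22.33.97 and routing table number 100 are assumptions, as is the diagnosis itself, which should be confirmed with tcpdump on the domU before changing anything.

```shell
#!/bin/sh
# Added example, not code from the thread. Source-based policy routing on
# the domU so that anything sent from its DMZ address (eth1) goes back out
# through the DMZ leg, instead of taking the shortest path to
# 192.168.0.0/24 over the new LAN leg (eth2).
#
# From the thread: DMZ 11.22.33.96/27, domU eth1 = 11.22.33.111,
#                  domU eth2 = 192.168.0.12, file server 192.168.0.2.
# ASSUMED (not given in the thread): the DMZ-side gateway address
# 11.22.33.97 and the routing table number 100.

DMZ_IF=eth1
DMZ_IP=11.22.33.111
DMZ_NET=11.22.33.96/27
DMZ_GW=11.22.33.97          # assumption: dom0's DMZ-side address
LAN_IF=eth2
LAN_NET=192.168.0.0/24      # reached through its connected route only
TABLE=100                   # assumption: any unused table id

# plan_rules: print the commands, one per line, so the change can be
# reviewed (and tested) without root and without touching the network.
# Table 100 holds the DMZ subnet plus a default route via the DMZ gateway;
# the ip rule sends every lookup for packets sourced from the DMZ address
# to that table before the main table is consulted.
plan_rules() {
    cat <<EOF
ip route add $DMZ_NET dev $DMZ_IF src $DMZ_IP table $TABLE
ip route add default via $DMZ_GW dev $DMZ_IF table $TABLE
ip rule add from $DMZ_IP lookup $TABLE priority 1000
EOF
}

# apply_rules: run the plan as root; stop at the first command that fails.
apply_rules() {
    plan_rules | while read -r cmd; do
        printf '+ %s\n' "$cmd"
        $cmd || exit 1      # exit leaves the pipeline subshell with status 1
    done
}

# check_path: ask the kernel which way a reply to the NFS server, sent
# from the DMZ address, would go. After apply_rules it must say "dev eth1";
# "dev eth2" means the LAN leg is still being used for DMZ-sourced traffic.
check_path() {
    ip route get 192.168.0.2 from "$DMZ_IP"
}

case "${1-}" in
    --apply) apply_rules ;;
    --check) check_path ;;
    *)       plan_rules ;;
esac
```

Run it with no arguments to see the plan, `--apply` as root on the domU, and `--check` afterwards. The rule also fixes the reverse-path side: the kernel's rp_filter lookup for a LAN packet arriving on eth1 and addressed to 11.22.33.111 consults the same ip rule, resolves to eth1, and accepts the packet, so rp_filter can stay strict. To make the change survive a reboot on CentOS, put the two `ip route` lines (without the leading `ip route add`) in /etc/sysconfig/network-scripts/route-eth1 and the rule in rule-eth1, provided the installed initscripts version handles rule-* files. Note this only addresses the domU's routing; Ed's point about the POSTROUTING rule matching `-o eth2` on dom0 is a separate check.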