On 11.5.2010 3.40, Gordon Messmer wrote:
> Routing policy is definitely required for a multi-homed system such as
> Jussi presented, but NAT is totally superfluous. It adds an extra layer
> of complexity that makes the system more difficult to diagnose and
> configure, and contributes nothing of value in return.

Funny, this morning I came to the same conclusion after some googling. A
Xen box with two bridges should be considered normal, and it should not
break anything inside or outside the box.

There are good instructions on the net for installing 2 virtual bridges
on a Xen box. But I have found no mention of this specific dual-bridge
problem I have: that IP traffic goes in ok through any physical NIC to
the dom0 or domUs, but all replies are routed to only one NIC (the
default gateway). (I verified this with tcpdump.)

> John Pierce's advice was simple and correct. If you don't want to set
> up ifup-post scripts of your own, you can use shorewall. Shorewall is
> actually more complex, but you don't have to understand much about the
> "ip" tool to use it.

I am going to try this first without Shorewall (simpler, I hope).

John, could you elaborate a little on this (I never had to adjust
routing before):

On 10.5.2010 21.15, John R Pierce wrote:
> something like...
>
> [after setting up network 1 the 'normal' way, we add these rules for
> network 2...]
>
> NET2=xxx.yyy.zzz.www/26
> NET2GWY=xxx.yyy.zzz.wwx
>
> ip rule add from $NET2 table 200
> ip route add default via $NET2GWY dev eth1 table 200
> ip route flush cache
>
> so... any packet that's 'from' the subnet $NET2 is tagged to use ip
> routing table '200' (quite arbitrary), and in turn route table 200
> specifies a different default gateway.

Where should I put that script? network-scripts/ifup-post?

What would your "table 200" look like, and where should I put that?

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi at greenspot.fi * http://www.greenspot.fi
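
A simplified model of the source-based lookup described in the quoted advice, added here as an example and not part of the original message or of the Linux kernel's code. It shows why a reply sourced from a NET2 address leaves via the eth0 default gateway until the `from $NET2 table 200` rule exists. All addresses are constructed from documentation ranges, since the post elides the real ones; the NET1 names and the `lookup` and `demo` helpers are assumptions.

```python
import ipaddress

# Constructed sample addressing (documentation ranges), not from the post.
NET1 = ipaddress.ip_network("198.51.100.0/24")   # network 1, behind eth0
NET2 = ipaddress.ip_network("192.0.2.0/26")      # network 2, behind eth1
NET1GWY, NET2GWY = "198.51.100.1", "192.0.2.1"
ANY = ipaddress.ip_network("0.0.0.0/0")

# Routing tables: name -> list of (destination prefix, gateway or None, device).
TABLES = {
    "main": [(NET1, None, "eth0"), (NET2, None, "eth1"), (ANY, NET1GWY, "eth0")],
    # ip route add default via $NET2GWY dev eth1 table 200
    "200": [(ANY, NET2GWY, "eth1")],
}

# Rules in priority order: (source selector, table to consult).
RULES_BEFORE = [(ANY, "main")]
# ip rule add from $NET2 table 200  (evaluated ahead of the main table)
RULES_AFTER = [(NET2, "200"), (ANY, "main")]


def lookup(rules, src, dst):
    """Return (table, gateway, device) selected for a packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for selector, table in rules:
        if src not in selector:
            continue  # rule does not apply to this source address
        matches = [r for r in TABLES[table] if dst in r[0]]
        if matches:
            # Longest-prefix match inside the selected table.
            _, gw, dev = max(matches, key=lambda r: r[0].prefixlen)
            return table, gw, dev
        # No matching route in this table: continue with the next rule.
    return None


def demo():
    """Reply from a NET2 address to a remote client, before and after the rule."""
    reply_src = "192.0.2.10"   # constructed local address on NET2
    client = "203.0.113.7"     # constructed remote client
    return (lookup(RULES_BEFORE, reply_src, client),
            lookup(RULES_AFTER, reply_src, client))


if __name__ == "__main__":
    before, after = demo()
    print("without rule:", before)
    print("with rule:   ", after)
```

Because table 200 holds only a default route, as in the quoted commands, the model also sends a NET2-sourced packet addressed to a NET1 host to the NET2 gateway instead of directly out eth0.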