On Wed, 2012-03-07 at 20:41 +0200, Peter Peltonen wrote:
> As I received no response on the general CentOS list, I'll repost it
> here as the question is about Xen virtual machine routing.
>
> This is my network setup:
> http://pastebin.com/kyWpTQYU
>
> Let's assume my dom0's eth2 public IP is 1.2.3.33 and my DMZ network is
> 11.22.33.96/255.255.255.224. I have created NAT from my LAN with
> iptables. You can see my /etc/sysconfig/iptables here:
> http://pastebin.com/1FqSTvPH
>
> And this is my dom0 routing table:
> http://pastebin.com/gNjTFHp5
>
> My goal:
>
> To access NFS shares on a (non-virtualized) file server in the LAN
> network from the domU web server in the DMZ network.
>
> What I tried:
>
> I attached the domU to both bridges using this Xen config:
>
> vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0","mac=00:0C:29:76:19:85,bridge=xenbr1" ]
>
> and then created two eth interfaces inside the domU mapping to the MAC
> addresses above, giving eth1 an IP from the DMZ (11.22.33.111) and
> giving eth2 an IP from the LAN (192.168.0.12). After this I mounted
> the NFS share from the file server (192.168.0.2).
>
> My problem:
>
> If my domU web server is connected to both LAN and DMZ using the two
> bridges xenbr0 and xenbr1, I can access the NFS share from the domU
> web server and everything else works as expected, except for one thing
> -- my workstations in the LAN cannot access the web server anymore:
> web pages do not open anymore and from the workstations I cannot ping
> the domU. If the web server domU is only connected to the DMZ via xenbr0,
> the workstations can access it OK.
>
> Any advice on what I am doing wrong and how I could fix my setup?

The POSTROUTING command uses -o eth2. To NAT LAN requests to your DMZ web server, shouldn't you be using xenbr0?

Though, I would bridge eth2 as well, and create a virtual firewall with eth0 (DMZ?), eth1 (LAN) and eth2 (PUB). I wouldn't want the dom0 to be directly compromised if my firewall was compromised.
> Regards,
> Peter

_______________________________________________
CentOS-virt mailing list
CentOS-virt@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos-virt
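The reply's point is that an iptables POSTROUTING rule is matched against the interface the routing decision picked for the packet, so a rule written with `-o eth2` never sees LAN traffic that dom0 forwards onto the DMZ bridge. The following is an added illustration, not code from the thread or from either poster: a small longest-prefix-match model of the two routing tables described above. The route entries are constructed from the message; the bridge-to-network mapping (xenbr0 = DMZ, xenbr1 = LAN, eth2 = public uplink) and the domU's default route via the DMZ are assumptions. It also runs the related check a practitioner would make on the dual-homed domU: whether a reply to a LAN source would leave by a different interface than the one the request arrived on, which is the condition under which the kernel's strict reverse-path filter (`rp_filter=1`) drops the request.

```python
import ipaddress

# Constructed from the thread. Assumption: xenbr0 carries the DMZ (the domU's
# DMZ address is on xenbr0), xenbr1 carries the LAN, eth2 is the public uplink.
DOM0_ROUTES = [
    ("11.22.33.96/27", "xenbr0"),   # DMZ bridge
    ("192.168.0.0/24", "xenbr1"),   # LAN bridge
    ("0.0.0.0/0", "eth2"),          # default via the public uplink
]

# The dual-homed domU as described: eth1 in the DMZ, eth2 in the LAN.
# Assumption: its default route points out the DMZ interface.
DOMU_ROUTES = [
    ("11.22.33.96/27", "eth1"),
    ("192.168.0.0/24", "eth2"),
    ("0.0.0.0/0", "eth1"),
]


def lookup(routes, dst):
    """Longest-prefix match as the kernel FIB does; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def postrouting_matches(routes, dst, out_iface):
    """Would a POSTROUTING rule written with `-o out_iface` see a packet to dst?
    POSTROUTING runs after the routing decision, so `-o` is compared against the
    interface the FIB selected for the destination."""
    return lookup(routes, dst) == out_iface


def reply_is_asymmetric(routes, request_src, ingress_iface):
    """True when the reply to request_src would leave by a different interface than
    the request arrived on. Strict rp_filter drops such requests on arrival."""
    return lookup(routes, request_src) != ingress_iface


def analyse():
    workstation = "192.168.0.50"      # constructed LAN client address
    web_dmz_ip = "11.22.33.111"       # the domU's DMZ address from the thread
    dmz_only = [r for r in DOMU_ROUTES if r[1] == "eth1"]
    return {
        # Which interface dom0 forwards the LAN -> DMZ request onto
        "dom0_egress": lookup(DOM0_ROUTES, web_dmz_ip),
        # Does the thread's `-o eth2` rule match that flow? And `-o xenbr0`?
        "nat_o_eth2_matches": postrouting_matches(DOM0_ROUTES, web_dmz_ip, "eth2"),
        "nat_o_xenbr0_matches": postrouting_matches(DOM0_ROUTES, web_dmz_ip, "xenbr0"),
        # Inside the dual-homed domU: request arrives on eth1 with a LAN source
        "domu_reply_iface": lookup(DOMU_ROUTES, workstation),
        "domu_asymmetric": reply_is_asymmetric(DOMU_ROUTES, workstation, "eth1"),
        # Same check with the domU attached to the DMZ bridge only
        "domu_dmz_only_asymmetric": reply_is_asymmetric(dmz_only, workstation, "eth1"),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Running it shows the request leaving dom0 on xenbr0, so only an `-o xenbr0` rule matches; and it shows that, with both vifs attached, the domU's reply to a LAN address goes out eth2 while the request came in on eth1, whereas with a single DMZ vif both directions use eth1. Comparing the two `domu_*` results against the observed behaviour (working with one bridge, failing with two) is the quick way to confirm whether asymmetric routing on the domU is involved before changing any NAT rules.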