On Wed, 2012-03-07 at 13:13 -0700, Ed Heron wrote:
> On Wed, 2012-03-07 at 20:41 +0200, Peter Peltonen wrote:
> > As I received no response on the general CentOS list, I'll repost it
> > here as the question is about Xen virtual machine routing.
> >
> > This is my network setup:
> > http://pastebin.com/kyWpTQYU
> >
> > Let's assume my dom0's eth2 public IP is 1.2.3.33 and my DMZ network
> > is 11.22.33.96/255.255.255.224. I have created NAT from my LAN with
> > iptables. You can see my /etc/sysconfig/iptables here:
> > http://pastebin.com/1FqSTvPH
> >
> > And this is my dom0 routing table:
> > http://pastebin.com/gNjTFHp5
> >
> > My goal:
> >
> > To access NFS shares on a (non-virtualized) file server in the LAN
> > network from the domU web server in the DMZ network.
> >
> > What I tried:
> >
> > I attached the domU to both bridges using this Xen config:
> >
> > vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0","mac=00:0C:29:76:19:85,bridge=xenbr1" ]
> >
> > and then created two eth interfaces inside the domU mapping to the MAC
> > addresses above, giving eth1 an IP from the DMZ (11.22.33.111) and
> > giving eth2 an IP from the LAN (192.168.0.12). After this I mounted
> > the NFS share from the file server (192.168.0.2).
> >
> > My problem:
> >
> > If my domU web server is connected to both LAN and DMZ using the two
> > bridges xenbr0 and xenbr1, I can access the NFS share from the domU
> > web server and everything else works as expected, except for one thing:
> > my workstations in the LAN can no longer access the web server.
> > Web pages do not open any more, and from the workstations I cannot ping
> > the domU. If the web server domU is only connected to the DMZ via xenbr0,
> > the workstations can access it OK.
> >
> > Any advice on what I am doing wrong and how I could fix my setup?
>
> The POSTROUTING command uses -o eth2. To NAT LAN requests to your DMZ
> web server, shouldn't you be using xenbr0?
>
> Though, I would bridge eth2 as well, and create a virtual firewall
> with eth0 (DMZ?), eth1 (LAN) and eth2 (PUB). I wouldn't want the dom0
> to be directly compromised if my firewall was compromised.

I'd also add a fourth network interface for SAN; then you can connect 2
virtual servers together and use DRBD to replicate your disk space for
fault tolerance. Your firewall could be started on either machine.

> > Regards,
> > Peter
> >
> > _______________________________________________
> > CentOS-virt mailing list
> > CentOS-virt@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos-virt
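The thread's underlying issue is a domU whose `vif` list attaches it to two bridges that sit in different security zones (the DMZ bridge and the LAN bridge), which lets traffic between the zones bypass whatever firewall dom0 enforces between them. The following script is an added example, not code from the thread or from Xen or CentOS: it parses the `vif = [ ... ]` line of a Xen domU config and reports interfaces with missing or malformed MACs, bridges with no assigned zone, and domUs that straddle more than one zone. The bridge-to-zone mapping (`xenbr0` as DMZ, `xenbr1` as LAN) is an assumption taken from how the thread describes the setup.

```python
"""Audit a Xen domU config for vifs that span security zones.

Added example; the vif line below is the one quoted in the thread and the
zone mapping is an assumption, not something the thread states outright.
"""
import re

# Assumed mapping of Xen bridges to security zones (assumption: the thread
# implies xenbr0 carries the DMZ and xenbr1 carries the LAN).
BRIDGE_ZONES = {"xenbr0": "DMZ", "xenbr1": "LAN"}

# Constructed sample configs: the first reproduces the dual-homed vif line
# from the thread, the second is the DMZ-only variant that worked.
DUAL_HOMED_CONFIG = (
    'name = "web"\n'
    'vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0","mac=00:0C:29:76:19:85,bridge=xenbr1"\n'
    ']\n'
)
DMZ_ONLY_CONFIG = 'vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0" ]\n'

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_vif_line(config_text):
    """Return the vif entries of a Xen config as a list of key/value dicts.

    Each quoted entry such as "mac=...,bridge=..." becomes one dict; MACs
    are lower-cased so mixed-case entries compare equal.
    """
    match = re.search(r"vif\s*=\s*\[(.*?)\]", config_text, re.S)
    if not match:
        return []
    vifs = []
    for entry in re.findall(r'"([^"]*)"', match.group(1)):
        fields = {}
        for item in entry.split(","):
            item = item.strip()
            if not item:
                continue
            key, _, value = item.partition("=")
            fields[key.strip()] = value.strip()
        if "mac" in fields:
            fields["mac"] = fields["mac"].lower()
        vifs.append(fields)
    return vifs


def audit_vifs(vifs, bridge_zones):
    """Return a list of finding strings; an empty list means nothing to flag."""
    findings = []
    zones = set()
    seen_macs = set()
    for index, vif in enumerate(vifs):
        mac = vif.get("mac")
        if mac is None or not MAC_RE.match(mac):
            findings.append(f"vif{index}: missing or malformed MAC {mac!r}")
        elif mac in seen_macs:
            findings.append(f"vif{index}: duplicate MAC {mac}")
        else:
            seen_macs.add(mac)
        bridge = vif.get("bridge")
        if bridge not in bridge_zones:
            findings.append(f"vif{index}: bridge {bridge!r} has no assigned zone")
            continue
        zones.add(bridge_zones[bridge])
    if len(zones) > 1:
        findings.append(
            "domU is attached to multiple zones: " + ", ".join(sorted(zones))
            + " (traffic between them bypasses the dom0 firewall)"
        )
    return findings


def audit_config(config_text, bridge_zones=BRIDGE_ZONES):
    """Convenience wrapper: parse a config and audit its vifs."""
    return audit_vifs(parse_vif_line(config_text), bridge_zones)


if __name__ == "__main__":
    for label, cfg in (("dual-homed", DUAL_HOMED_CONFIG), ("dmz-only", DMZ_ONLY_CONFIG)):
        print(label + ":")
        for finding in audit_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run against the dual-homed config the script reports the multi-zone attachment; the DMZ-only config produces no findings. The same check is easy to extend to a whole `/etc/xen` directory by feeding each file's contents to `audit_config`.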