I have two physical hosts (Correo and Alexander), running two XEN
instances on one of them (Ferrari and Amarillo on Correo) and one on the
other (Graham on Alexander)... Picture at http://bayour.com/misc/VoIP.jpg.

On the firewall/gateway (192.168.1.1) I route 192.168.3.0/24 to Correo
(192.168.1.7) and 192.168.4.0/24 to Alexander (192.168.1.6). This so that
I can access the XEN hosts from the internal network. Very basic...

And all my VoIP phones are on their (about to be on a) separate network
with the firewall/gateway as default gateway.

On Alexander:
=============

* /etc/xen/graham.cfg

  kernel      = '/boot/vmlinuz-2.6.18-5-xen-amd64'
  ramdisk     = '/boot/initrd.img-2.6.18-5-xen-amd64'
  memory      = '2500'
  root        = '/dev/sda1 ro'
  disk        = [ 'file:/home/xen/domains/graham/disk.img,sda1,w',
                  'file:/home/xen/domains/graham/swap.img,sda2,w' ]
  name        = 'graham'
  vif         = [ 'ip=192.168.4.11' ]
  on_poweroff = 'destroy'
  on_reboot   = 'restart'
  on_crash    = 'restart'

* /etc/xen/xend-config.sxp

  (xend-http-server yes)
  (xend-unix-server yes)
  (xend-tcp-xmlrpc-server no)
  (xend-unix-xmlrpc-server yes)
  (xend-relocation-server yes)
  (xend-unix-path /var/lib/xend/xend-socket)
  (xend-port 8000)
  (xend-relocation-port 8002)
  (xend-address 'alexander')
  (xend-relocation-address 'alexander')
  (console-limit 1024)
  (network-script network-route)
  (vif-script vif-route)
  (dom0-min-mem 196)
  (dom0-cpus 2)
  (enable-dump yes)
  (vnc-listen '0.0.0.0')

* ifconfig (trimmed - only 'lo' is removed)

  eth0      Link encap:Ethernet  HWaddr 00:1C:23:C4:28:92
            inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
            inet6 addr: fe80::21c:23ff:fec4:2892/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

  eth0:0    Link encap:Ethernet  HWaddr 00:1C:23:C4:28:92
            inet addr:192.168.4.1  Bcast:192.168.4.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

  vif5.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
            inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.255
            inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

* route -n

  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.4.11    0.0.0.0         255.255.255.255 UH    0      0        0 vif5.0
  192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
  0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

* iptables -L -n

  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     0    --  192.168.4.11         0.0.0.0/0           PHYSDEV match --physdev-in vif5.0
  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif5.0 udp spt:68 dpt:67

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

* iptables -L -n -t nat

  Chain PREROUTING (policy ACCEPT)
  target     prot opt source               destination

  Chain POSTROUTING (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

On Graham:
==========

* ifconfig (trimmed - only 'lo' is removed)

  eth0      Link encap:Ethernet  HWaddr 00:16:3E:00:AB:28
            inet addr:192.168.4.11  Bcast:192.168.4.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

* route -n

  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
  0.0.0.0         192.168.4.1     0.0.0.0         UG    0      0        0 eth0

* iptables -L -n

  FATAL: Could not load /lib/modules/2.6.18-5-xen-amd64/modules.dep: No such file or directory
  iptables v1.3.6: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

Correo with the XEN hosts Ferrari and Amarillo basically looks identical
(only different networks).

As seen, I do NOT use NAT here. I wanted to use a true routed network...
And it seems to work.
My primary Asterisk server (the one that does all the routing - the one
on Alexander only deals with the PSTN traffic) runs on Graham and it can
be accessed from the outside - with port forwarding on the
firewall/gateway - and it can also contact external Asterisk servers (I
run one at home to deal with my private VoIP).

The DNS runs on Correo, but it cannot be reached (queried) from Graham!

----- s n i p -----
graham# ping -c 5 correo
ping: unknown host correo

graham# ping -c 5 192.168.1.7
PING 192.168.1.7 (192.168.1.7) 56(84) bytes of data.
64 bytes from 192.168.1.7: icmp_seq=1 ttl=62 time=0.270 ms
64 bytes from 192.168.1.7: icmp_seq=2 ttl=62 time=0.260 ms
64 bytes from 192.168.1.7: icmp_seq=3 ttl=62 time=0.264 ms
64 bytes from 192.168.1.7: icmp_seq=4 ttl=62 time=0.273 ms
64 bytes from 192.168.1.7: icmp_seq=5 ttl=62 time=0.257 ms

--- 192.168.1.7 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.257/0.264/0.273/0.021 ms

graham# traceroute -n 192.168.1.7
traceroute to 192.168.1.7 (192.168.1.7), 30 hops max, 52 byte packets
 1  192.168.1.6  0.285 ms  0.091 ms  0.090 ms
 2  192.168.1.7  0.323 ms  0.262 ms  0.258 ms

graham# telnet 192.168.1.7 53
Trying 192.168.1.7...
Connected to 192.168.1.7.
Escape character is '^]'.
correo
Connection closed by foreign host.

graham# host graham 192.168.1.7
;; reply from unexpected source: 192.168.1.1#53, expected 192.168.1.7#53
;; reply from unexpected source: 192.168.1.1#53, expected 192.168.1.7#53
;; connection timed out; no servers could be reached
----- s n i p -----

Also, scp or ssh FROM Graham to Correo doesn't work, but the other way
around works fine...

Looking at the answer that 'host' gave me, I now see that the connection
goes via the firewall/gateway, which is not directly obvious - Alexander
(which is Graham's default GW) is on the same network as Correo...

PS. I solved this specific DNS problem with a caching DNS server on
Alexander, but scp/ssh (etc) naturally still don't work because of this
weird problem... I just can't see it! Maybe a set of (many :) extra eyes
can...

Thanx!

--
Fedora-xen mailing list
Fedora-xen@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-xen
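Added example (editor's code, not part of the mail above or of Xen): a longest-prefix-match trace over the routing tables posted in the mail, walking a packet from Graham to Correo and the reply back, hop by hop, and reporting whether the two directions cross the same routers. Alexander's and Graham's tables are copied from the `route -n` output above. Correo's table and the firewall's table are not in the mail and are assumed from the prose: Correo is said to look like Alexander, so it is modelled with eth0:0 = 192.168.3.1, a connected route for 192.168.3.0/24, no route for 192.168.4.0/24 and a default via 192.168.1.1; the firewall routes 192.168.3.0/24 to 192.168.1.7 and 192.168.4.0/24 to 192.168.1.6 as stated. The `with_static_route` helper is a hypothetical fix added for the comparison.

```python
"""Trace forward and return paths over the routing tables from the mail.

Added example, not from the original post.  Alexander/Graham rows are the
posted 'route -n' output; Correo and firewall rows are ASSUMED (see lead-in).
"""
import copy
import ipaddress

# host -> addresses it owns and its routing table as (prefix, gateway) rows;
# gateway None means directly connected, i.e. '0.0.0.0' in route -n.
HOSTS = {
    "graham": {
        "addrs": ["192.168.4.11"],
        "routes": [("192.168.4.0/24", None), ("0.0.0.0/0", "192.168.4.1")],
    },
    "alexander": {
        "addrs": ["192.168.1.6", "192.168.4.1"],
        "routes": [("192.168.4.11/32", None), ("192.168.4.0/24", None),
                   ("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    },
    "correo": {  # ASSUMED: mirrors Alexander for the 192.168.3.0/24 side
        "addrs": ["192.168.1.7", "192.168.3.1"],
        "routes": [("192.168.3.0/24", None), ("192.168.1.0/24", None),
                   ("0.0.0.0/0", "192.168.1.1")],
    },
    "firewall": {  # ASSUMED: the static routes described in the prose
        "addrs": ["192.168.1.1"],
        "routes": [("192.168.3.0/24", "192.168.1.7"),
                   ("192.168.4.0/24", "192.168.1.6"), ("192.168.1.0/24", None)],
    },
}


def owner(hosts, addr):
    """Return the name of the host that owns IP address `addr`."""
    for name, h in hosts.items():
        if str(addr) in h["addrs"]:
            return name
    raise LookupError(f"no host owns {addr}")


def next_hop(routes, dst):
    """Kernel-style longest-prefix match: the most specific row wins."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    # connected route: deliver to dst itself; otherwise hand to the gateway
    return dst if best[1] is None else ipaddress.ip_address(best[1])


def trace(hosts, src, dst_ip, max_hops=8):
    """Hosts a packet from `src` to `dst_ip` passes through, endpoints included."""
    dst = ipaddress.ip_address(dst_ip)
    path, cur = [src], src
    for _ in range(max_hops):
        if str(dst) in hosts[cur]["addrs"]:
            return path
        cur = owner(hosts, next_hop(hosts[cur]["routes"], dst))
        path.append(cur)
    raise RuntimeError(f"not delivered within {max_hops} hops: {path}")


def check_symmetry(hosts, src, src_ip, dst, dst_ip):
    """Forward and return paths, whether they match, and the TTL a ping reply
    would arrive with if the sender starts at 64 and each router decrements."""
    fwd = trace(hosts, src, dst_ip)
    ret = trace(hosts, dst, src_ip)
    reply_ttl = 64 - (len(ret) - 2)          # routers on the return path
    return {"forward": fwd, "return": ret,
            "symmetric": fwd == list(reversed(ret)), "reply_ttl": reply_ttl}


def with_static_route(hosts, host, prefix, gateway):
    """Copy of `hosts` with one extra route on `host` (hypothetical fix)."""
    fixed = copy.deepcopy(hosts)
    fixed[host]["routes"].insert(0, (prefix, gateway))
    return fixed


if __name__ == "__main__":
    args = ("graham", "192.168.4.11", "correo", "192.168.1.7")
    print("as posted  :", check_symmetry(HOSTS, *args))
    fixed = with_static_route(HOSTS, "correo", "192.168.4.0/24", "192.168.1.6")
    print("with route :", check_symmetry(fixed, *args))
```

Run as posted, the forward path is graham, alexander, correo (one intermediate hop, matching the traceroute) while the return path is correo, firewall, alexander, graham, which is two routers and so a reply TTL of 62, exactly what the ping output shows. The firewall therefore sees only one direction of every Graham-to-Correo flow; with a stateful or NATing gateway that is consistent with the DNS reply arriving from 192.168.1.1 and with TCP sessions initiated from Graham failing while the reverse direction works, although the mail does not show the firewall's own rules. Adding a route for 192.168.4.0/24 via 192.168.1.6 on Correo (and, by the same logic, for 192.168.3.0/24 via 192.168.1.7 on Alexander) makes both directions use only the Xen hosts, as the second run shows.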