From: Marko Lerota
To: FreeBSD XEN <freebsd-xen@freebsd.org>
Subject: Routing/NAT problem on Xenserver 6.2 with virtual firewall
Organization: *BSD Users - Fanatics Dept.
Date: Fri, 12 Sep 2014 12:33:21 +0200
Message-ID: <86k359p1qm.fsf@arch.perpetuum.hr>

I have two physical Xenservers. Each one of them has two network cards and a few virtual machines. On Xenserver1 I have a FreeBSD that acts as a router/firewall. The setup looks like this:

Xenserver1
                  / ---- xn0 Wan Public IP
                 /
Virtual FreeBSD1
                 \
                  \ ---- xn1 LAN IP 10.0.0.1

Virtual Machines on xen1 --- xn1 LAN IP 10.0.0.4-10

Xenserver2

Virtual Machines on xen2 --- xn1 LAN IP 10.0.0.11-20

All virtual machines from the xen2 server can easily go through the FreeBSD1 firewall out to the internet and back. But those from xen1 can't.

When I create a second firewall FreeBSD2 on xen2 like this:

Xenserver2
                  / ---- xn0 Wan Public IP
                 /
Virtual FreeBSD2
                 \
                  \ ---- xn1 LAN IP 10.0.0.2

Virtual Machines on xen2 --- xn1 LAN IP 10.0.0.11-20

and change the default routes of the virtual machines on xen1 and xen2 to 10.0.0.2 (FreeBSD2), then the virtual machines on xen2 can't go out but those from xen1 can.

Can somebody help me in this situation? I don't know what's wrong. The firewall/NAT doesn't work if the virtual hosts are on the same machine where the firewall is. The funny thing is that ICMP packets are passing through, but ordinary traffic does not.

Do I have to change something on the Xenserver dom0 or the PF firewall?

-- 
Marko Lerota
Sent from my GNU Emacs/Gnus Mailer