Date: Fri, 12 Sep 2014 12:33:21 +0200
From: Marko Lerota <mlerota@pdsvelebit.hr>
To: FreeBSD XEN <freebsd-xen@freebsd.org>
Subject: Routing/NAT problem on Xenserver 6.2 with virtual firewall
Message-ID: <86k359p1qm.fsf@arch.perpetuum.hr>
I have two physical Xenservers. Each one of them has two network cards and a few virtual machines. On Xenserver1 I have a FreeBSD that acts as a router/firewall. The setup looks like this:

    Xenserver1
                         / ---- xn0 Wan Public IP
                        /
        Virtual FreeBSD1
                        \
                         \ ---- xn1 LAN IP 10.0.0.1

        Virtual Machines on xen1 --- xn1 LAN IP 10.0.0.4-10

    Xenserver2

        Virtual Machines on xen2 --- xn1 LAN IP 10.0.0.11-20

All virtual machines from the xen2 server can easily go through the FreeBSD1 firewall out to the internet and back. But those from xen1 can't.

When I create a second firewall FreeBSD2 on xen2 like this:

    Xenserver2
                         / ---- xn0 Wan Public IP
                        /
        Virtual FreeBSD2
                        \
                         \ ---- xn1 LAN IP 10.0.0.2

        Virtual Machines on xen2 --- xn1 LAN IP 10.0.0.11-20

and change the default routes of the virtual machines on xen1 and xen2 to 10.0.0.2 (FreeBSD2), then the virtual machines on xen2 can't go out but those from xen1 can.

Can somebody help me in this situation? I don't know what's wrong. The firewall/NAT doesn't work if the virtual hosts are on the same machine where the firewall is. The funny thing is that ICMP packets are passing through, but ordinary traffic does not. Do I have to change something on the Xenserver dom0 or the PF firewall?

--
Marko Lerota
Sent from my GNU Emacs/Gnus Mailer