[Fedora-xen] Weird routing problem
Turbo Fredriksson
turbo at bayour.com
Thu Apr 10 12:55:46 UTC 2008
I have two physical hosts (Correo and Alexander), running two XEN
instances on one of them (Ferrari and Amarillo on Correo) and one
on the other (Graham on Alexander)...
Picture at http://bayour.com/misc/VoIP.jpg.
On the firewall/gateway (192.168.1.1) I route 192.168.3.0/24 to Correo
(192.168.1.7) and 192.168.4.0/24 to Alexander (192.168.1.6). This is so
that I can access the XEN hosts from the internal network. Very basic...
And all my VoIP phones are on their (about to be on a) separate network
with the firewall/gateway as default gateway.
On Alexander:
=============
* /etc/xen/graham.cfg
kernel = '/boot/vmlinuz-2.6.18-5-xen-amd64'
ramdisk = '/boot/initrd.img-2.6.18-5-xen-amd64'
memory = '2500'
root = '/dev/sda1 ro'
disk = [ 'file:/home/xen/domains/graham/disk.img,sda1,w', 'file:/home/xen/domains/graham/swap.img,sda2,w' ]
name = 'graham'
vif = [ 'ip=192.168.4.11' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
* /etc/xen/xend-config.sxp
(xend-http-server yes)
(xend-unix-server yes)
(xend-tcp-xmlrpc-server no)
(xend-unix-xmlrpc-server yes)
(xend-relocation-server yes)
(xend-unix-path /var/lib/xend/xend-socket)
(xend-port 8000)
(xend-relocation-port 8002)
(xend-address 'alexander')
(xend-relocation-address 'alexander')
(console-limit 1024)
(network-script network-route)
(vif-script vif-route)
(dom0-min-mem 196)
(dom0-cpus 2)
(enable-dump yes)
(vnc-listen '0.0.0.0')
* ifconfig (trimmed - only 'lo' if removed)
eth0 Link encap:Ethernet HWaddr 00:1C:23:C4:28:92
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21c:23ff:fec4:2892/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:0 Link encap:Ethernet HWaddr 00:1C:23:C4:28:92
inet addr:192.168.4.1 Bcast:192.168.4.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
vif5.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.255
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
* route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.4.11 0.0.0.0 255.255.255.255 UH 0 0 0 vif5.0
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
* iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 192.168.4.11 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0 udp spt:68 dpt:67
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
* iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
On Graham:
==========
* ifconfig (trimmed - only 'lo' if removed)
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:AB:28
inet addr:192.168.4.11 Bcast:192.168.4.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
* route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.4.1 0.0.0.0 UG 0 0 0 eth0
* iptables -L -n
FATAL: Could not load /lib/modules/2.6.18-5-xen-amd64/modules.dep: No such file or directory
iptables v1.3.6: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Correo with the XEN hosts Ferrari and Amarillo basically looks identical (only different
networks).
As seen, I do NOT use NAT here. I wanted to use true routed network... And it seems to work.
My primary Asterisk server (the one that does all the routing - the one on Alexander only deals
with the PSTN traffic) runs on Graham and it can be accessed from the outside - with port
forwarding on the firewall/gateway - and it can also contact external Asterisk servers (I run
one at home to deal with my private VoIP).
The DNS runs on Correo, but it can not be reached (queried) from Graham!
----- s n i p -----
graham# ping -c 5 correo
ping: unknown host correo
graham# ping -c 5 192.168.1.7
PING 192.168.1.7 (192.168.1.7) 56(84) bytes of data.
64 bytes from 192.168.1.7: icmp_seq=1 ttl=62 time=0.270 ms
64 bytes from 192.168.1.7: icmp_seq=2 ttl=62 time=0.260 ms
64 bytes from 192.168.1.7: icmp_seq=3 ttl=62 time=0.264 ms
64 bytes from 192.168.1.7: icmp_seq=4 ttl=62 time=0.273 ms
64 bytes from 192.168.1.7: icmp_seq=5 ttl=62 time=0.257 ms
--- 192.168.1.7 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.257/0.264/0.273/0.021 ms
graham# traceroute -n 192.168.1.7
traceroute to 192.168.1.7 (192.168.1.7), 30 hops max, 52 byte packets
1 192.168.1.6 0.285 ms 0.091 ms 0.090 ms
2 192.168.1.7 0.323 ms 0.262 ms 0.258 ms
graham# telnet 192.168.1.7 53
Trying 192.168.1.7...
Connected to 192.168.1.7.
Escape character is '^]'.
correo
Connection closed by foreign host.
graham# host graham 192.168.1.7
;; reply from unexpected source: 192.168.1.1#53, expected 192.168.1.7#53
;; reply from unexpected source: 192.168.1.1#53, expected 192.168.1.7#53
;; connection timed out; no servers could be reached
----- s n i p -----
Also, scp or ssh FROM Graham to Correo doesn't work, but the other way
around works fine...
Looking at the answer that 'host' gave me, I now see that the connection
goes via the firewall/gateway which is not directly obvious - Alexander
(which is Graham's default GW) is on the same network as Correo...
PS. I solved this specific DNS problem with a caching DNS server on
Alexander, but scp/ssh (etc) naturally still don't work because
of this weird problem... I just can't see it! Maybe a set of
(many :) extra eyes can... Thanx!
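Added example (mine, not code from the post): a longest-prefix-match trace over the routing tables in the message, with Correo's and the firewall's tables assumed from the prose since they are not shown, to check whether the path Graham -> Correo and the reply path Correo -> Graham are the same.

```python
import ipaddress

# Routing tables transcribed from the post's `route -n` output for Graham and
# Alexander. The Correo and firewall tables are ASSUMED from the prose (Correo
# "basically looks identical" to Alexander but serves 192.168.3.0/24; the
# firewall routes 192.168.3.0/24 to Correo and 192.168.4.0/24 to Alexander).
# A gateway of None means the prefix is directly connected (on-link).
ROUTES = {
    "graham":    [("192.168.4.0/24", None), ("0.0.0.0/0", "192.168.4.1")],
    "alexander": [("192.168.4.11/32", None), ("192.168.4.0/24", None),
                  ("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "correo":    [("192.168.3.0/24", None), ("192.168.1.0/24", None),
                  ("0.0.0.0/0", "192.168.1.1")],                          # assumed
    "firewall":  [("192.168.3.0/24", "192.168.1.7"),
                  ("192.168.4.0/24", "192.168.1.6"), ("192.168.1.0/24", None)],  # assumed
}
# Address ownership, taken from the ifconfig output and the prose.
OWNER = {"192.168.4.11": "graham", "192.168.4.1": "alexander",
         "192.168.1.6": "alexander", "192.168.1.7": "correo", "192.168.1.1": "firewall"}

def next_hop(host, dst):
    """Longest-prefix match on host's table; returns the next-hop address
    (dst itself when the prefix is on-link) or None when there is no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in ROUTES[host]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (best[1] or dst)

def trace(src_host, dst, max_hops=8):
    """Follow the next_hop decision host by host until dst is reached."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        nh = next_hop(host, dst)
        if nh is None or nh not in OWNER:
            return path + ["unreachable"]
        host = OWNER[nh]
        path.append(host)
        if nh == dst:
            return path
    return path + ["loop"]

def routers_between(path):
    """Routers traversed = hops excluding the two endpoints (each decrements TTL)."""
    return len(path) - 2

def asymmetric(a_host, a_ip, b_host, b_ip):
    """True when the reply path is not simply the forward path reversed."""
    return trace(a_host, b_ip) != list(reversed(trace(b_host, a_ip)))

if __name__ == "__main__":
    fwd, rev = trace("graham", "192.168.1.7"), trace("correo", "192.168.4.11")
    print("forward:", " -> ".join(fwd), "| routers:", routers_between(fwd))
    print("reply:  ", " -> ".join(rev), "| routers:", routers_between(rev))
    print("asymmetric:", asymmetric("graham", "192.168.4.11", "correo", "192.168.1.7"))
```

Under these assumptions the reply crosses two routers (consistent with the ttl=62 in the ping output) while traceroute shows only one router on the forward path; a reply that transits the firewall and arrives with source 192.168.1.1 is what a masquerading rule there would produce, which is the "reply from unexpected source" the host command reports.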