Date: Fri, 12 Sep 2014 08:47:49 -0500
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-xen@freebsd.org
Subject: Re: Routing/NAT problem on Xenserver 6.2 with virtual firewall
Message-ID: <1410529669.1815882.166744545.1E24373F@webmail.messagingengine.com>
In-Reply-To: <9864A2A7BE97EB706ED0FC04@Mail-PC.tdx.co.uk>
References: <86k359p1qm.fsf@arch.perpetuum.hr> <9864A2A7BE97EB706ED0FC04@Mail-PC.tdx.co.uk>

On Fri, Sep 12, 2014, at 05:42, Karl Pielorz wrote:
>
> --On 12 September 2014 12:33 +0200 Marko Lerota <mlerota@pdsvelebit.hr> wrote:
>
> > Can somebody help me in this situation? I don't know what's wrong.
> > The firewall/NAT doesn't work if the virtual hosts are on the same
> > machine where firewall is. The funny thing is that ICMP packets are
> > passing through, but ordinary traffic does not. Do I have to change
> > something on Xenserver dom0 or PF firewall?
>
> This is a known bug - see:
>
> <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188261>
>
> It's also an absolute PITA :( - It also affects DHCP (as I found out a
> while ago).
>
> You either have to run a separate pool for the 'router' VM's (and setup the
> VM's accordingly balanced between pools) - or you can run the router VM's
> in HVM mode only, and they will work (i.e. xn0 etc. become re0 etc.) -
> performance isn't brilliant in that mode, and also as it's HVM they're not
> 'agile' (so no xen motion migration, no moving storage while they're
> running).
>

I'm confident you could patch out the HVM xn0 but keep the rest of the
HVM code so you have fast disk, etc, and you can run the xen tools which
then allows you to use XM and XSM :-)

I know Roger has given me a patch that does this while we were
troubleshooting a performance issue.