From: Mark Felder
To: freebsd-xen@freebsd.org
Subject: Re: Routing/NAT problem on Xenserver 6.2 with virtual firewall
Date: Fri, 12 Sep 2014 08:47:49 -0500
Message-Id: <1410529669.1815882.166744545.1E24373F@webmail.messagingengine.com>
In-Reply-To: <9864A2A7BE97EB706ED0FC04@Mail-PC.tdx.co.uk>
References: <86k359p1qm.fsf@arch.perpetuum.hr> <9864A2A7BE97EB706ED0FC04@Mail-PC.tdx.co.uk>
List-Id: Discussion of the freebsd port to xen - implementation and usage

On Fri, Sep 12, 2014, at 05:42, Karl Pielorz wrote:
>
> --On 12 September 2014 12:33 +0200 Marko Lerota wrote:
>
> > Can somebody help me in this situation? I don't know what's wrong.
> > The firewall/NAT doesn't work if the virtual hosts are on the same
> > machine where the firewall is. The funny thing is that ICMP packets are
> > passing through, but ordinary traffic does not. Do I have to change
> > something on Xenserver dom0 or the PF firewall?
>
> This is a known bug - see:
>
>
> It's also an absolute PITA :( - It also affects DHCP (as I found out a
> while ago).
>
> You either have to run a separate pool for the 'router' VMs (and set up
> the VMs accordingly, balanced between pools) - or you can run the router VMs
> in HVM mode only, and they will work (i.e. xn0 etc. become re0 etc.) -
> performance isn't brilliant in that mode, and also as it's HVM they're not
> 'agile' (so no xen motion migration, no moving storage while they're
> running).
>

I'm confident you could patch out the HVM xn0 but keep the rest of the HVM code so you have fast disk, etc., and you can run the xen tools, which then allows you to use XM and XSM :-) I know Roger has given me a patch that does this while we were troubleshooting a performance issue.