From owner-freebsd-xen@FreeBSD.ORG  Fri Sep 12 10:45:35 2014
Return-Path: <owner-freebsd-xen@FreeBSD.ORG>
Delivered-To: freebsd-xen@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 604296A9
 for <freebsd-xen@freebsd.org>; Fri, 12 Sep 2014 10:45:35 +0000 (UTC)
Received: from mail.tdx.com (mail.tdx.com [62.13.128.18])
 by mx1.freebsd.org (Postfix) with ESMTP id 01F7EDAD
 for <freebsd-xen@freebsd.org>; Fri, 12 Sep 2014 10:45:34 +0000 (UTC)
Received: from Mail-PC.tdx.co.uk (storm.tdx.co.uk [62.13.130.251])
 (authenticated bits=0)
 by mail.tdx.com (8.14.3/8.14.3/) with ESMTP id s8CAgjxZ065181
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Fri, 12 Sep 2014 11:42:45 +0100 (BST)
Date: Fri, 12 Sep 2014 11:42:45 +0100
From: Karl Pielorz <kpielorz_lst@tdx.co.uk>
To: Marko Lerota <mlerota@pdsvelebit.hr>, FreeBSD XEN <freebsd-xen@freebsd.org>
Subject: Re: Routing/NAT problem on Xenserver 6.2 with virtual firewall
Message-ID: <9864A2A7BE97EB706ED0FC04@Mail-PC.tdx.co.uk>
In-Reply-To: <86k359p1qm.fsf@arch.perpetuum.hr>
References: <86k359p1qm.fsf@arch.perpetuum.hr>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-BeenThere: freebsd-xen@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion of the freebsd port to xen - implementation and usage
 <freebsd-xen.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-xen>,
 <mailto:freebsd-xen-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-xen/>
List-Post: <mailto:freebsd-xen@freebsd.org>
List-Help: <mailto:freebsd-xen-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-xen>,
 <mailto:freebsd-xen-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Sep 2014 10:45:35 -0000


--On 12 September 2014 12:33 +0200 Marko Lerota <mlerota@pdsvelebit.hr> 
wrote:

> Can somebody help me in this situation? I don't know what's wrong.
> The firewall/NAT doesn't work if the virtual hosts are on the same
> machine where firewall is. The funny thing is that ICMP packets are
> passing through, but ordinary traffic does not. Do I have to change
> something on Xenserver dom0 or PF firewall?

This is a known bug - see:

  <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188261>

It's also an absolute PITA :( - It also affects DHCP (as I found out a 
while ago).

You either have to run a separate pool for the 'router' VM's (and setup the 
VM's accordingly balanced between pools) - or you can run the router VM's 
in HVM mode only, and they will work (i.e. xn0 etc. become re0 etc.) - 
performance isn't brilliant in that mode, and also as it's HVM they're not 
'agile' (so no xen motion migration, no moving storage while they're 
running).

I'd love to look at this further - but I don't have enough knowledge about 
either Xen or how the 'netfront' code is handled, and have been unable to 
find anyone either interested enough to look - or with the time to look :-(

You're more than welcome to add a '/me too' to the PR :)

-Karl