Hi guys,

I´m trying to route from a specific src IP address
to a new network interface, but it´s not working

First, I tried to use iptables commands, my first thought was like this:
iptables -t nat -A PREROUTING 1 -i eth0 -s <src> -d <dst> -j DNAT --to <interface>

but that command is not available, I just can give IP addresses after the --to argument.
Furthermore, I think iptables is too 'high-level' for this task (?).

I tried to use ip route commands, but that seems to be too low-level and used to route between interfaces etc..

But I have to route dependent on a src IP address to an interface.
Can anyone give me a hint and tell me how to solve this problem?

Thank you!

I think the problem is not clear at all.

For starters, what are your network interfaces? What are the ip addresses and what is routing like?

Then.... what would you like to achieve?

Anyways.... perhaps you could try with routing based on source/dest addresses. I think it's possible using routing tables plus rules.

It goes something like:

some_table can be a number (I think) or the name of a table predefined in /etc/iproute2/rt_tables.

Hi! Thank you for your reply!

I will try to explain the problem a bit more in detail:

I have two virtual machines running on a xen hypervisor.
The Xen hypervisor is in routing mode, that means it has two IP addresses 192.168.0.1 for the frontend network and 192.168.1.1 for the backend network.
First, there was a single VM having the IP address 192.168.1.2 and running behing the hypervisor in the back end network.

ip route shows:
192.168.1.2 dev vif1.0 scope link src 192.168.0.1
192.168.0.0/24 dev vif1.0 proto kernel scope link src 192.168.0.1

(so that means on the hypervisor layer, the VM has the network interface vif1.0)

Now the interessting part starts: I made a live clone of this VM which results in a second VM running
on the same hypervisor and having the same IP address but another virtual interface:

192.168.1.2 dev vif1.0 scope link src 192.168.0.1
192.168.0.0/24 dev vif1.0 proto kernel scope link src 192.168.0.1
192.168.1.2 dev vif2.0 scope link src 192.168.0.1
192.168.0.0/24 dev vif2.0 proto kernel scope link src 192.168.0.1

Now I want to route to the original-VM or to the cloned-VM dependent on the IP source address.
For example, Bob should be routed to the original-VM as normal and Alice should be routed to the cloned-VM while both communicating with the same destination IP address.
That means I can only route dependent on the interface and not on the target IP address (what my current problem is)

I attached a little illustration of the setup.. (its for research)
I know that there are some other problems considering network traffic,
and that I have to block certain replies, but acutally this is the main problem :-)

Thank you very much!

Attached Images

tmp.jpg (13.9 KB, 2 views)

Why are there two routing items with the same network? Are they created that way by xen? To my not-bound-by-xen network knowledge, it feels like it's not gonna hold water. That sounds like you should bridge the virtual network interfaces and place the IP address (192.168.0.1/24) on the bridge instead, am I wrong?

Yes they are created by Xen running in routing mode.
You can run Xen in brdiging mode (which is more easy),
but we need Xen in routing mode for this project.

Do you know how I could solve the problem?
How can I route from a src IP address to a target VM through a specific interface?

Thank you!

Don't know the difference between both modes I can only see the routing problem as seen in your routing tables.

You have two interfaces with overlapping network segments. The IP addresses set for those two interfaces is the same on the host? Can you remove the IP address from those interfaces (on the host), bridge them and set the IP address on the bridge? You could, of course set the exact dst address to get in touch with a certain VM. Routing will use the best matching rule so if you set a rule to reach one single IP address it won't hesitate to use it instead of the defined /24.

So....
That should do. Perhaps using two different network segments? Anyway, hope it helps.