Using XenServer in a routed IP network

Hetzner is a hosting company in Germany where you can rent dedicated root servers per month. Using their KVM-over-IP setup, it is possible to install operating systems that are not available by default, such as XenServer by Citrix. With the machine, you get four public IP addresses. One of these addresses is given to you when the machine is assigned to you, the other three are assigned to you on request.

There is a problem with the public IP addresses Hetzner gives you. Within the Hetzner network, there is a hard connection between the MAC address of your machine and the IP addresses you have been given. This is a problem for virtual machines that are bridged onto the network by the host machine. These virtual machines have their own MAC address and the Hetzner network will drop packets from these unknown MAC addresses.

There is a solution to this problem: have the host machine route IP packets from the virtual machines to the network and vice versa. We will use the following addresses in the example below:

IP addresses (host), (VM)
Gateway (host)

We start with the configuration of the host machine (running XenServer). The first file is the configuration file of eth0: /etc/sysconfig/network-scripts/ifcfg-eth0

HWADDR=40:61:86:be:ce:88 (replace with MAC address of host)

Notice that this file does not contain any IP configuration. The second file is the configuration file of xenbr0: /etc/sysconfig/network-scripts/ifcfg-xenbr0

IPADDR= (replace with IP address of host)
GATEWAY= (replace with gateway of host)

Now we need to enable IP forwarding on the host machine. We start with the sysctl configuration file: /etc/sysctl.conf


The first line tells the machine to perform IP forwarding. The four lines after that tell the machine to disable sending ICMP redirects. The last file we need to edit is the firewall configuration file: /etc/sysconfig/iptables. Add this text below the line -A RH-Firewall-1-INPUT -i lo -j ACCEPT:

-A RH-Firewall-1-INPUT -i xenbr0 -o xenbr0 -j ACCEPT

Now reboot the machine and continue with the IP configuration of the virtual machine running on XenServer. There is only one file we need to edit here, which is the configuration file of eth0: /etc/sysconfig/network-scripts/ifcfg-eth0

HWADDR=8e:35:1e:3b:12:aa (replace with MAC address of VM)
IPADDR= (replace with IP address of VM)
GATEWAY= (replace with IP address of host)

The gateway in this configuration is crucial: it needs to be the IP address of the host itself, not the gateway of the host.

16 thoughts on “Using XenServer in a routed IP network

  1. Permalink  ⋅ Reply


    June 22, 2010 at 5:27pm

    thank you for this tutorial, but what do you do if there are several VMs (and several IP addresses)

    • Permalink  ⋅ Reply


      June 22, 2010 at 8:27pm

      The main part of the tutorial stays the same. Just repeat the bottom part where we configure the VM, using a different IP address for each VM.

  2. Permalink  ⋅ Reply


    June 22, 2010 at 10:15pm

    Thank you, Jan for quick reply. I tried so, but when I started dummy interface I got this:

    ifup xenbr0:1
    Device xenbr0:1 has different MAC address than expected, ignoring.

    maybe it’s expecting mac from eth0 .. and still no ping to vm

  3. Permalink  ⋅ Reply


    June 23, 2010 at 12:12am

    sorry, ping is ok, but vm is throwing error about ip conflict
    vm network configuration is the same as xenbr1:0

  4. Permalink  ⋅ Reply


    June 24, 2010 at 9:21pm

    what if vm and host ip are in different subnets ?

    • Permalink  ⋅ Reply


      June 27, 2010 at 8:17am

      I haven’t tested it yet, but it probably means that you need to assign the host one of the IP addresses in the extra subnet and then use that IP address as the gateway for the VM.

  5. Permalink  ⋅ Reply


    September 24, 2010 at 1:32am

    I would also like to add another network (192.168.x.x). No problem to install it on the VMs, but how do I configure the Host so I get internet access from a VM using such a private IP only?

  6. Permalink  ⋅ Reply


    August 20, 2011 at 5:37pm

    Thank you very much! It solved my problem!

  7. Permalink  ⋅ Reply

    kenneth spohr

    February 4, 2012 at 2:27pm

    This has been a very helpful guide for 5.6!! Thanks a lot! -But things has changed for 6.0 Is there any chance some knows how to tackle that one..?

  8. Permalink  ⋅ Reply

    kenneth spohr

    February 10, 2012 at 12:22pm

    Me myself and I, We fixed it!

    Here is a very simplified version, tested and working on xenserver 6! Should also be fine for earlier versions.

    In xenserver, edit this file:
    net.ipv4.ip_forward = 0
    net.ipv4.ip_forward = 1
    Add (below the line you just changed):
    # Prevent redirects to make system more secure
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.conf.lo.send_redirects = 0
    net.ipv4.conf.xenbr0.send_redirects = 0

    Safe the file and exit the file editor.
    Reboot, or use this command:
    sysctl -p

    Make exception to firewall with this command:
    Go to Customize, and select xenbr0 as Trusted Device, OK, and OK again.
    Reboot, or restart the firewall, with this command:
    service iptables restart

    Now you can configure your VMs with gateway = IP of host (xenserver).
    Thats it honey!

    If anyone knows how to make this more secure, regarding the firewall by only allowing IPs from specific VMs. Please shout out (:

    • Permalink  ⋅ Reply


      March 5, 2012 at 11:53am


      What about if I want to give some VMs private ip what should I do?


  9. Permalink  ⋅ Reply


    February 23, 2012 at 6:59am

    I have noticed that in XenServer v6 any changes made to ifcfg-xenbr0 are gone back to default on reboot or when I restart the network. Following lines are missing:


  10. Permalink  ⋅ Reply


    May 10, 2012 at 12:37pm

    Thanks jansipke,

    Good information.

    Really helpful.

  11. Permalink  ⋅ Reply


    March 30, 2015 at 6:45pm

    Nice Article,
    but in my xen server 6.5 installation I can’t find any file name ifcfg-eth0

    I have created the xenbr0:1 and enabled the forwarding.

    I run the endian firewal as router that own the second ip available in the same subnet of the management newtwork and give dhcp to a private network with other vps but the endian and the virtual machines can’t reach the connection..

    I’m not understanding where i’m wrong…! help!

Leave a Reply

Your email will not be published. Name and Email fields are required.