Ask Your Question
1

External instances L3 connectivity to physical network failing due to SNAT

asked 2017-01-26 18:51:59 -0500

gianpietro gravatar image

updated 2017-01-27 10:14:07 -0500

Hi,

When I place instances in my external network (for example when implementing my own routers instead of Neutron), I can connect to the physical world via L2 normally, but every L3 connection attempt seems to go to neutron, which is replacing the instance's source address with the compute node's address.

I'm aware of antispoofing rules, however, in this case I'm trying to connect to the outside from the same source IP assigned in the external network.

Is this normal? is there a way to deal with this without disabling the L3 Agent?

My environment is: Openstack Newton with 1 controller node, 1 compute node and 1 storage node, each running inside a VM.

Thanks!

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
1

answered 2017-01-27 10:09:05 -0500

gianpietro gravatar image

Solved! something weird happened and I think it's a defect related to this kind of virtual environments with libvirt. Initially I though it was something specific to my setup but a colleague went through the exact same problem, so it's better to document it:

  • In my host, there are 3 libvirt VMs (Openstack Controller, Compute and Storage).
  • There is a virtual bridge called virbr0 ('default' network 192.168.122.x) that I was using as my 'provider' (external) network.

  • The strange thing, was that the OS Compute VM inherited this virbr0 interface and related MASQUERADE rules from the host, exactly as they exist out there. This only happened in the compute node at some stage of the Openstack installation. So in my compute node, we have the virbr0 (in DOWN state) and these 'alien' iptables rules:

    MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

These rules were the ones causing the problem, as any external VM source IP in the 192.168.122.x range was trying to exit with the compute node's IP address.

Instead if deleting the rules, I just changed the provider network to another, new virtual network (other than the 'default' one) and everything works as expected.

edit flag offensive delete link more

Comments

I was having the same problem in my virtualized environment with libvirt and I ran the procedure indicated by @gianpietro and it worked for me. Excellent!

ctomas gravatar imagectomas ( 2017-01-27 11:12:33 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2017-01-26 18:51:59 -0500

Seen: 205 times

Last updated: Jan 27 '17

Related questions

How to provide Internet for VMs?

unable to access internet from guest vm

Unable to access external network

Neutron - Linux Bridge Agent - pri Network not accessible

Instance can't access outside network

After rebooting server not able to access the floating IP of the instance?

[neutron] network node can't ping external network

Neutron: Linux Bridge and VLANs

tripleo - cannot access external network

Instance receiving traffic but not responding?