Ask Your Question
1

External instances L3 connectivity to physical network failing due to SNAT

asked 2017-01-26 18:51:59 -0600

gianpietro gravatar image

updated 2017-01-27 10:14:07 -0600

Hi,

When I place instances in my external network (for example when implementing my own routers instead of Neutron), I can connect to the physical world via L2 normally, but every L3 connection attempt seems to go to neutron, which is replacing the instance's source address with the compute node's address.

I'm aware of antispoofing rules, however, in this case I'm trying to connect to the outside from the same source IP assigned in the external network.

Is this normal? is there a way to deal with this without disabling the L3 Agent?

My environment is: Openstack Newton with 1 controller node, 1 compute node and 1 storage node, each running inside a VM.

Thanks!

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
1

answered 2017-01-27 10:09:05 -0600

gianpietro gravatar image

Solved! something weird happened and I think it's a defect related to this kind of virtual environments with libvirt. Initially I though it was something specific to my setup but a colleague went through the exact same problem, so it's better to document it:

  • In my host, there are 3 libvirt VMs (Openstack Controller, Compute and Storage).
  • There is a virtual bridge called virbr0 ('default' network 192.168.122.x) that I was using as my 'provider' (external) network.

  • The strange thing, was that the OS Compute VM inherited this virbr0 interface and related MASQUERADE rules from the host, exactly as they exist out there. This only happened in the compute node at some stage of the Openstack installation. So in my compute node, we have the virbr0 (in DOWN state) and these 'alien' iptables rules:

    MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

These rules were the ones causing the problem, as any external VM source IP in the 192.168.122.x range was trying to exit with the compute node's IP address.

Instead if deleting the rules, I just changed the provider network to another, new virtual network (other than the 'default' one) and everything works as expected.

edit flag offensive delete link more

Comments

I was having the same problem in my virtualized environment with libvirt and I ran the procedure indicated by @gianpietro and it worked for me. Excellent!

ctomas gravatar imagectomas ( 2017-01-27 11:12:33 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2017-01-26 18:51:59 -0600

Seen: 259 times

Last updated: Jan 27 '17

Related questions

Instance HTTP issues

External network with more than one VLAN not working in Stein Release.

VM multicast corosync invalid packet data

Ocata Neutron Error : Interface name must be shorter than IFNAMSIZ (15)

Cannot Ping VMs

Creating self service network. [closed]

Neutron: Command not found

Openstack Neutron Instances not getting IP addresses

Domain admin can access entities out of scope

(Newton) SNAT drop default traffic