
Could not route the traffic to internet from a private IP

asked 2017-02-08 22:51:59 -0600

kiritim


We have set up OpenStack with basic services - keystone, glance, nova and neutron - on a single node. We have configured OpenStack with the OVS plugin and configured an OVS bridge (br-ex) to be the external network bridge. We have attached this bridge to a Linux bridge using a veth pair. The Linux bridge is configured with a private IP (192.x.x.x) and a subnet (192.x.x.x/24) is attached to it. By doing this we are able to bring up the setup, boot a VM and also bring it to an active state.

We are able to ping the VM and SSH directly into the VM without using ip netns. But we are facing an issue, i.e., we are not able to access the internet inside the VM. The packet is getting dropped at the Linux bridge. We have tried the following NAT rule on the host machine:

iptables -t nat -A POSTROUTING -s 192.x.x.0/24 -j MASQUERADE

But still we can’t access the internet.

We have also tried out the following SNAT and DNAT rules to check if we can NAT at least 1 VM and make it access the internet:

iptables -t nat -A POSTROUTING -s 192.x.x.4 -j SNAT --to 10.x.x.x

iptables -t nat -A PREROUTING -d 10.x.x.x -j DNAT --to 192.x.x.4

Even after trying this out we are not able to grant internet access to the VM.

We have tried this scenario with floating IPs and it's working fine, but we are not able to work this out using private IPs and NAT rules.

Is there any way possible so that we can route the traffic to the internet and get the response back?

Thanks, Kiriti.



You had better learn the RDO Packstack utility to reduce headaches.

dbaxps ( 2017-02-09 11:44:15 -0600 )

Hi, I have been facing the exact same problem for the past seven days. I am able to ping and SSH to the OpenStack instances from the neutron node directly (i.e. without using ip netns) but the instances can't connect to the internet. Could you please help with how you rectified this issue?

Azman ( 2019-09-21 14:21:41 -0600 )

1 answer


answered 2017-02-10 14:31:42 -0600

mting

OpenStack by default just lets the IP that is bound to the instance interface (you could check the port settings, the IP is there) go out.

If you want the instance to work as a router, you need to add allowed-address-pairs to this port.

For example:

There are 2 VMs. vm1 has 2 interfaces, eth0 - internet, eth1 - vm2, and you want vm2 to reach the internet via vm1. Besides setting up the route in vm1, you need to add as an allowed-address-pairs of vm1-eth0, then traffic from vm2 could go through vm1-eth0.



Thanks for the inputs. However, I would like to know if we can perform this using iptables NAT rules by NATing the private IP, say, to the public IP so that every time a VM is booted we need not make all the changes on vm1. If there are any NAT rules which can be tried, please let me know.

kiritim ( 2017-02-16 03:57:30 -0600 )
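
The per-port source check that mting's answer describes, as an added example that is not part of the original thread and is not Neutron's own code: a simplified Python model of which (MAC, IP) sources may leave a port, before and after an allowed-address-pair is added. The `Port` class, the function names, the addresses (documentation ranges) and the MACs are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Port:
    """Simplified stand-in for a Neutron port with port security enabled."""
    mac: str
    fixed_ips: list
    # Each pair is a dict with "ip_address" and an optional "mac_address".
    allowed_address_pairs: list = field(default_factory=list)

def permitted_sources(port):
    """Return the (mac, network) pairs the port may use as a packet source."""
    pairs = [(port.mac.lower(), ipaddress.ip_network(ip)) for ip in port.fixed_ips]
    for aap in port.allowed_address_pairs:
        # A pair without a MAC inherits the port's MAC; its ip_address may be
        # a single address or a CIDR.
        mac = aap.get("mac_address", port.mac).lower()
        pairs.append((mac, ipaddress.ip_network(aap["ip_address"], strict=False)))
    return pairs

def egress_allowed(port, src_mac, src_ip):
    """True if a frame leaving the instance passes the anti-spoofing check."""
    ip = ipaddress.ip_address(src_ip)
    return any(src_mac.lower() == mac and ip in net
               for mac, net in permitted_sources(port))

def demo():
    """vm1 routes for vm2: check vm1-eth0 before and after adding the pair."""
    vm1_mac = "fa:16:3e:00:00:01"             # constructed MAC of vm1-eth0
    vm2_ip = "198.51.100.4"                   # constructed address of vm2
    vm1_eth0 = Port(mac=vm1_mac, fixed_ips=["192.0.2.10"])
    own = egress_allowed(vm1_eth0, vm1_mac, "192.0.2.10")
    # Routed packet from vm2: vm1's MAC, vm2's source IP -> dropped.
    before = egress_allowed(vm1_eth0, vm1_mac, vm2_ip)
    # CLI counterpart of the next line:
    #   openstack port set --allowed-address ip-address=198.51.100.0/24 <port>
    vm1_eth0.allowed_address_pairs.append({"ip_address": "198.51.100.0/24"})
    after = egress_allowed(vm1_eth0, vm1_mac, vm2_ip)
    # The pair is tied to a MAC, so another MAC is still rejected.
    other_mac = egress_allowed(vm1_eth0, "fa:16:3e:00:00:99", vm2_ip)
    return own, before, after, other_mac

if __name__ == "__main__":
    print(demo())
```

An allowed-address-pair widens what the port may send as a source, so it is best kept as narrow as the subnet actually being routed.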


Asked: 2017-02-08 22:51:59 -0600

Seen: 183 times

Last updated: Feb 10 '17