Ask Your Question
0

Cannot reach floating IP from outside network

asked 2017-03-08 01:20:45 -0600

AJ NOURI gravatar image

updated 2017-03-08 16:55:51 -0600

Host OS

  • Distributor ID: Debian
  • Description: Debian GNU/Linux 8.6
  • (jessie) Release: 8.6
  • Codename: jessie

Openstack Environement

  • RDO All-In-One installed on VMware workstation VM + Centos7

-During installation, Openstack is configured to use the external interface (192.168.0.[1-155]/24) (connecting VM to host) as "public" network..
-Configured a subnet range for floating IPs (not assigned by external network:192.168.0.[170-199]/24).
-Created an instance, assigned a floating IP (192.168.0.176).

selection_888

Results:
==> Can ping/ssh to instance from within Openstack, but not from outside.

Observations:
I can observe the floatng IP (192.168.0.176) assigned to router external interface 

[root@RDO-AIO ~(keystone_admin)]# ip netns exec qrouter-a2dd3739-fe62-4e79-8795-e3023419dc30 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
9: qg-913f6089-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:31:a4:f9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.173/24 brd 192.168.0.255 scope global qg-913f6089-a8
       valid_lft forever preferred_lft forever
    inet 192.168.0.176/32 brd 192.168.0.176 scope global qg-913f6089-a8    <<<<<<<<<<<<<<<<<<<<<<<<  
       valid_lft forever preferred_lft forever
    inet6 f816:3eff:fe31:a4f9/64 scope global mngtmpaddr dynamic 
       valid_lft 86318sec preferred_lft 86318sec
    inet6 fe80::f816:3eff:fe31:a4f9/64 scope link 
       valid_lft forever preferred_lft forever

routing and arp on openstack looks OK

[root@RDO-AIO ~(keystone_admin)]# cat /proc/sys/net/ipv4/ip_forward
1

[root@RDO-AIO ~(keystone_admin)]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 br-ex
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 eno16777736
link-local      0.0.0.0         255.255.0.0     U     1006   0        0 br-ex
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-ex   <<<<<<<<<<<<<<
[root@RDO-AIO ~(keystone_admin)]# 
[root@RDO-AIO ~(keystone_admin)]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.146            ether   b4:b5:2f:b1:fa:ec   C                     br-ex
192.168.0.2              ether   a2:c6:c7:14:c5:49   C                     br-ex
192.168.0.173            ether   fa:16:3e:31:a4:f9   C                     br-ex
192.168.0.176            ether   fa:16:3e:31:a4:f9   C                     br-ex   <<<<<<<<<<<<<  
gateway                  ether   f4:ca:e5:4c:ed:44   C                     br-ex

From outside network is pointing (route) to floatng iP's, used by instances, via Openstack host:

/ # ip a 192.168.0.176 via 192.168.0.108 dev ovsbr0

From Openstack host, I can see the ping coming but Openstack not forwarding it to the router namespace:

[root@RDO-AIO ~(keystone_admin)]# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-ex, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.0.146 ...
(more)
edit retag flag offensive close merge delete

Comments

Do you have a static route configured in your physical router to point to the virtual network?

WigiPedia gravatar imageWigiPedia ( 2017-03-08 12:16:39 -0600 )edit

Yes, I forget to mention this:
# ip route
192.168.0.176 via 192.168.0.108 dev ovsbr0
...

The traffic arrives at the Openstack host (arrocrding to the route from outside) but Openstack doesn't forward it to the router namespace.

AJ NOURI gravatar imageAJ NOURI ( 2017-03-08 16:52:44 -0600 )edit

The router will have a different IP address from the OpenStack host. If you specified a provider network with several IPs in range, it will grab one of those at random. Try pinging those IPs and set the route to whichever one responds.

WigiPedia gravatar imageWigiPedia ( 2017-03-09 13:36:03 -0600 )edit
add a comment

3 answers

Sort by ยป oldest newest most voted
1

answered 2017-03-08 05:42:56 -0600

dbaxps gravatar image

updated 2017-03-08 05:56:49 -0600

Using as comment :-
RDO All-In-One (CentOS 7.3 && RDO ) installed on KVM Guest @Libvirt Subnet on top of VIRTHOST : - Centos7.3 or F25 

VIRTHOST should to be set up on standard Linux Bridge

See http://bderzhavets.blogspot.com/2016/...
Ignore "Nova-Docker" Hypervisor configuration same would for standard libvirt/kvm driver cloud VMs.

Creatie external network via flat external network provider on Controller matching CIDR of Office LAN . Next : - 192.168.1.1 is IP of external physical router device( for instance )

Office LAN 192.168.1.0/24 is supposed to match external network (configured via flat network provider ) for VM's deployed system . VIRTHOST (F25) is based on linux bridge br0 having original interface enp3s0 as source interface

[root@fedora23wks network-scripts]# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
DNS1=192.168.1.1
DNS2=83.221.202.254
GATEWAY=192.168.1.1
IPADDR=192.168.1.57
NETMASK=255.255.255.0
ONBOOT=yes

[root@fedora23wks network-scripts]# cat ifcfg-enp3s0
DEVICE=enp3s0
HWADDR=78:24:af:43:1b:53
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
BRIDGE=br0

***************************
Then run script
***************************
#!/bin/bash -x
chkconfig network on
systemctl stop NetworkManager
systemctl disable NetworkManager
service network restart

In case you attempt to play libvirt/kvm tricks it's much more efficient to set up RH's OS's and Hypervisor Libvirt/KVM all way around
Cloud VMs are just L2 KVM/Libvirt Guests . Nested KVM is better to set enabled.
Thus it would always work for sure due to avoiding repackaging to Debian as well as VMWARE as Guest OS hosting CentOS 7 && RDO.

edit flag offensive delete link more

Comments

Thanks @dbaxps, I'll definitly find some time to deploy this on KVM. For now I need to find a solution to the issue in hand. At least I need to point out what doesn't work, is it a configuration issue or the RDO on Vmware deployment doesn't work by design? If so, shouldn't be some warning from RDO?

AJ NOURI gravatar imageAJ NOURI ( 2017-03-08 16:42:53 -0600 )edit

In KVM case Libvirt subnet matching external and having br0 as attached VNIC provides INGRESS/EGRESS traffic support. I was forced to create several systems where VENV RDO deployment should have physical network attached to VIRTHOST as External.

dbaxps gravatar imagedbaxps ( 2017-03-09 02:55:13 -0600 )edit

The problem here I believe is VMWARE Hypervisor running on Debian Jessy.
My question is : Would VM (L1) running as VMWARE VM be pingable from outside ?

dbaxps gravatar imagedbaxps ( 2017-03-09 03:01:13 -0600 )edit

ping + SSH
ajn@~$ lsb_release -a
Distributor ID: Debian
Description: Debian GNU/Linux 8.6 (jessie)
Release:8.6
Codename: jessie

ajn@~$ ssh root@192.168.0.108
root@192.168.0.108's password:
Last login: Wed Mar 8 16:35:06 2017 from 192.168.0.146
[root@RDO-AI

AJ NOURI gravatar imageAJ NOURI ( 2017-03-09 06:41:14 -0600 )edit
add a comment
0

answered 2017-03-08 20:14:54 -0600

Shaik Saddam Hussain gravatar image

Hi,

Can you check the firewall configuration of your CentOS7 VM - for testing try disabling firewall and selinux and try reboot of VM then try reaching to Floating IP from outside

edit flag offensive delete link more

Comments

Hi Shaik, yes before installig Openstack:

systemctl disable firewalld
systemctl stop firewalld
systemctl disable NetworkManager
systemctl stop NetworkManager
systemctl enable network
systemctl start network

AJ NOURI gravatar imageAJ NOURI ( 2017-03-08 22:12:24 -0600 )edit
add a comment
0

answered 2017-03-09 03:14:03 -0600

sspwin gravatar image

please check if the security group settings for the VM are allowing ICMP. try allowing all tcp traffic.

edit flag offensive delete link more

Comments

Hi sspwin, both tcp 22 and icmp are allowed, instances can ping & ssh to each other:

# openstack security group rule list <1fd0...>
| 6e819...bdf5945b9d39 | tcp | 0.0.0.0/0 | 22:22 | None |
| 75b33...ca1-020573a09efe | icmp | 0.0.0.0

AJ NOURI gravatar imageAJ NOURI ( 2017-03-09 06:37:48 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2017-03-08 01:20:45 -0600

Seen: 1,592 times

Last updated: Mar 09 '17

Related questions

Unable to access instance via ssh

Unable to ping IPs of VMs in provider network

Get floating ip for instance

Floating IP Attachement wiered Behaviour

RDO Juno, Neutron, CentOS 7: external router port DOWN

floating ip is not active in devstack

How to access instances from the outside world?

DevStack - auto reconfigure br-ex bridge

Can I separate Openstack services from and All-In-One installation?

br-ex is down, floating ip can't access