Instance receiving traffic but not responding?

asked 2017-08-09 16:46:33 -0500


I ran a packstack install of OpenStack Ocata on a fresh install of CentOS 7. I used neutron to link my external network (192.168.2.0/24), gateway 192.168.2.1, which is my work computer, to my OpenStack internal network (10.0.0.0/24), which has a DHCP range of 10.0.0.50-100. My OpenStack server's physical connection is assigned 192.168.2.2.

It looks like...

192.168.2.1 (work computer)

192.168.2.2 (br-ex on OpenStack server)

192.168.2.51 (virtual router between external and internal networks in OpenStack)

10.0.0.* (private IPs for virtual OpenStack instances)

I can create an instance of cirros; it got an IP of 10.0.0.11, it can connect to the internet fine, and it can ping everything through the network back to 192.168.2.1. However, after assigning a floating IP of 192.168.2.56 to that instance, I cannot connect to it the other way, from my work computer (192.168.2.1).

My security group is default and permits all IPv4 traffic on all ports inbound to the cirros instance.

Here is my NAT table for the router. With my limited knowledge of iptables, it looks like my PREROUTING table is correct to accept any packets intended for 192.168.2.56 and DNAT them to 10.0.0.11.

[root@localhost ~(keystone_admin)]# ip netns exec qrouter-2aafaf25-0a31-4ae9-9347-0cd70f6ac3b1 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 643 packets, 72024 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  668 73640 neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 37 packets, 7604 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   284 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 9 packets, 656 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13   940 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   13   940 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.2.56         to:10.0.0.11

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !qg-a8c35605-51 !qg-a8c35605-51  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   656 DNAT       all  --  *      *       0.0.0.0/0            192.168.2.56         to:10.0.0.11
   16   960 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all ...
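The asker checks the NAT dump by eye. As an added example (mine, not code from the question, from packstack or from Neutron), the script below parses `iptables -t nat -nvL` output and checks the floating-IP DNAT rule and its packet counter. A non-zero counter on the PREROUTING DNAT rule means packets for the floating IP are reaching the router namespace and being translated, so the drop is downstream of NAT, which is where the thread ends up (security-group filtering). The embedded sample is the excerpt of the question's own dump; the chain and field names are the standard `iptables -nvL` layout.

```python
import re

# Excerpt of the `iptables -t nat -nvL` output quoted in the question,
# embedded so the script runs offline.
SAMPLE_NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 643 packets, 72024 bytes)
 pkts bytes target     prot opt in     out     source               destination
  668 73640 neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.2.56         to:10.0.0.11

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   656 DNAT       all  --  *      *       0.0.0.0/0            192.168.2.56         to:10.0.0.11
   16   960 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# Columns of `iptables -nvL`: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_nat_dump(text):
    """Return {chain_name: [rule dict, ...]} from `iptables -nvL` output."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # Skip blank lines, the per-chain column header, and anything before the first chain.
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        r = RULE_RE.match(line)
        if r:
            d = r.groupdict()
            d["pkts"] = int(d["pkts"])
            d["bytes"] = int(d["bytes"])
            d["extra"] = d["extra"].strip()
            chains[current].append(d)
    return chains


def find_floating_ip_dnat(chains, floating_ip):
    """Return (chain, rule) pairs whose target is DNAT and whose destination is floating_ip."""
    return [(name, rule) for name, rules in chains.items() for rule in rules
            if rule["target"] == "DNAT" and rule["dst"] == floating_ip]


def check_floating_ip(chains, floating_ip, fixed_ip):
    """Classify the inbound NAT state for a floating IP.

    'no_rule'      - no PREROUTING DNAT rule for the floating IP (association missing)
    'wrong_target' - the rule translates to a different fixed IP
    'no_traffic'   - rule present but its counter is zero (packets never reach the router)
    'ok'           - rule present, correct target, packets are being translated;
                     look downstream of NAT (e.g. security groups on the compute node)
    """
    hits = [h for h in find_floating_ip_dnat(chains, floating_ip)
            if h[0].endswith("PREROUTING")]
    if not hits:
        return "no_rule"
    _chain, rule = hits[0]
    if rule["extra"] != f"to:{fixed_ip}":
        return "wrong_target"
    if rule["pkts"] == 0:
        return "no_traffic"
    return "ok"


if __name__ == "__main__":
    parsed = parse_nat_dump(SAMPLE_NAT_DUMP)
    print(check_floating_ip(parsed, "192.168.2.56", "10.0.0.11"))
```

Run it against a live router with `ip netns exec qrouter-<id> iptables -t nat -nvL | python3 script.py` style piping by replacing `SAMPLE_NAT_DUMP` with `sys.stdin.read()`; on the question's dump it reports `ok`, which is exactly why the NAT table was not the place to keep looking.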

1 answer


answered 2017-08-09 17:33:19 -0500


Well, I feel incredibly stupid, but it turned out the default security group wouldn't allow external connections. I misunderstood the default security group rule from packstack. It stated that the default security group would allow ingress from any IPv4 or IPv6 address of other VMs in the same security group.

This means that you have to make a separate security group to allow external connections from 0.0.0.0/0, or from whatever other CIDR IP range you use for external connections.


Comments

You can also edit the rules of a security group; you don't necessarily need a new group for that. But just out of curiosity, if your instance already has access to the outside world right after creation, why does it need a floating IP?

eblock (2017-08-10 07:48:10 -0500)

I meant it has the ability to route to the internet from the private subnet. It needs a floating IP for me to be able to ssh into it from the outside network.

snowman4839 (2017-08-11 09:50:23 -0500)
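The answer and eblock's comment turn on one detail of Neutron security-group semantics: rules only ever allow, anything unmatched is dropped, and a rule whose remote is a group matches only when the packet's remote endpoint is itself a port in that group. The work computer is not a port in `default`, so the packstack default ingress rules never match it, even though the router's DNAT has already delivered the packet to 10.0.0.11. The model below is an added illustration (my own constructed code, not Neutron's implementation or API) of that evaluation, using the addresses from the question; it also shows the two fixes mentioned in the thread (a separate group, or a rule added to `default`) and that scoping the rule to the external /24 admits the work computer while still refusing an address outside it (203.0.113.5 is a constructed example address).

```python
import ipaddress


def rule(direction, ethertype="IPv4", protocol=None, port_min=None, port_max=None,
         remote_ip_prefix=None, remote_group=None):
    """One security-group rule; remote_ip_prefix and remote_group are mutually exclusive."""
    return dict(direction=direction, ethertype=ethertype, protocol=protocol,
                port_min=port_min, port_max=port_max,
                remote_ip_prefix=remote_ip_prefix, remote_group=remote_group)


def packstack_default_group():
    """The default group as described in the answer: egress anywhere,
    ingress only from other ports that are members of the same group."""
    return [rule("egress", "IPv4"), rule("egress", "IPv6"),
            rule("ingress", "IPv4", remote_group="default"),
            rule("ingress", "IPv6", remote_group="default")]


# Constructed membership map: fixed IP of a port -> groups it belongs to.
# Only the cirros instance from the question exists here.
PORT_GROUPS = {"10.0.0.11": {"default"}}


def rule_matches(r, pkt, port_groups):
    """True if rule r admits packet pkt. The 'remote' side is the source for
    ingress and the destination for egress, as in Neutron."""
    if r["direction"] != pkt["direction"]:
        return False
    remote = pkt["src"] if pkt["direction"] == "ingress" else pkt["dst"]
    remote_ip = ipaddress.ip_address(remote)
    if r["ethertype"] != ("IPv4" if remote_ip.version == 4 else "IPv6"):
        return False
    if r["protocol"] is not None and r["protocol"] != pkt["protocol"]:
        return False
    if r["port_min"] is not None and not (r["port_min"] <= pkt["dport"] <= r["port_max"]):
        return False
    if r["remote_ip_prefix"] is not None:
        return remote_ip in ipaddress.ip_network(r["remote_ip_prefix"])
    if r["remote_group"] is not None:
        # Remote-group rules need the remote endpoint to be a port in that group.
        return r["remote_group"] in port_groups.get(remote, set())
    return True  # no remote constraint at all


def allowed(pkt, groups, member_of, port_groups=PORT_GROUPS):
    """Whitelist semantics: allowed iff some rule of some group on the port matches."""
    return any(rule_matches(r, pkt, port_groups)
               for g in member_of for r in groups.get(g, []))


# Inbound SSH from the work computer as the compute node sees it: the router has
# already DNATed 192.168.2.56 -> 10.0.0.11; the source address is unchanged.
SSH_FROM_WORK = dict(direction="ingress", src="192.168.2.1", dst="10.0.0.11",
                     protocol="tcp", dport=22)
# The same packet from outside the office range (constructed address).
SSH_FROM_ELSEWHERE = dict(SSH_FROM_WORK, src="203.0.113.5")
# The instance pinging back toward the gateway, which the question says works.
PING_OUT = dict(direction="egress", src="10.0.0.11", dst="192.168.2.1",
                protocol="icmp", dport=None)


def scenario():
    """Returns (ssh before the fix, ssh after the fix, ssh from elsewhere after the fix)."""
    groups = {"default": packstack_default_group()}
    before = allowed(SSH_FROM_WORK, groups, {"default"})
    # The answer's fix, scoped to the external /24 rather than 0.0.0.0/0.
    groups["external-ssh"] = [rule("ingress", "IPv4", "tcp", 22, 22,
                                   remote_ip_prefix="192.168.2.0/24")]
    after = allowed(SSH_FROM_WORK, groups, {"default", "external-ssh"})
    elsewhere = allowed(SSH_FROM_ELSEWHERE, groups, {"default", "external-ssh"})
    return before, after, elsewhere


def scenario_edit_default():
    """eblock's variant: add the same rule to the default group instead."""
    groups = {"default": packstack_default_group()
              + [rule("ingress", "IPv4", "tcp", 22, 22, remote_ip_prefix="192.168.2.0/24")]}
    return allowed(SSH_FROM_WORK, groups, {"default"})


if __name__ == "__main__":
    print(scenario(), scenario_edit_default())
```

The egress rules have no remote constraint, which is why the instance can reach 192.168.2.1 and the internet from the start; only the return direction was blocked. Preferring a specific prefix such as the external subnet over 0.0.0.0/0 for the SSH rule keeps the exposure to the hosts that actually need it.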
