Multiple external networks: no ARP forwarding

asked 2017-12-26 02:13:56 -0500

Lionel

Hi,

I'm using the Mitaka version, with Linux Bridge (no OVS). I'm trying to add a second external network with no floating IP (to give access to some NFS resources from OpenStack instances). I have set up a new private network with a subnet, a new external network / subnet and a router to link them.

But from instances, I am only able to ping the router gateway, and nothing on the external network. It is working from the router namespace:

# ip netns exec qrouter-7fbc6bf9-ada9-44fc-90fc-3a58a2e849f5 ping 192.168.6.41
PING 192.168.6.41 (192.168.6.41) 56(84) bytes of data.
64 bytes from 192.168.6.41: icmp_seq=1 ttl=255 time=0.597 ms
64 bytes from 192.168.6.41: icmp_seq=2 ttl=255 time=0.300 ms

With some tcpdump captures, I can see that ARP requests arrive on the router's private interface:

# ip netns exec qrouter-7fbc6bf9-ada9-44fc-90fc-3a58a2e849f5 tcpdump -ni qr-05f0cee1-a7 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qr-05f0cee1-a7, link-type EN10MB (Ethernet), capture size 262144 bytes
15:51:21.977640 ARP, Request who-has 192.168.6.42 tell 192.168.13.5, length 28
15:51:22.995403 ARP, Request who-has 192.168.6.42 tell 192.168.13.5, length 28
15:51:23.993706 ARP, Request who-has 192.168.6.42 tell 192.168.13.5, length 28

But they don't get any answer.

And nothing happens on the router's public interface:

# ip netns exec qrouter-7fbc6bf9-ada9-44fc-90fc-3a58a2e849f5 tcpdump -ni qg-f1680df3-43 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qg-f1680df3-43, link-type EN10MB (Ethernet), capture size 262144 bytes

Here is the iptables configuration:

# ip netns exec qrouter-7fbc6bf9-ada9-44fc-90fc-3a58a2e849f5 iptables -L -vn
Chain INPUT (policy ACCEPT 33267 packets, 5130K bytes)
 pkts bytes target     prot opt in     out     source               destination
33267 5130K neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 129 packets, 10836 bytes)
 pkts bytes target     prot opt in     out     source               destination
  129 10836 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  129 10836 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10693 packets, 1042K bytes)
 pkts bytes target     prot opt in     out     source               destination
10693 1042K neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
10693 1042K neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
10822 1053K neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  129 10836 neutron-l3-agent-scope  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1/0xffff
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0 ...