Cannot ping External network gateway from router inside namespace

asked 2018-09-13 09:48:05 -0500

Aref

We deployed OpenStack according to the Queens documentation on Ubuntu 18 and used networking option 2 (self-service) with the Linux bridge agent.

https://docs.openstack.org/neutron/qu... https://docs.openstack.org/neutron/qu...

The problem is that we cannot ping the external network from inside the provider network. Our network infrastructure is highly similar to the OpenStack docs.

Here are the outputs:

root@controller:~# ip netns
qrouter-c172d86d-ca59-4560-bbc5-7a701759c932 (id: 2)
qdhcp-d10d49b8-d801-4b17-95bb-b9436e7714db (id: 1)
qdhcp-a1577a43-39a6-4fd3-b243-ddb848240eee (id: 0)

root@controller:~# ip netns exec qrouter-c172d86d-ca59-4560-bbc5-7a701759c932 ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever


2: qr-52604f59-e7@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether fa:16:3e:80:83:15 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.1.1/24 brd 172.16.1.255 scope global qr-52604f59-e7
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe80:8315/64 scope link 
       valid_lft forever preferred_lft forever
3: qg-c8c9e3ff-15@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:16:3e:ec:2f:75 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 203.0.113.102/24 brd 203.0.113.255 scope global qg-c8c9e3ff-15
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feec:2f75/64 scope link 
       valid_lft forever preferred_lft forever


Here is our server, whose first interface is on the management network and second on the provider network. We can easily see that the MAC address of our virtual router is detected, so the data-link layer connection is working.

root@controller:~# brctl show
bridge name     bridge id               STP enabled     interfaces
brqa1577a43-39  8000.0261618a4664       no              tap52604f59-e7
                                                        tapdca6ba0a-f3
                                                        vxlan-13
brqd10d49b8-d8  8000.005056a871a1       no              ens33
                                                        tap0b74aef2-ce
                                                        tapc8c9e3ff-15




root@controller:~# ip netns exec qrouter-c172d86d-ca59-4560-bbc5-7a701759c932 iptables-save
# Generated by iptables-save v1.6.1 on Thu Sep 13 13:28:14 2018
*raw
:PREROUTING ACCEPT [1166:128205]
:OUTPUT ACCEPT [2426:231652]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
COMMIT
# Completed on Thu Sep 13 13:28:14 2018
# Generated by iptables-save v1.6.1 on Thu Sep 13 13:28:14 2018
*nat
:PREROUTING ACCEPT [42:4998]
:INPUT ACCEPT [42:4998]
:OUTPUT ACCEPT [108:7740]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-c8c9e3ff-15 ! -o qg-c8c9e3ff-15 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-c8c9e3ff-15 -j SNAT --to-source 203.0.113.102
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT ...