Cannot ping external network gateway from router inside namespace
We deployed OpenStack according to the Queens documentation on Ubuntu 18 and used networking option 2 (self-service) with the Linux bridge agent.
https://docs.openstack.org/neutron/qu... https://docs.openstack.org/neutron/qu...
The problem is that we cannot ping the external network from inside the provider network.
Our network infrastructure is very similar to the one in the OpenStack docs:
Here are the outputs:
root@controller:~# ip netns
qrouter-c172d86d-ca59-4560-bbc5-7a701759c932 (id: 2)
qdhcp-d10d49b8-d801-4b17-95bb-b9436e7714db (id: 1)
qdhcp-a1577a43-39a6-4fd3-b243-ddb848240eee (id: 0)
root@controller:~# ip netns exec qrouter-c172d86d-ca59-4560-bbc5-7a701759c932 ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: qr-52604f59-e7@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether fa:16:3e:80:83:15 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.1.1/24 brd 172.16.1.255 scope global qr-52604f59-e7
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe80:8315/64 scope link
       valid_lft forever preferred_lft forever
3: qg-c8c9e3ff-15@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:16:3e:ec:2f:75 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 203.0.113.102/24 brd 203.0.113.255 scope global qg-c8c9e3ff-15
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feec:2f75/64 scope link
       valid_lft forever preferred_lft forever
Here is our server, whose first interface is on the management network and second on the provider network. We can easily see that the MAC address of our virtual router is detected, so the connection at the data link layer is working.
root@controller:~# brctl show
bridge name       bridge id            STP enabled    interfaces
brqa1577a43-39    8000.0261618a4664    no             tap52604f59-e7
                                                      tapdca6ba0a-f3
                                                      vxlan-13
brqd10d49b8-d8    8000.005056a871a1    no             ens33
                                                      tap0b74aef2-ce
                                                      tapc8c9e3ff-15
root@controller:~# ip netns exec qrouter-c172d86d-ca59-4560-bbc5-7a701759c932 iptables-save
# Generated by iptables-save v1.6.1 on Thu Sep 13 13:28:14 2018
*raw
:PREROUTING ACCEPT [1166:128205]
:OUTPUT ACCEPT [2426:231652]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
COMMIT
# Completed on Thu Sep 13 13:28:14 2018
# Generated by iptables-save v1.6.1 on Thu Sep 13 13:28:14 2018
*nat
:PREROUTING ACCEPT [42:4998]
:INPUT ACCEPT [42:4998]
:OUTPUT ACCEPT [108:7740]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-c8c9e3ff-15 ! -o qg-c8c9e3ff-15 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-c8c9e3ff-15 -j SNAT --to-source 203.0.113.102
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT ...
Did you manage to fix this?! I have a similar problem.