Creating a VM to act as a router

asked 2013-06-13 17:51:54 -0500

dsmith4546

Hello,

I recently set up a virtual machine to act as a router. The problem is that the VM is not routing traffic correctly. This is essentially what my setup is; refer to the output below.

(VM IM PINGING FROM)
(Private subnet X)
|
(OPEN VPN TUNNEL)
|
(VMs below is in Private subnet Y on a completely different cloud)
(VM ACTING AS ROUTER)(INT-X)--(INT-Y)(OVS)--------(VM IM TRYING TO PING)

When I run a packet capture on INT-X on the router VM, I see echo requests going out. When I run a packet capture on INT-Y on the OVS, I no longer see the echo requests...

Is there some sort of libvirt rule that needs to be changed in order for a virtual machine to act as a router?


6 answers


answered 2013-06-26 16:50:04 -0500

dsmith4546

I think I need to start digging into the quantum code more. I will ask some other folks I work with to see if they are interested in adding that functionality.


answered 2013-06-14 02:36:00 -0500

gongysh

So your router VM has an IP on INT-X, which is the gateway of the VM you are pinging from, right? And the router VM has another IP on INT-Y, which connects to the other VMs you are pinging. Have you enabled forwarding with 'sysctl -w net.ipv4.ip_forward=1'?


answered 2013-06-17 17:41:31 -0500

dsmith4546

I am 99% sure this has to do with OpenStack not allowing IP spoofing. Is there a way to turn off IP spoofing in Grizzly?


answered 2013-06-26 16:48:49 -0500

dsmith4546

Thanks Aaron Rosen, that solved my question.


answered 2013-06-17 17:52:03 -0500

Doug, yup, that is what is blocking you. I think if you set the firewall driver in ovs_quantum_plugin.ini to the Noop one, that should do it. The nvp plugin has an extension, port_security_enabled, which is used to disable these spoofing rules. This would be pretty easy to add to the OVS plugin if you are interested in implementing it.

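The anti-spoofing filter discussed in this thread, as an added example that is not part of the original answers and is not Quantum's own code: a small model of a per-port source-address check, showing why packets a router VM forwards are dropped while its own traffic passes. The rule layout, chain names, MACs and addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed iptables-save style rules for two ports. Chain names, MACs and
# addresses are illustrative assumptions, not output from a Quantum agent.
SAMPLE_RULES = """\
-A spoof-router-port -s 10.0.2.1/32 -m mac --mac-source fa:16:3e:00:00:01 -j RETURN
-A spoof-router-port -j DROP
-A spoof-vm-port -s 10.0.2.20/32 -m mac --mac-source fa:16:3e:00:00:02 -j RETURN
-A spoof-vm-port -j DROP
"""

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+)(?: -s (?P<src>\S+))?"
    r"(?: -m mac --mac-source (?P<mac>\S+))? -j (?P<target>\S+)$")


def parse_rules(text):
    """Return {chain: [(source network, source MAC, target), ...]} in rule order."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # ignore lines this small model does not understand
        net = ipaddress.ip_network(m["src"]) if m["src"] else None
        mac = m["mac"].lower() if m["mac"] else None
        chains.setdefault(m["chain"], []).append((net, mac, m["target"]))
    return chains


def verdict(chains, chain, src_ip, src_mac):
    """First matching rule wins; RETURN means the packet passes this filter."""
    ip = ipaddress.ip_address(src_ip)
    for net, mac, target in chains.get(chain, []):
        if net is not None and ip not in net:
            continue
        if mac is not None and mac != src_mac.lower():
            continue
        return "PASS" if target == "RETURN" else target
    return "PASS"  # no rule matched: control returns to the calling chain


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    router_mac = "fa:16:3e:00:00:01"
    # Traffic the router VM originates itself vs. traffic it forwards for 10.0.1.5.
    for src in ("10.0.2.1", "10.0.1.5"):
        print(src, verdict(rules, "spoof-router-port", src, router_mac))
```

A Noop firewall driver removes this check for every port the agent handles, together with security-group filtering, whereas a per-port switch such as the port_security_enabled extension mentioned above limits the exemption to the router VM's port.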

answered 2013-06-15 16:37:38 -0500

dsmith4546

Yes, I have enabled IP forwarding. I have an OpenVPN tunnel between two VMs in two different clouds. Each of those VMs is doing routing for the local subnet it is connected to. I have the appropriate routes in place on all virtual machines. I want to ping from a VM on one cloud to a VM on another cloud. I want to go over the OpenVPN tunnel. I am doing this as you said above by using those OpenVPN VMs as the gateway. I see the traffic going over the tunnel. I see the traffic hitting the far side VM. The strange thing is I see the echo reply coming back. But it STOPS at the VM that is the gateway for the VM I'm pinging from. When I run a capture on the actual ethernet interface for that VM that is running OpenVPN, and is doing the routing, I see echo replies... but they are never routed back to the VM that sent out the echo requests. I ran a capture on the tap interface and am seeing echo replies, but when I run a capture on the q interface on OVS I don't see the echo replies...

Normally I was going to say there must be some kind of Quantum rule for IP spoofing or something, but that doesn't make any sense because the traffic gets all the way to the far side VM over the tunnel. And when it gets routed at the other side of the tunnel the source address is an address that is different than the IP address assigned to the interface. This probably isn't an OpenStack issue.


Stats

Asked: 2013-06-13 17:51:54 -0500

Seen: 1,321 times

Last updated: Jun 26 '13