Why can't I connect to instance via their floating IPs?

asked 2013-03-20 20:45:14 -0500

lorin

updated 2013-03-27 15:48:05 -0500

Razique

(This is a copy of my question from serverfault.com; I figured it's time to start asking here instead.)

I'm having trouble getting floating IPs to work properly on my OpenStack setup. It looks like the controller node (running nova-network) isn't forwarding the traffic to the instances.

I've got a Folsom deployment with FlatDHCP, not running multi-host, running on Ubuntu 12.04.

As an example, here's a running instance with a fixed IP of 10.40.0.2 and a floating IP of 10.20.0.3:

$ nova list
+-------+---------+--------+------------------------------+
| ID    | Name    | Status | Networks                     |
+-------+---------+--------+------------------------------+
| 3d292 | quantal | ACTIVE | private=10.40.0.2, 10.20.0.3 |
+-------+---------+--------+------------------------------+

If I'm logged into the controller, I can ping and ssh to the VM instance from either of the IPs. However, I cannot ping or ssh to the instance from an external machine.

If I try to ping from a machine on a different network (192.168.3.5), I can see the packets reach the controller on its public interface (eth3), but those packets aren't getting forwarded to the bridge (br100) that's connected to the private interface:

# tcpdump -i any icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:33:12.908188 IP 192.168.3.5 > 10.20.0.3: ICMP echo request, id 58378, seq 0, length 64
20:33:13.910759 IP 192.168.3.5 > 10.20.0.3: ICMP echo request, id 58378, seq 1, length 64
20:33:14.910591 IP 192.168.3.5 > 10.20.0.3: ICMP echo request, id 58378, seq 2, length 64

I've configured nova-network to use the "no-op" firewall driver, so there shouldn't be any security group issues here:

firewall_driver=nova.virt.firewall.NoopFirewallDriver

I've confirmed that I have IP forwarding enabled:

$ cat /proc/sys/net/ipv4/ip_forward
1

I'm not too familiar with iptables, but looking at the rules, I can't see anything obviously wrong (it's lorin/5209761 on gist.github.com, I can't post links yet!)

I assume this rule is in effect when connecting from the controller to the VM:

-A nova-network-OUTPUT -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2

And that it hits these rules when forwarding:

-A nova-network-PREROUTING -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2
-A nova-network-FORWARD -o br100 -j ACCEPT

At this point, I'm at a loss as to why it isn't doing the NAT properly and forwarding the packets.

The interfaces are:

  • eth0: (not involved here)
  • eth1: connects to the internal VM-only network, br100 is bridged to it. Packets should ultimately go out that interface
  • eth2: (not involved here)
  • eth3: public-facing interface. It has the IP of the controller (10.20.0.2), as well as the floating IP of the instance (10.20.0.3).

Below is the output of ... (more)

Comments

Can you provide a full iptables dump with counters?

gmi ( 2013-03-27 09:41:29 -0500 )

iptables dump is at https://gist.github.com/lorin/5209761

lorin ( 2013-03-27 19:46:13 -0500 )
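
One way to read the counters requested in the comment above, as an added example that is not part of the original thread: it takes `iptables-save -c` output and reports the first stage of the floating-IP path (DNAT in PREROUTING, then ACCEPT towards the bridge) whose packet counter is still zero. The function names `dnat_stage` and `sample_dump` are hypothetical, and the counter values in the sample are constructed.

```shell
#!/bin/sh
# Usage (as root): iptables-save -c | dnat_stage 10.20.0.3 br100
# Prints the first stage whose packet counter is still zero:
#   no-dnat-rule       no PREROUTING DNAT rule for the floating IP
#   dnat-unmatched     rule present, counter 0: packets never reached it
#   forward-unmatched  DNAT matched, nothing accepted towards the bridge
#   forwarded          both counted; look past netfilter (routes, return path)
# Note: nat rules count only the first packet of each tracked connection, and
# the FORWARD counter covers all traffic to the bridge, not just this IP.
dnat_stage() {
    awk -v fip="$1" -v br="$2" '
        /^\[[0-9]+:[0-9]+\] -A / {
            pkts = substr($1, 2); sub(/:.*/, "", pkts)   # "[3:252]" -> "3"
            if ($3 ~ /PREROUTING$/ && index($0, "-d " fip "/32 ") && / -j DNAT /) {
                seen = 1; dnat += pkts
            }
            if ($3 ~ /FORWARD$/ && index($0, "-o " br " ") && / -j ACCEPT/)
                fwd += pkts
        }
        END {
            if (!seen)      print "no-dnat-rule"
            else if (!dnat) print "dnat-unmatched"
            else if (!fwd)  print "forward-unmatched"
            else            print "forwarded"
        }'
}

# Constructed sample in `iptables-save -c` format. The DNAT and FORWARD rules
# are the ones quoted in the question; the counters and the PREROUTING jump
# line are invented for illustration, not taken from the poster's controller.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [3:252]
[3:252] -A PREROUTING -j nova-network-PREROUTING
[3:252] -A nova-network-PREROUTING -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2
[0:0] -A nova-network-OUTPUT -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2
COMMIT
*filter
:FORWARD ACCEPT [0:0]
[0:0] -A nova-network-FORWARD -o br100 -j ACCEPT
COMMIT
EOF
}
```

Running `sample_dump | dnat_stage 10.20.0.3 br100` reports `forward-unmatched`: the address was translated but nothing was accepted towards br100, which narrows the search to the routing decision made between the two hooks.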

1 answer

answered 2013-03-27 19:47:05 -0500

lorin

It turned out that my routes were configured incorrectly; I needed to change the default gateway.

Comments

What did you change it to?

PT_C ( 2013-06-28 10:08:53 -0500 )

I have exactly the same problem. Can you explain more clearly what you did?

piosystems ( 2014-07-04 06:29:18 -0500 )

This is a case of http://xkcd.com/979/ (xkcd #979). What did you change the default gateway to, and from what?

t0xicCode ( 2014-11-18 13:30:36 -0500 )

OMG, what routes, where, on host or instance? What was wrong? To what value did you change the GW??

Daneel ( 2015-09-02 02:24:27 -0500 )
