
Why can't I connect to instance via their floating IPs?

asked 2013-03-20 20:45:14 -0500

lorin

updated 2013-03-27 15:48:05 -0500

Razique

(This is a copy of my question from, figured it's time to start asking here instead)

I'm having trouble getting floating IPs to work properly on my OpenStack setup. It looks like the controller node (running nova-network) isn't forwarding the traffic to the instances.

I've got a Folsom deployment with FlatDHCP, not running multi-host, running on Ubuntu 12.04.

As an example, here's a running instance with a fixed IP of and a floating IP of

$ nova list
| ID    | Name    | Status | Networks                     |
| 3d292 | quantal | ACTIVE | private=, |

If I'm logged into the controller, I can ping and ssh to the VM instance from either of the IPs. However, I cannot ping or ssh to the instance from an external machine.

If I try to ping from a machine on a different network (, I can see the packets reach the controller on its public interface (eth3), but those packets aren't getting forwarded to the bridge (br100) that's connected to the private interface:

# tcpdump -i any icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:33:12.908188 IP > ICMP echo request, id 58378, seq 0, length 64
20:33:13.910759 IP > ICMP echo request, id 58378, seq 1, length 64
20:33:14.910591 IP > ICMP echo request, id 58378, seq 2, length 64

I've configured nova-network to use the "no-op" firewall driver, so there shouldn't be any security group issues here:


I've confirmed that I have IP forwarding enabled:

$ cat /proc/sys/net/ipv4/ip_forward

I'm not too familiar with iptables, but looking at the rules, I can't see anything obviously wrong (it's lorin/5209761 on, I can't post links yet!)

I assume this rule is in effect when connecting from the controller to the VM:

-A nova-network-OUTPUT -d -j DNAT --to-destination

And that it hits these rules when doing forward:

-A nova-network-PREROUTING -d -j DNAT --to-destination
-A nova-network-FORWARD -o br100 -j ACCEPT

At this point, I'm at a loss as to why it isn't doing the NAT properly and forwarding the packets.

The interfaces are:

  • eth0: (not involved here)
  • eth1: connects to the internal VM-only network, br100 is bridged to it. Packets should ultimately go out that interface
  • eth2: (not involved here)
  • eth3: public-facing interface. It has the IP of the controller (, as well as the floating IP of the instance (

Below is the output of ... (more)



Can you provide a full iptables dump with counters?

gmi ( 2013-03-27 09:41:29 -0500 )

iptables dump is at

lorin ( 2013-03-27 19:46:13 -0500 )

1 answer


answered 2013-03-27 19:47:05 -0500

lorin

It turned out that my routes were configured incorrectly; I needed to change the default gateway.



What did you change it to?

PT_C ( 2013-06-28 10:08:53 -0500 )

I have exactly the same problem. Can you explain more clearly what you did?

piosystems ( 2014-07-04 06:29:18 -0500 )

This is a case of (xkcd #979). What did you change the default gateway to, and from what?

t0xicCode ( 2014-11-18 13:30:36 -0500 )

OMG, what routes, where, on host or instance? What was wrong? To what value did you change the GW??

Daneel ( 2015-09-02 02:24:27 -0500 )
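
The answer does not say which route was wrong, so as an added example (not from the original thread): a shell check for one common cause of this symptom, a default route that leaves through an interface other than the public one holding the floating IP, in which case strict reverse-path filtering drops the inbound packets before they are forwarded. The addresses, the eth0 default route and the function names are constructed assumptions, since the page's real values are not shown.

```shell
#!/bin/sh
# Added example. All addresses are constructed documentation ranges.
FLOATING_IP=203.0.113.50
PUBLIC_IF=eth3
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/24 dev br100 proto kernel scope link src 10.0.0.1
203.0.113.0/24 dev eth3 proto kernel scope link src 203.0.113.10'
SAMPLE_RULES='-A nova-network-PREROUTING -d 203.0.113.50/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-FORWARD -o br100 -j ACCEPT'

# Read `ip route show` output on stdin; print the default route's interface.
default_route_dev() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Read `iptables-save -t nat` output on stdin; print the fixed IP that the
# floating IP given as $1 is DNATed to in a PREROUTING chain.
dnat_target() {
    awk -v fip="$1" '/PREROUTING/ && /-j DNAT/ {
        d = ""; t = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") { d = $(i + 1); sub(/\/32$/, "", d) }
            if ($i == "--to-destination") t = $(i + 1)
        }
        if (d == fip) { print t; exit }
    }'
}

# Args: floating_ip public_if routes rules. Returns 0 if the DNAT rule exists
# and the default route uses the public interface, 1 on a route mismatch,
# 2 if no DNAT rule matches.
check_floating_path() {
    target=$(printf '%s\n' "$4" | dnat_target "$1")
    [ -n "$target" ] || { echo "no PREROUTING DNAT rule for $1"; return 2; }
    dev=$(printf '%s\n' "$3" | default_route_dev)
    if [ "$dev" != "$2" ]; then
        echo "DNAT $1 -> $target present; default route uses ${dev:-none}, not $2"
        return 1
    fi
    echo "DNAT $1 -> $target present; default route uses $2"
}

# On a live controller: check_floating_path <floating-ip> eth3 \
#     "$(ip route show)" "$(iptables-save -t nat)"
check_floating_path "$FLOATING_IP" "$PUBLIC_IF" "$SAMPLE_ROUTES" "$SAMPLE_RULES" || true
```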
