
Allowing guests in DevStack to talk to outside world

asked 2013-06-04 23:03:38 -0500

radix

updated 2013-06-04 23:25:35 -0500

I'm running DevStack in a minimal Ubuntu 12.04 KVM to test and learn about how to deploy a development environment for hacking on OpenStack.

I've found the most success with using Quantum instead of nova-network; if I use nova-network, I can't route ("No route to host") from the openstack host to the guests. With quantum, I can. The guests can also route to each other.

However, the other direction doesn't fully work. The guests can talk to the host on its br-ex IP (, but everything past that (towards the Internet) is black-holed.

Is it expected that guests in a devstack should be able to route all the way out to the Internet, assuming their host has Internet access? Do I need to set up additional routes or iptables rules to allow this? I'm using no localrc configuration that should affect networking other than using quantum instead of nova-network.

disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service quantum


my route table:

radix@devstack-lts:~/devstack$ ip route
default via dev eth0  metric 100 via dev br-ex dev br-ex  proto kernel  scope link  src dev eth0  proto kernel  scope link  src



2 answers


answered 2013-06-05 10:27:44 -0500

radix

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


answered 2013-06-05 08:45:59 -0500

darragh-oreilly

updated 2013-06-05 08:48:52 -0500

is part of rfc1918 and so is not publicly routable. Packets with this source address must be SNATed again with a public IP so hosts on the Internet can send packets back to you. If you are on a company network, then you will need help from your networking people. If you are working from home, then you will need to ensure that outbound packets get to your home router and it SNATs them with the public IP your ISP has allocated to you - this might be happening already. Run tcpdump on the NIC on the physical host to see if packets are leaving with source IP and the destination MAC of your home router. You will need to add a static route on the home-router so it knows to send inbound packets (from Internet) (destination IP = or to the physical machine. The physical host will need to have IP forwarding enabled and its firewall needs to allow this traffic.



Thanks for your answer, Darragh. (Sorry, didn't realize hitting enter would save my post...) I'm doing this from home. I'm surprised you think I'll have to change the configuration of my physical router - isn't it possible to just set up NAT with iptables on the devstack host? It has Internet access.

radix ( 2013-06-05 09:07:32 -0500 )

The physical router does not know about the 172 network and does not have a route for it - so you have to add it. This should be easy with the router's web gui. Yes - alternatively you could snat or masquerade the packets again to the IP of the host (then 3 levels of NAT) - more difficult though.

darragh-oreilly ( 2013-06-05 09:43:36 -0500 )

Yeah, it turns out the solution was simple: sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.

radix ( 2013-06-05 10:27:19 -0500 )
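
Added example, not part of the original thread: a shell check over an iptables-save dump that finds the MASQUERADE rule from the answers and reports whether it is limited to a source range (a rule with no -s translates everything forwarded out of that interface), plus the IP forwarding check mentioned in the second answer. The sample dump, the function names and the 172.16.0.0/24 range are constructed for illustration and are not values from the thread.

```shell
#!/usr/bin/env bash
# Added example: audit NAT state on a DevStack host. All sample data is constructed.
# 172.16.0.0/24 is a placeholder guest range, not a value taken from the thread.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o br-ex -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br-ex -o eth0 -j ACCEPT
COMMIT'

# audit_masquerade <egress-iface>
# Reads iptables-save text on stdin. For every MASQUERADE rule in the nat
# table's POSTROUTING chain that leaves via <egress-iface>, prints
# "scoped <source>" when the rule has -s, otherwise "unscoped".
# Negated matches ("! -s") are reported as scoped; review those by hand.
audit_masquerade() {
  awk -v ifc="$1" '
    /^\*/ { table = substr($0, 2); next }      # "*nat" / "*filter" section header
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
      src = ""; out = ""; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-o") out = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (target == "MASQUERADE" && out == ifc) {
        if (src == "") print "unscoped"
        else print "scoped " src
      }
    }'
}

# forwarding_enabled [file]
# Succeeds when the sysctl file holds 1. Defaults to the live kernel setting.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Demo on the constructed dump. On a real host:
#   sudo iptables-save | audit_masquerade eth0
printf '%s\n' "$SAMPLE_RULES" | audit_masquerade eth0
```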
