One way communications

asked 2013-06-25 16:56:50 -0600

OldParrothead gravatar image

I have the following setup:

Company Backbone at 192.168.1.x with a router at A Server running all facets of Openstack: eth0 connected to backbone br-ex configured at eth1 configured at with an empty net behind it. I setup my physical router to route all packets to (see below) and have tried at as well.

Configured an external network at with DHCP from .2-.17 Configured an openstack network at, full DHCP

Configured an Openstack router with gateway on the external network (gets address and another on the openstack network (gets address

I set up a simple (ubuntu 12.04) VM to run with one interface (DHCP) and it gets an address of

If I go to the net, or SSH to any server on the 192.168.1.x net, it works great, no issues at all. However, if I initiate contact from outside Openstack inward, nothing happens. I have run tcpdump and it gets as far as the network interfaces on the server, but nothing passes through.

Anybody out there got a clue??

Thanks, OldParrothead

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2013-06-26 01:35:40 -0600

darragh-oreilly gravatar image

You will need to create and associate a floating IP with the instance's port in order to initiate connections from outside to the instance. This will create a one-to-one DNAT mapping from the floating IP to the instance IP.

The reason you see outbound connections working is because there is a default SNAT action on the gateway port that uplinks the router to the external network. Use tcpdump on the outside to see the IP addresses of the packets - you should see and not But when a floating IP is associated, then it will be used for outbound too.

edit flag offensive delete link more

answered 2013-06-26 08:08:31 -0600

OldParrothead gravatar image

updated 2013-06-26 08:36:40 -0600

Thanks. I had thought of that. The instance has an associated floating IP.

I have checked tcpdump and it still appears to be using the 10.10.101.x address to communicate. I am not sure why that is. All my readings (and there have been a lot) indicate that once the IP has been associated, I should be seeing the "new" IP address.

However, that doesn't appear what is happening. I thought I was being "firewalled" at first. The traffic appears to be flowing properly.

I turned up two problems. One - quantum was intermittently failing due to an access problem. For this, I changed the quantum_sudoers file to just open the door completely for quantum Two - My security rules were I thought completely open, when I, in fact had them shut completely.

What was happening was that quantum was not doing the full floating IP association until I fixed the access problem. Then the tcpdump looked proper, and finally, I was able to track the security group issues down.

Thanks, OldParrothead

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2013-06-25 16:56:50 -0600

Seen: 219 times

Last updated: Jun 26 '13