1

One way communications

asked 2013-06-25 16:56:50 -0500

OldParrothead

I have the following setup:

Company Backbone at 192.168.1.x with a router at 192.168.1.1

A Server running all facets of Openstack:
  eth0 connected to backbone
  br-ex configured at 192.168.1.18
  eth1 configured at 10.10.10.1 with an empty net behind it.

I set up my physical router to route all 10.0.0.0/0 packets to 192.168.1.3 (see below) and have tried at 192.168.1.18 as well.

Configured an external network at 192.168.1.0/24 with DHCP from .2-.17

Configured an openstack network at 10.10.101.0/24, full DHCP

Configured an Openstack router with gateway on the external network (gets address 192.168.1.3) and another on the openstack network (gets address 10.10.101.1)

I set up a simple (ubuntu 12.04) VM to run with one interface (DHCP) and it gets an address of 10.10.101.3.

If I go to the net, or SSH to any server on the 192.168.1.x net, it works great, no issues at all. However, if I initiate contact from outside Openstack inward, nothing happens. I have run tcpdump and it gets as far as the network interfaces on the server, but nothing passes through.

Anybody out there got a clue??

Thanks, OldParrothead


2 answers

1

answered 2013-06-26 01:35:40 -0500

darragh-oreilly

You will need to create and associate a floating IP with the instance's port in order to initiate connections from outside to the instance. This will create a one-to-one DNAT mapping from the floating IP to the instance IP.

The reason you see outbound connections working is because there is a default SNAT action on the gateway port that uplinks the router to the external network. Use tcpdump on the outside to see the IP addresses of the packets - you should see 192.168.1.3 and not 10.10.101.3. But when a floating IP is associated, then it will be used for outbound too.

http://docs.openstack.org/trunk/openstack-network/admin/content/l3_router_and_nat.html

-1

answered 2013-06-26 08:08:31 -0500

OldParrothead

updated 2013-06-26 08:36:40 -0500

Thanks. I had thought of that. The instance has an associated floating IP.

I have checked tcpdump and it still appears to be using the 10.10.101.x address to communicate. I am not sure why that is. All my readings (and there have been a lot) indicate that once the IP has been associated, I should be seeing the "new" IP address.

However, that doesn't appear to be what is happening. I thought I was being "firewalled" at first. The traffic appears to be flowing properly.

I turned up two problems.

One - quantum was intermittently failing due to an access problem. For this, I changed the quantum_sudoers file to just open the door completely for quantum.

Two - My security rules were, I thought, completely open, when I, in fact, had them shut completely.

What was happening was that quantum was not doing the full floating IP association until I fixed the access problem. Then the tcpdump looked proper, and finally, I was able to track the security group issues down.

Thanks, OldParrothead
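
The DNAT and SNAT behaviour described in the two answers above can be checked directly against the router's NAT table. This is an added example, not code from the thread or from OpenStack: the rule text is a constructed sample, and the chain names, the floating IP 192.168.1.4 and the function name `nat_state` are assumptions.

```python
import ipaddress

# Constructed `iptables -t nat -S` output, as read inside the router's network
# namespace. Chain names and the floating IP 192.168.1.4 are assumptions; the
# fixed IP, subnet and gateway address are the ones given in the question.
GATEWAY_SNAT = "-A quantum-l3-agent-snat -s 10.10.101.0/24 -j SNAT --to-source 192.168.1.3\n"
FLOATING_DNAT = "-A quantum-l3-agent-PREROUTING -d 192.168.1.4/32 -j DNAT --to-destination 10.10.101.3\n"
FLOATING_SNAT = "-A quantum-l3-agent-float-snat -s 10.10.101.3/32 -j SNAT --to-source 192.168.1.4\n"


def nat_state(rules_text, fixed_ip):
    """Report how the rules translate one instance address in each direction."""
    ip = ipaddress.ip_address(fixed_ip)
    inbound = host_snat = subnet_snat = None
    for line in rules_text.splitlines():
        tok = line.split()
        # Map each option to the token that follows it: {"-d": "...", "-j": "DNAT", ...}
        opts = {t: v for t, v in zip(tok, tok[1:]) if t.startswith("-")}
        if opts.get("-j") == "DNAT" and "-d" in opts:
            if opts.get("--to-destination") == fixed_ip:
                inbound = opts["-d"].split("/")[0]
        elif opts.get("-j") == "SNAT" and "-s" in opts and "--to-source" in opts:
            src = ipaddress.ip_network(opts["-s"], strict=False)
            if ip in src and src.prefixlen == 32:
                host_snat = opts["--to-source"]      # one-to-one floating IP rule
            elif ip in src:
                subnet_snat = opts["--to-source"]    # default gateway SNAT
    if inbound and host_snat == inbound:
        verdict = "associated"
    elif inbound or host_snat:
        verdict = "partial"
    elif subnet_snat:
        verdict = "default-snat-only"   # outbound works, nothing can connect inward
    else:
        verdict = "no-nat"
    return {"verdict": verdict, "inbound_via": inbound,
            "outbound_as": host_snat or subnet_snat}


if __name__ == "__main__":
    for label, rules in [("before", GATEWAY_SNAT),
                         ("after", FLOATING_DNAT + FLOATING_SNAT + GATEWAY_SNAT)]:
        print(label, nat_state(rules, "10.10.101.3"))
```

A verdict of `associated` only says the router will translate in both directions; the instance's security group rules still decide whether an inbound connection is accepted, which was the second problem found in the thread.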


Stats

Asked: 2013-06-25 16:56:50 -0500

Seen: 176 times

Last updated: Jun 26 '13