forwarding and NAT rules not working on br-ex

asked 2014-05-21 10:36:24 -0500

arindamchoudhury

updated 2014-05-22 09:47:23 -0500

Hi,

I have installed OpenStack Icehouse on Fedora 20 using packstack. It's an all-in-one with Neutron GRE, following this.

I only have one NIC so I put the external network gateway address in br-ex and I can ping and ssh to my VM using floating IP (I am following this).

# iptables -A FORWARD -d 172.24.4.224/28 -j ACCEPT 
# iptables -A FORWARD -s 172.24.4.224/28 -j ACCEPT 
# iptables -t nat -I POSTROUTING 1 -s 172.24.4.224/28 -j MASQUERADE

but when I run the above commands to enable the forwarding and NAT rules, I cannot access my VMs anymore.

# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0

# ovs-vsctl show
0a5bfc1f-a948-4627-88d3-58ad5882dddb
    Bridge br-tun
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    Bridge br-ex
        Port "qg-65b3fe96-a5"
            Interface "qg-65b3fe96-a5"
                type: internal
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port "qr-c408c223-9c"
            tag: 1
            Interface "qr-c408c223-9c"
                type: internal
        Port "tap8433daff-78"
            tag: 1
            Interface "tap8433daff-78"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
    ovs_version: "2.0.1"

as suggested:

# iptables -A FORWARD -d 172.24.4.224/28 -j ACCEPT
# iptables -A FORWARD -s 172.24.4.224/28 -j ACCEPT
# iptables -t nat -I POSTROUTING 1 -s 172.24.4.224/28 -o em1 -j MASQUERADE

With this, I can ping and SSH to my VM, but there is still no internet connectivity from the VM.

Any help will be highly appreciated.


Comments

Have you taken care of the following, to set up MTU 1454 on cloud instances?

[root@dfw02 neutron(keystone_admin)]$ cat dnsmasq.conf
log-facility = /var/log/neutron/dnsmasq.log
log-dhcp
dhcp-option=26,1454

DanIzack ( 2014-05-21 10:53:32 -0500 )

I am confused about what I really have to do, sorry. Should I follow this?

arindamchoudhury ( 2014-05-21 11:03:20 -0500 )

How does your ovs-vsctl show look? Could you post it?

dbaxps ( 2014-05-21 11:06:06 -0500 )

Have you updated /etc/sysconfig/iptables with
-A INPUT -p gre -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
?

dbaxps ( 2014-05-21 11:14:34 -0500 )

No, I have not.

arindamchoudhury ( 2014-05-21 13:54:09 -0500 )

2 answers


answered 2014-05-28 09:10:57 -0500

dbaxps

updated 2015-04-14 03:41:11 -0500

Drop all this MASQUERADE stuff and run the install via packstack (with GRE tunnels) bound to em1.

Attempting to MASQUERADE the public network is not the right way to manage it at all.

Regarding the basics of the Neutron workflow (GRE), see
https://www.hastexo.com/system/files/...
(page 17 in particular).

Your answer file just references em1 as follows:

    CONFIG_CONTROLLER_HOST=192.168.1.127
    CONFIG_COMPUTE_HOSTS=192.168.1.127
    CONFIG_NETWORK_HOSTS=192.168.1.127
    CONFIG_NOVA_NETWORK_PUBIF=em1
    CONFIG_NOVA_NETWORK_PRIVIF=lo
    CONFIG_NEUTRON_OVS_TENANT_NETWORK_TYPE=gre
    CONFIG_NEUTRON_OVS_TUNNEL_RANGES=1:1000
    CONFIG_NEUTRON_OVS_TUNNEL_IF=em1

When done, create the external network as you need, say 192.168.1.0/24, with the desired allocation pool and no DHCP. Create /etc/sysconfig/network-scripts/ifcfg-br-ex as follows:

DEVICE="br-ex"
BOOTPROTO="static"
IPADDR="192.168.1.127"
NETMASK="255.255.255.0"
DNS1="83.221.202.254"
BROADCAST="192.168.1.255"
GATEWAY="192.168.1.1"
NM_CONTROLLED="no"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="yes"
IPV6INIT=no
ONBOOT="yes"
TYPE="OVSIntPort"
OVS_BRIDGE=br-ex
DEVICETYPE="ovs"

and /etc/sysconfig/network-scripts/ifcfg-em1:

DEVICE="em1"
# HWADDR=00:22:15:63:E4:E2
ONBOOT="yes"
TYPE="OVSPort"
DEVICETYPE="ovs"
OVS_BRIDGE=br-ex
NM_CONTROLLED=no
IPV6INIT=no

Start and enable the network service, stop and disable NetworkManager, then reboot the host.


answered 2014-05-22 09:02:08 -0500

larsks

You probably want to restrict the MASQUERADE rule to only traffic that's actually exiting your host. So instead of:

iptables -t nat -I POSTROUTING 1 -s 172.24.4.224/28 -j MASQUERADE

Try:

iptables -t nat -I POSTROUTING 1 -s 172.24.4.224/28 -o eth0 -j MASQUERADE

...assuming that eth0 is your physical network interface.


Comments

The step suggested by larsks won't provide inbound connectivity, just outbound for the public network.

dbaxps ( 2015-04-14 03:12:47 -0500 )
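An added check, not from the thread, that audits `iptables-save` output for POSTROUTING MASQUERADE rules lacking an `-o` outbound-interface match, which is exactly the difference between the rule that broke floating-IP access in the question and the one larsks suggests. The rule dump below is constructed for illustration.

```python
import shlex
from typing import Dict, List

# Constructed sample of what `iptables-save -t nat` might print on the host:
# the unrestricted rule from the question, the corrected one, a negated
# interface match, and a typical libvirt rule for comparison.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.24.4.224/28 -j MASQUERADE
-A POSTROUTING -s 172.24.4.224/28 -o em1 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 ! -o br-ex -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
COMMIT
"""

def parse_rule(line: str) -> Dict[str, str]:
    """Turn one '-A CHAIN ...' line into a dict of option -> value.
    A negated match such as '! -o br-ex' is stored under the key '!-o'."""
    toks = shlex.split(line)
    rule: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!" and i + 1 < len(toks):
            rule["!" + toks[i + 1]] = toks[i + 2] if i + 2 < len(toks) else ""
            i += 3
            continue
        if tok.startswith("-"):
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            rule[tok] = toks[i + 1] if has_val else ""
            i += 2 if has_val else 1
            continue
        i += 1
    return rule

def unbound_masquerade_rules(dump: str) -> List[str]:
    """Return the source CIDR of every POSTROUTING MASQUERADE rule that neither
    matches nor negates an outbound interface. Such a rule rewrites the source
    of forwarded packets from that range on every outbound interface, not just
    the uplink, which is why replies to floating-IP clients went wrong above."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        rule = parse_rule(line)
        if rule.get("-j") != "MASQUERADE" or "-o" in rule or "!-o" in rule:
            continue
        findings.append(rule.get("-s", "<any>"))
    return findings

if __name__ == "__main__":
    for cidr in unbound_masquerade_rules(SAMPLE_IPTABLES_SAVE):
        print(f"MASQUERADE for {cidr} has no -o match; restrict it to the uplink")
```

On a live host, feed it `iptables-save -t nat` output instead of the constructed sample; a clean result means every MASQUERADE rule is pinned to an uplink interface.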
