Troubles with NAT (MASQUERADE): ICMP works, but not UDP/TCP
I have a host with a /29 available (so after removing 2 for broadcast and 1 for IPMI, not a lot of IP address space). So I am looking to MASQUERADE out for my VMs (with no inbound needed). This is an all-in-one setup, running a flat network. I added -t nat -A POSTROUTING -o eth0 -j MASQUERADE.
Something interesting happens: my VMs can now ping the public internet (going through the masquerade), but cannot do TCP or UDP.
The control network of my VM is 172.16.1/24, and it has IP 172.16.1.16. I can ping 172.16.1.1, its default route (and the IP on my br-ex). My eth0 has a public IP (my only way of reaching this host).
What is causing this ability to ping (ICMP echo) but not TCP or UDP? I do not see them at all on my eth0 interface. E.g. when I tcpdump br-ex, I see the SYN packet I am trying to send from the VM. When I tcpdump on eth0, I do not see the SYN packet (neither with the internal nor with the masqueraded IP).
My neutron secgroup is allow all in, allow all out (-1 for protocol).
Any suggestion? How would you set up NAT for this setup? I don't really need the floating IP since there's no way to reach the VMs anyway.
Is there a way to disable the SNAT in case it is interfering?
ifconfig -a

br-ex     Link encap:Ethernet  HWaddr e2:27:cd:ae:cf:4c
          inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::86a:33ff:fe90:54c7/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:1294 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1729 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:148260 (148.2 KB)  TX bytes:148149 (148.1 KB)

br-int    Link encap:Ethernet  HWaddr 16:ce:e6:9f:62:40
          inet6 addr: fe80::c0d:c6ff:fea2:dc98/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:3138 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:543366 (543.3 KB)  TX bytes:648 (648.0 B)

eth0      Link encap:Ethernet  HWaddr 60:eb:69:3e:97:04
          inet addr:MYIP  Bcast:MYBCAST  Mask:255.255.255.248
          inet6 addr: fe80::62eb:69ff:fe3e:9704/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:745210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:481915 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:347403469 (347.4 MB)  TX bytes:101782097 (101.7 MB)
          Memory:df6e0000-df700000

int-br-ex Link encap:Ethernet  HWaddr 46:30:6f:0d:11:4d
          inet6 addr: fe80::4430:6fff:fe0d:114d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500 ...
Per ifconfig -a, eth0 doesn't have an IP; per ovs-vsctl show, eth0 is not an OVS port of br-ex.
Would guess that you need one more ethernet interface, eth1:
$ ovs-vsctl add-port br-ex eth0
$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
View http://www.karlrupp.net/en/computer/n... (how to set rules).
eth0 does have an IP (the public one of the box). As an experiment I put the other public IP on br-ex, but I can put eth0 in the br-ex group. I was assuming it would route across here (and it seems it is, since ICMP works just fine).
I just tried: adding eth0 to the br-ex group does not change anything. I can still ping the world, but not connect via TCP or UDP.
This is how my previous system (VirtualBox) was set up, FWIW.
OK. Then br-ex has IP 172.16.1.1 and eth0 has IP which is what?
eth0 is the publicly addressable IPv4 of the device.
The general neutron setup for the public network is as below. When I create a VM on the 'public' network, it gets an IP in 172.16.1.10-172.16.1.254. It can ping 172.16.1.1, and it can ping any address on the public internet (NAT'ing through eth0). But it cannot e.g. ssh to the world or fetch a file with HTTP.
I don't believe it would be correct to put eth0 in the bridge group with br-ex (since they are on separate networks they should not be bridged). But the L3 network stack of the host routes between them.
So I guess I don't understand the mechanism by which ICMP works and TCP does not here.
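A complete MASQUERADE setup for the network described in this thread, as an added example that is not part of the thread. It takes only the VM subnet (172.16.1.0/24) and the uplink (eth0) from the question; the rule layout, the VM_NET/UPLINK names and the helper functions are assumptions. Compared with a bare "-o eth0 -j MASQUERADE", the SNAT is scoped to the VM subnet and the FORWARD chain defaults to DROP, so only VM-originated flows go out and only conntrack-tracked replies come back; the rules are emitted in iptables-restore syntax so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread. Subnet and uplink come from the
# question; everything else here is an assumption.
VM_NET=172.16.1.0/24
UPLINK=eth0

# Emit NAT + forwarding rules in iptables-restore syntax. Scoping the SNAT to
# the VM subnet keeps the host from masquerading traffic from any other
# source that happens to be forwarded out eth0; a DROP policy on FORWARD
# plus a conntrack rule gives outbound-only connectivity (no inbound needed).
nat_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VM_NET -o $UPLINK -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $UPLINK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $VM_NET -o $UPLINK -j ACCEPT
COMMIT
EOF
}

# Apply the rules (needs root). Without ip_forward=1 nothing is routed
# between br-ex and eth0 at all, whatever the nat table says.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | iptables-restore --noflush
}

# Per-rule packet counters show whether a VM's SYN reached POSTROUTING and
# FORWARD, which is the same question the br-ex vs eth0 tcpdump comparison
# in the thread is asking.
check_path() {
    sysctl net.ipv4.ip_forward
    iptables -t nat -L POSTROUTING -v -n
    iptables -L FORWARD -v -n
}

case "${1:-show}" in
    show)  nat_rules ;;
    apply) apply_rules ;;
    check) check_path ;;
esac
```

Run it with no argument to print the rule set, "apply" to load it, and "check" to read the counters after reproducing a connection attempt from a VM.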
Take a look at this: Fragmented floating IP pools and multiple AS hack. It's a double NAT hack.