iptables unable to ping public interface br-ex, but VMs can ping out

asked 2013-07-22 07:24:15 -0600

skyrainman


I have what I believe is an iptables/firewall issue. In short, my VMs can ping in and out and floating IPs work. However, once I set up my first public network, my public interface (br-ex) on my controller node stopped working; therefore, I lost external connectivity to my controller.

I have traced what the problem is, but I am unsure how to resolve it. When I created my public network, that's when my public traffic interface stopped working. Upon inspection, I found that OpenStack created a default route as follows: UG 0 0 0 qg-8c88ca4b-2a

This route has a higher priority than my original route which causes the problem as follows: UG 0 0 0 qg-8c88ca4b-2a UG 0 0 0 br-ex

What I found is that if I remove the default gw route ( created by OpenStack, I can reach the controller external IP just fine. However, my VMs can't ping in or out although they can reach the internal router (

Then, if I add the OpenStack route back, I can reach my VMs' floating IP, and they can ping in and out. My goal is to allow my external interface access to the internet for controller public connectivity. Is there a way to correct this issue I am facing?

Also, I added a few firewall rules to allow my backup servers etc., but when OpenStack services are reloaded, the rules are removed. Is there a file that I can add the rules to that will allow the host to reload the rules when it reloads OpenStack iptables?


1 answer


answered 2013-07-22 08:07:22 -0600

darragh-oreilly

updated 2013-07-22 08:08:30 -0600

Say you want to connect to the controller from your laptop, then add a static route on the controller:

ip route add ${LAPTOP_IP}/32 via

or you may want to add a static route for the network the laptop is on instead.



Hey there Darragh, I need to make the controller available to the entire internet so that the APIs and dashboard are available to the public internet.

skyrainman ( 2013-07-22 08:22:59 -0600 )

So you want to route API/horizon packets via, and floating IP packets via

darragh-oreilly ( 2013-07-22 09:19:26 -0600 )

Yes, that would work. To be honest, they can all route via one gateway, as long as the same outcome is achieved.

skyrainman ( 2013-07-22 09:20:57 -0600 )

Ok, that (2 default routes) would not be possible. You will need to remove the one and keep the one.

darragh-oreilly ( 2013-07-22 09:53:18 -0600 )

I believe this issue is fixed with a simple iptables rule; otherwise, it is a bug. These 2 subnets are on the same VLAN. It's just that Quantum is blocking outbound traffic for the subnet.

skyrainman ( 2013-07-22 14:08:20 -0600 )
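
Why the /32 static route from the answer takes effect even while the OpenStack-created default route stays first in the table, shown as an added example that is not part of the original thread: a simplified Python model of route selection. The gateway and laptop addresses are constructed documentation-range placeholders, because the page does not show the real ones, and `lookup` and `with_static_route` are hypothetical helper names.

```python
import ipaddress

# Constructed routing table modelled on the controller in the question.
# All addresses are documentation-range placeholders (assumptions); the
# page's real gateways are not shown. Order matters: the qg- default
# route is listed first, as in the question's route output.
ROUTES = [
    # (destination, gateway, metric, device)
    ("0.0.0.0/0", "198.51.100.1", 0, "qg-8c88ca4b-2a"),
    ("0.0.0.0/0", "192.0.2.1", 0, "br-ex"),
    ("192.0.2.0/24", None, 0, "br-ex"),  # directly connected subnet
]


def lookup(routes, dst):
    """Simplified model: longest prefix wins, then lowest metric, then table order."""
    addr = ipaddress.ip_address(dst)
    best = None
    for pos, (net, gw, metric, dev) in enumerate(routes):
        network = ipaddress.ip_network(net)
        if addr not in network:
            continue
        key = (-network.prefixlen, metric, pos)
        if best is None or key < best[0]:
            best = (key, gw, dev)
    if best is None:
        return None
    return best[1], best[2]


def with_static_route(routes, host, gateway, dev):
    """Return a new table with a /32 host route, like `ip route add HOST/32 via GW`."""
    return routes + [(f"{host}/32", gateway, 0, dev)]


LAPTOP_IP = "203.0.113.50"  # constructed remote client address

if __name__ == "__main__":
    # Replies to the laptop leave via the qg- default route first.
    print("before:", lookup(ROUTES, LAPTOP_IP))
    fixed = with_static_route(ROUTES, LAPTOP_IP, "192.0.2.1", "br-ex")
    # The host route is more specific, so it overrides both defaults.
    print("after: ", lookup(fixed, LAPTOP_IP))
    # Every other internet client is still answered via the qg- route.
    print("other: ", lookup(fixed, "203.0.113.99"))
```

The last lookup shows the limit raised in the comments: a host or network route only covers the destinations it names, so it does not make the controller reachable from arbitrary internet clients.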
