iptables unable to ping public interface br-ex, but VMs can ping out

asked 2013-07-22 07:24:15 -0500 by skyrainman

Hello,

I have what I believe is an iptables/firewall issue. In short, my VMs can ping in and out and floating IPs work. However, once I set up my first public network, my public interface (br-ex) on my controller node stopped working, and therefore I lost external connectivity to my controller.

I have traced what the problem is, but I am unsure how to resolve it. When I created my public network, that's when my public traffic interface stopped working. Upon inspection, I found that OpenStack created a default route as follows:

    0.0.0.0  65.55.58.1  0.0.0.0  UG  0  0  0  qg-8c88ca4b-2a

This route has a higher priority than my original route, which causes the problem, as the routing table now shows two default routes:

    0.0.0.0  65.55.58.1     0.0.0.0  UG  0  0  0  qg-8c88ca4b-2a
    0.0.0.0  209.132.183.1  0.0.0.0  UG  0  0  0  br-ex

What I found is that if I remove the default gateway route (65.55.58.1) created by OpenStack, I can reach the controller's external IP just fine. However, my VMs then can't ping in or out, although they can reach the internal router (10.0.0.1).

Then, if I add the OpenStack route back, I can reach my VMs' floating IPs, and they can ping in and out. My goal is to allow my external interface access to the internet for controller public connectivity. Is there a way to correct this issue I am facing?

Also, I added a few firewall rules to allow my backup servers etc., but when OpenStack services are reloaded, the rules are removed. Is there a file that I can add the rules to that will allow the host to reload the rules when it reloads the OpenStack iptables rules?


1 answer


answered 2013-07-22 08:07:22 -0500 by darragh-oreilly (updated 2013-07-22 08:08:30 -0500)

Say you want to connect to the controller from your laptop, then add a static route on the controller:

    ip route add ${LAPTOP_IP}/32 via 209.132.183.1

or you may want to add a static route for the network the laptop is on instead.


Comments

Hey there Darragh, I need to make the controller available to the entire internet so that the APIs and dashboard are available to the public internet.

skyrainman (2013-07-22 08:22:59 -0500)

So you want to route API/horizon packets via 209.132.183.1, and floating IP packets via 65.55.58.1?

darragh-oreilly (2013-07-22 09:19:26 -0500)

Yes, that would work. To be honest, they can all route via one gateway, as long as the same outcome is achieved.

skyrainman (2013-07-22 09:20:57 -0500)

OK, that (2 default routes) would not be possible. You will need to remove the 209.132.183.1 one and keep the 65.55.58.1 one.

darragh-oreilly (2013-07-22 09:53:18 -0500)

I believe this issue is fixed with a simple iptables rule; otherwise, it is a bug. These 2 subnets are on the same VLAN. It's just that quantum is blocking outbound traffic for the 174.138.21.0 subnet.

skyrainman (2013-07-22 14:08:20 -0500)
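The thread stops at "two default routes is not possible", which is true for the main routing table but not for the host as a whole: Linux policy routing (ip rule + a second routing table) lets the controller keep the Quantum-installed default route via 65.55.58.1 while packets sourced from the controller's own br-ex address go out via 209.132.183.1. The script below is an added example, not code from the thread or from OpenStack; the two gateways are the ones shown in the question, while the controller's own external address (CTRL_IP), the table number (100) and the rule preference (1000) are assumed placeholders. It only defines functions unless invoked with "apply", and DRY_RUN=1 prints the ip commands instead of executing them, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Source-based policy routing for an OpenStack controller whose br-ex uplink
# was shadowed by the default route the L3 agent put on the qg- interface.
# Added example, not from the original thread. Values marked ASSUMED are
# placeholders that must be replaced with the real deployment values.
set -eu

QUANTUM_GW="65.55.58.1"                 # default route installed by quantum (from the question)
CTRL_GW="209.132.183.1"                 # controller's original uplink gateway (from the question)
CTRL_IP="${CTRL_IP:-203.0.113.10}"      # ASSUMED: controller's own address on br-ex
CTRL_TABLE="${CTRL_TABLE:-100}"         # ASSUMED: spare routing table number
CTRL_PREF="${CTRL_PREF:-1000}"          # ASSUMED: rule preference; lower than 32766 (main)

# run_cmd: execute the command, or print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Keep the quantum default route in the main table (floating IP traffic needs it)
# and steer only traffic *from* the controller's own address through CTRL_GW.
setup_policy_routing() {
    # 1. A private table whose only default route is the controller's real uplink.
    run_cmd ip route replace default via "$CTRL_GW" dev br-ex table "$CTRL_TABLE"
    # 2. Packets sourced from CTRL_IP (API/Horizon replies, SSH, backups) use that table.
    run_cmd ip rule add from "$CTRL_IP"/32 table "$CTRL_TABLE" pref "$CTRL_PREF"
    # 3. Harmless on modern kernels, required on the 2.6/3.x kernels of the period.
    run_cmd ip route flush cache
}

# Undo the above without touching anything quantum manages.
teardown_policy_routing() {
    run_cmd ip rule del from "$CTRL_IP"/32 table "$CTRL_TABLE" pref "$CTRL_PREF"
    run_cmd ip route flush table "$CTRL_TABLE"
    run_cmd ip route flush cache
}

# Show which gateway the kernel would pick for a packet sourced from CTRL_IP versus
# an unspecified source (the latter should still use QUANTUM_GW). Informational only.
show_routing_decision() {
    run_cmd ip route get 8.8.8.8 from "$CTRL_IP"
    run_cmd ip route get 8.8.8.8
    run_cmd ip rule show
}

case "${1:-}" in
    apply)    setup_policy_routing; show_routing_decision ;;
    teardown) teardown_policy_routing ;;
    *)        : ;;   # no argument: only define the functions
esac
```

Two caveats a practitioner should check before relying on this. First, the qg- default route only lands in the host's root namespace because the L3 agent is running without network namespaces; with namespaces enabled, the router's routes live in its own qrouter- namespace and do not collide with the controller's table at all, so fixing use_namespaces is the cleaner answer on a fresh deployment. Second, the ip rule and the extra table are not persistent; re-run the script (or an equivalent if-up hook) after a reboot, and re-check ip rule show after restarting the L3 agent, since anything that replaces the main table's default route will not remove the rule but may change what QUANTUM_GW-bound traffic does.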
