RDO setup. Instances cannot access external network, while external network cannot ping instances

asked 2014-07-11 05:49:47 -0500

sprhawk

updated 2014-07-11 05:52:47 -0500

I'm new to OpenStack. I'm using RDO packstack --allinone setup.

All openstack nodes reside in one single machine, with only one physical ethernet interface (eth0,

I launched two instances (Test6 and Test7) and set up public and private networks, then assigned floating IPs to both of them.

network topology image see here:

Public Network is, Private Network is

Test6 network is and, Test7 network is and

A router connect among test6 test7 and public network, to the private network, to the public network.

In the private network, Test6, Test7, and Router can ping or access each other (any public network address or private network address).

In Public, no hosts in public network can access Test6, Test7 or Router (, nor instances can access hosts.

I think I missed some iptables configuration for the bridge, but I couldn't figure out what filter I should add.

On host:

#ovs-vsctl show
Bridge br-int
    Port patch-tun
        Interface patch-tun
            type: patch
            options: {peer=patch-int}
    Port "qvoa86f386a-84"
        tag: 1
        Interface "qvoa86f386a-84"
    Port "tap816bfb16-c3"
        tag: 4095
        Interface "tap816bfb16-c3"
    Port "qvof5f02caa-df"
        tag: 1
        Interface "qvof5f02caa-df"
    Port "tapa37e0f14-18"
        tag: 1
        Interface "tapa37e0f14-18"
    Port "qr-095473ef-8f"
        tag: 1
        Interface "qr-095473ef-8f"
            type: internal
    Port br-int
        Interface br-int
            type: internal
    Port "qr-34feb8f5-dd"
        tag: 2
        Interface "qr-34feb8f5-dd"
            type: internal
Bridge br-ex
    Port "eth0"
        Interface "eth0"
    Port br-ex
        Interface br-ex
            type: internal
Bridge br-tun
    Port patch-int
        Interface patch-int
            type: patch
            options: {peer=patch-tun}
    Port br-tun
        Interface br-tun
            type: internal
ovs_version: "1.11.0"

#iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 49201 packets, 7639K bytes)
 pkts bytes target     prot opt in     out     source               destination
49201 7639K neutron-openvswi-PREROUTING  all  --  *      *  
42619 6708K nova-api-metadat-PREROUTING  all  --  *      *  
42619 6708K nova-api-PREROUTING  all  --  *      *  

Chain POSTROUTING (policy ACCEPT 15292 packets, 934K bytes)
 pkts bytes target     prot opt in     out     source               destination
15292  934K neutron-openvswi-POSTROUTING  all  --  *      *  
15292  934K neutron-postrouting-bottom  all  --  *      *  
12768  779K nova-api-metadat-POSTROUTING  all  --  *      *  
12791  781K nova-api-POSTROUTING  all  --  *      *  
15292  934K nova-postrouting-bottom  all  --  *      *  

Chain OUTPUT (policy ACCEPT 15266 packets, 932K bytes)
 pkts bytes target     prot opt in     out     source               destination
15266  932K neutron-openvswi-OUTPUT  all  --  *      *  
12760  779K nova-api-metadat-OUTPUT  all  --  *      *  
12783  780K nova-api-OUTPUT  all  --  *      *  

Chain neutron-openvswi-OUTPUT ...


Have you set up security-group rules:

$ source keystonerc_admin
$ nova secgroup-add-rule default icmp -1 -1
$ nova secgroup-add-rule default tcp 22 22
dbaxps ( 2014-07-11 05:56:53 -0500 )

Yes, I have set that. I can ping and ssh among instances and the router namespace (i.e., ip netns exec <router-ns> ping)

sprhawk ( 2014-07-11 06:02:14 -0500 )

Could you create a test CirrOS 0.3.2 VM?

Login:
$ ifconfig
$ ping
$ curl
$ curl
What reports:
$ ip netns list
dbaxps ( 2014-07-11 06:13:31 -0500 )

I'm currently working on it, and I'm trying to re-install the packstack, but I failed to install it, so I cannot show you the list. But I can tell you, inside the VM, I cannot ping the external network (not even the router set in the OpenStack dashboard).

When I finish the installation, I will show you.

sprhawk ( 2014-07-11 08:12:32 -0500 )

To reinstall:
$ packstack --answer-file=./answer-file-left-by-previous-run

dbaxps ( 2014-07-11 08:19:18 -0500 )

3 answers

answered 2014-07-14 05:41:17 -0500

SGPJ

Please refer to this blog:

answered 2014-07-11 10:56:25 -0500

dbaxps

To resolve the problem, an external network was created matching the public office network and OVS bridge br-ex was placed on this network; eth0 was made an OVS port of bridge br-ex.
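
As an added example (not part of the answer above and not an OpenStack tool), this Python script parses `ovs-vsctl show` output, abridged here from the question, and checks the state the answer describes: a physical uplink such as eth0 attached to br-ex. It also lists ports carrying tag 4095, which the Neutron OVS agent uses as its dead-VLAN tag; the function names are illustrative.

```python
import re

DEAD_VLAN_TAG = 4095  # tag the Neutron OVS agent puts on ports it has not wired up

# Abridged from the `ovs-vsctl show` output posted in the question.
SAMPLE = '''\
Bridge br-int
    Port "qvoa86f386a-84"
        tag: 1
        Interface "qvoa86f386a-84"
    Port "tap816bfb16-c3"
        tag: 4095
        Interface "tap816bfb16-c3"
Bridge br-ex
    Port "eth0"
        Interface "eth0"
    Port br-ex
        Interface br-ex
            type: internal
'''

def parse_ovs_show(text):
    """Return {bridge: {port: {"tag": int or None, "type": str or None}}}."""
    bridges, bridge, port = {}, None, None
    for line in text.splitlines():
        m = re.match(r'\s*(Bridge|Port|tag:|type:)\s+"?([^"\s]+)"?', line)
        if not m:
            continue  # Interface, options and version lines are not needed here
        key, val = m.groups()
        if key == "Bridge":
            bridge = bridges.setdefault(val, {})
            port = None
        elif key == "Port" and bridge is not None:
            port = bridge.setdefault(val, {"tag": None, "type": None})
        elif key == "tag:" and port is not None:
            port["tag"] = int(val)
        elif key == "type:" and port is not None:
            port["type"] = val  # an Interface type, recorded on its parent port
    return bridges

def check_external_bridge(bridges, ext="br-ex"):
    """Return (uplink ports on the external bridge, ports on the dead VLAN)."""
    # An uplink is a port with no interface type (not internal, not patch).
    uplinks = sorted(p for p, a in bridges.get(ext, {}).items()
                     if a["type"] is None and p != ext)
    dead = sorted(p for ports in bridges.values()
                  for p, a in ports.items() if a["tag"] == DEAD_VLAN_TAG)
    return uplinks, dead

if __name__ == "__main__":
    print(check_external_bridge(parse_ovs_show(SAMPLE)))
```

An empty uplink list means br-ex has no physical interface, so floating IPs cannot reach the outside network; a port in the second list has not been bound to any Neutron network.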

answered 2014-07-11 10:01:53 -0500

sprhawk

I freshly reinstalled the openstack package, and packstack --allinone.

Now the network works!

I think the only different settings is the public_net network address CIDR, was, now is

I'm not a professional in network administration. Does the netmask affect the network route table or something?

Does the netmask affect the network route table or something? - No
Do you have a real network with active internet?

dbaxps ( 2014-07-11 10:45:32 -0500 )

yes. my office internal network is on previously, I setup the openstack public network as, but no instances can access the public network. even the router's external network port cannot access the external network

sprhawk ( 2014-07-11 10:48:12 -0500 )

Asked: 2014-07-11 05:49:47 -0500

Seen: 3,294 times

Last updated: Jul 14 '14