Ask Your Question
0

RDO setup. Instances cannot access external network, while external network cannot ping instances

asked 2014-07-11 05:49:47 -0600

sprhawk gravatar image

updated 2014-07-11 05:52:47 -0600

I'm new to OpenStack. I'm using RDO packstack --allinone setup.

All openstack nodes reside in one single machine, with only one physical ethernet interface (eth0, 192.168.0.11)

I launched two instances(Test6 and Test7) and set up public and private network, then assigned floating ips to both of them.

network topology image see here: http://postimg.org/image/yumejw07n/

Public Network is 192.168.0.192/26, Private Network is 10.0.0.0/24.

Test6 network is 10.0.0.15 and 192.168.0.204, Test7 network is 10.0.0.17 and 192.168.0.199

A router connect among test6 test7 and public network, 10.0.0.1 to the private network, 192.168.0.203 to the public network.

In Private network, Test6 , Test7, and Router can ping or access between each other. (any public network address or private network address).

In Public, no hosts in public network can access Test6, Test7 or Router (192.168.0.203), nor instances can access hosts.

I think I missed some iptables configurations for bridge, but I didn't figure it out what filter should I add.

On host:

#ovs-vsctl show
bc3a6627-8bfa-4d4a-b75a-a360b1d9ebe2
Bridge br-int
    Port patch-tun
        Interface patch-tun
            type: patch
            options: {peer=patch-int}
    Port "qvoa86f386a-84"
        tag: 1
        Interface "qvoa86f386a-84"
    Port "tap816bfb16-c3"
        tag: 4095
        Interface "tap816bfb16-c3"
    Port "qvof5f02caa-df"
        tag: 1
        Interface "qvof5f02caa-df"
    Port "tapa37e0f14-18"
        tag: 1
        Interface "tapa37e0f14-18"
    Port "qr-095473ef-8f"
        tag: 1
        Interface "qr-095473ef-8f"
            type: internal
    Port br-int
        Interface br-int
            type: internal
    Port "qr-34feb8f5-dd"
        tag: 2
        Interface "qr-34feb8f5-dd"
            type: internal
Bridge br-ex
    Port "eth0"
        Interface "eth0"
    Port br-ex
        Interface br-ex
            type: internal
Bridge br-tun
    Port patch-int
        Interface patch-int
            type: patch
            options: {peer=patch-tun}
    Port br-tun
        Interface br-tun
            type: internal
ovs_version: "1.11.0"

#iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 49201 packets, 7639K bytes)
 pkts bytes target     prot opt in     out     source               destination
49201 7639K neutron-openvswi-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
42619 6708K nova-api-metadat-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
42619 6708K nova-api-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 15292 packets, 934K bytes)
 pkts bytes target     prot opt in     out     source               destination
15292  934K neutron-openvswi-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
15292  934K neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12768  779K nova-api-metadat-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12791  781K nova-api-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
15292  934K nova-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 15266 packets, 932K bytes)
 pkts bytes target     prot opt in     out     source               destination
15266  932K neutron-openvswi-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12760  779K nova-api-metadat-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12783  780K nova-api-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-OUTPUT ...
(more)
edit retag flag offensive close merge delete

Comments

Have you setup security-group rules :

$ source keystonerc_admin
$  nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
dbaxps gravatar imagedbaxps ( 2014-07-11 05:56:53 -0600 )edit

Yes, I have set that. I can ping and ssh among instances and router namespace(ie, ip netns exec <router-ns> ping)

sprhawk gravatar imagesprhawk ( 2014-07-11 06:02:14 -0600 )edit

Could you create test CirrOS 0.3.2 VM

Login :-
$ ifconfig
$ ping 8.8.8.8
$ curl http://169.254.169.254
$ curl  msn.com
What reports :-
$ ip netns list
dbaxps gravatar imagedbaxps ( 2014-07-11 06:13:31 -0600 )edit

I'm currently working on it, and i'm trying to re-install the packstack, but I failed to install it, so I cannot show you the list. But I can tell you, inside VM, I cannot ping to external network (not even the router set in OpenStack dashboard).

When I finished the installation, I will show you

sprhawk gravatar imagesprhawk ( 2014-07-11 08:12:32 -0600 )edit

To reinstall:
$ packstack --answer-file=./answer-file-left-by-previous-run

dbaxps gravatar imagedbaxps ( 2014-07-11 08:19:18 -0600 )edit
see more comments

3 answers

Sort by ยป oldest newest most voted
2

answered 2014-07-14 05:41:17 -0600

SGPJ gravatar image

Please refer to this blog: https://blogs.oracle.com/ronen/entry/...

edit flag offensive delete link more
add a comment
1

answered 2014-07-11 10:56:25 -0600

dbaxps gravatar image 
To resolve the problem external network was created matching public office network and OVS bridge br-ex placed on this  network, eth0 was made OVS port of bridge br-ex
edit flag offensive delete link more
add a comment
0

answered 2014-07-11 10:01:53 -0600

sprhawk gravatar image

I freshly reinstall the openstack package, and packstack --allinone.

Now the network works!

I think the only different settings is the public_net network address CIDR, was 192.168.0.192/26, now is 192.168.0.0/24.

I'm not professional in network administration. Is the netmask affect the network route table or something?

edit flag offensive delete link more

Comments

Is the netmask affect the network route table or something? - No
Do you have real network 192.168.0.0/24 with active internet ?

dbaxps gravatar imagedbaxps ( 2014-07-11 10:45:32 -0600 )edit

yes. my office internal network is on 192.168.0.0/24 previously, I setup the openstack public network as 192.168.0.192/26, but no instances can access the public network. even the router's external network port cannot access the external network

sprhawk gravatar imagesprhawk ( 2014-07-11 10:48:12 -0600 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2014-07-11 05:49:47 -0600

Seen: 3,256 times

Last updated: Jul 14 '14

Related questions

VMs not getting IP through DHCP private 10.x network unreachable

Devstack : how to access instances by there floating IPs from a no-openstack computer ?

External and Internal Network

Openstack nova - telnet: Unable to connect to remote host: Connection refused

Issue with RDO

what does RDO stand for?

succesful provisioning but failed deployment

Networking with openstack

Get private IP with CLI

Problem with gre network on Juno [closed]