Virtual machine as gateway

asked 2014-07-28 01:31:02 -0600

Doria gravatar image

I have installed openstack icehouse on ubuntu. I created two tenant networks using neutron, under the same tenant, network A is connected with router and br-ex, network B is not. I then created one virtual machine VM-1 in network A, and one virtual machine VM-2 in network B. I intend to configure VM-1 as the gateway of VM-2, and thus VM-2 can ping to the internet as VM-1 can do. But after I configured VM-1 as the default gw of VM-2, and enabled the packet forwarding of VM-1, VM-2 cannot ping VM-1, not even the internet.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2014-12-13 21:16:36 -0600

Zollner Robert gravatar image

1) VM-01 should have two interface one in Netw-A(eth0) and another in Netw-B(eth1) at this point if your "Security Group" setting permits it you should be able to ping between ip addreses of VM-01(eth1) and VM-02 that are in Netw-B

2) Next to be able to ping from Vm-02 to Vm-01 eth0 ipaddr (Netw-B) you must delete some iptables rules or disable the neutron firewall completely

get port id of VM-01 eth1:

neutron port-list |grep ""
| **6cd7f3ab**-.. fa:16:3e:9c:38:23 | {"subnet_id": "b9...", "ip_address": ""}|

id = 6cd7f3ab

iptables -n -L -t filter -v  --line-numbers | grep -i "Chain neutron-openvswi-s"6cd7f3ab -A 3
Chain neutron-openvswi-s6cd7f3ab-4 (1 references)
num   pkts bytes target     prot opt in     out   source        destination         
1     2658  229K RETURN     all  --  *      *    MAC FA:16:3e:9c:38:23
2        5     0 DROP       all  --  *      *

Delete rule nr. #2:

iptables -D neutron-openvswi-s6cd7f3ab-b 2

3) enable nat on vm-01:

iptables -t nat -A POSTROUTING -o **eth0** -j MASQUERADE
edit flag offensive delete link more

answered 2014-07-28 02:39:46 -0600

totten25 gravatar image

I don't understand why do you use VM-1 as gateway because by default, when you created internal network and you add it to be interface in virtual router. Router can help you to route between network A and network B. For this problem, VM-1 in network A didn't has routing information about VM-2 in network B. You should add routing which is linux command and when you reboot VM-1, routing table will be cleared and back to default. You may add route in /etc/network/interfaces. Moreover, i think "tcpdump" command can help you to figure out this problem.

edit flag offensive delete link more


Hello Totten, I want to configure VM-1 as the default gateway of VM-2 because I want to add a series of IPtables rules, which I cannot do on the router. Thank you for your answer. Do you know is this probably related to the nova security group rules?

Doria gravatar imageDoria ( 2014-07-28 11:26:02 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-07-28 01:31:02 -0600

Seen: 1,420 times

Last updated: Jul 28 '14