asked 2013-09-03 16:54:06 -0500

sasok

I am trying to configure a flat provider network on a single-node devstack install. Normal networking and floating IPs are all working as they should. I have added another physical interface (eth2) to be used for a flat provider network. I have created a flat provider network attached to eth2. I also had to create a subnet on the provider network, otherwise creating an instance connected to the provider network was not possible. CIDR for the subnet is 192.168.10/24. I have disabled DHCP for this subnet. On the instance attached to this provider network, the IP on the interface is configured statically to be I have another machine connected physically to eth2 with the IP When I try to ping from to, the replies never come back. ARP seems to be working OK. When using tshark to inspect various interfaces, replies can also be seen on the tap interface and qbr interfaces, so the instance seems to be replying. But on the veth pair attached to qbr the replies are no longer present.

When I inspect the instance with nova show <instance_id> I can see nova showing IP Subnet has DHCP disabled, but still this IP is shown. When I set the IP address of the instance interface to this IP, everything seems to be working fine. I can ping from the instance to the outside machine and vice versa. So the connectivity only seems to be assured for the IP that nova has chosen.

I would like to ask if this behaviour is intended or am I misconfiguring something. Would configuring the provider network as type vlan help?

answered 2013-09-04 02:04:31 -0500

darragh-oreilly

The security groups implementation adds iptables rules to prevent IP spoofing. Run iptables-save and look for a line with the source address.

Thanks. Do you know if this mechanism can be disabled in any way for the port?

sasok ( 2013-09-04 08:24:17 -0500 )

I don't think you can disable security groups on a particular port, but you may be able to disable security groups entirely.

darragh-oreilly ( 2013-09-04 09:02:02 -0500 )
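One way to carry out the check suggested in the answer above, as an added example that is not part of the original thread: a shell function that reads `iptables-save` output and reports whether a given source address is let through or falls to a chain's final DROP. The chain name, addresses, MAC and the rule layout in the sample (a source match that returns, followed by a bare DROP) are constructed for illustration; real chain names depend on the plugin and release.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the thread).
sample_rules() {
cat <<'EOF'
*filter
:example-spoof-chain - [0:0]
-A example-spoof-chain -s 192.168.10.3/32 -m mac --mac-source FA:16:3E:00:00:01 -j RETURN
-A example-spoof-chain -j DROP
COMMIT
EOF
}

# source_verdict ADDR: read iptables-save output on stdin and print
#   "allowed <chain>"  if a rule matching "-s ADDR" returns or accepts,
#   "dropped <chain>"  if ADDR is not allowed but a chain that pins other
#                      source addresses ends in an unconditional DROP,
#   "unmatched"        if no source-pinning chain is present.
# On a host with several ports, filter the input to one port's chain first;
# otherwise "dropped" names the last source-pinning chain seen.
source_verdict() {
    awk -v ip="$1" '
    $1 == "-A" {
        chain = $2; src = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") { src = $(i + 1); sub(/\/32$/, "", src) }
            if ($i == "-j") target = $(i + 1)
        }
        if (src != "" && (target == "RETURN" || target == "ACCEPT")) {
            pinned[chain] = 1                  # chain restricts source IPs
            if (src == ip) allowed = chain     # our address is on the list
        }
        # A bare "-A <chain> -j DROP" catches everything not returned above.
        if (NF == 4 && target == "DROP" && (chain in pinned)) dropchain = chain
    }
    END {
        if (allowed)        print "allowed " allowed
        else if (dropchain) print "dropped " dropchain
        else                print "unmatched"
    }'
}

# Demo on the constructed sample: an address the chain does not list.
sample_rules | source_verdict 192.168.10.50
```

On a real host the input would come from `iptables-save | source_verdict <address>`, run as root.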

