
vm can't access external network with vlan on physical interface [closed]

asked 2014-11-25 06:31:24 -0500

SysFiller

updated 2014-11-26 10:15:24 -0500

Hi, I'm using Ubuntu Trusty and I've installed an AIO OpenStack. I want to use just one interface but split the traffic across two different VLANs:

  • vlan73 ext/api
  • vlan74 mgmt/data

I've created the following network configuration:

auto em1.73
iface em1.73 inet manual
vlan-raw-device em1

auto brex
iface brex inet static
address 10.192.73.5
netmask 255.255.255.0
gateway 10.192.73.1
bridge_ports em1.73

auto em1.74
iface em1.74 inet static
address 10.192.74.5
netmask 255.255.255.0
vlan-raw-device em1

This is the brex section of ovs-vsctl show:

Bridge brex
    Port "qg-ff4a6b11-43"
        Interface "qg-ff4a6b11-43"
            type: internal
    Port "em1.73"
        Interface "em1.73"
    Port brex
        Interface brex
            type: internal

Networking is working for the OpenStack node itself. I've defined a private network and a public one, and the instances can ping their default gateway (virtual router) on both the private and external interfaces. It seems that they can't reach the public network and they are not accessible.

More info:

root@bf-controller01:/etc/nova# neutron net-list
+--------------------------------------+-----------+-----------------------------------------------------+
| id                                   | name      | subnets                                             |
+--------------------------------------+-----------+-----------------------------------------------------+
| 091bf592-b6c8-44a3-8fa9-11f43c93260b | private   | e04ee64a-3448-4eff-bdf9-3fb58e46643c 10.0.0.0/24    |
| 916c7f00-bde2-41ff-91d4-79ea99b61714 | public    | 44c48ac5-e2d2-4c42-8c96-ddee5d08ce39 10.192.73.0/24 |
| a0ef35e1-8f47-41b3-9920-58bf5856cc6c | buildfarm | 5301ba83-b02c-4cbe-a4d0-7a8afc79f3fb 10.10.10.0/24  |
+--------------------------------------+-----------+-----------------------------------------------------+

/etc/neutron/neutron.conf

[DEFAULT]
verbose = True
debug = True
state_path = /var/lib/neutron
lock_path = $state_path/lock
use_syslog = False
log_dir =/var/log/neutron
bind_host = 0.0.0.0
bind_port = 9696
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
service_plugins =neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,neutron.services.loadbalancer.plugin.LoadBalancerPlugin,neutron.services.vpn.plugin.VPNDriverPlugin,neutron.services.firewall.fwaas_plugin.FirewallPlugin,neutron.services.metering.metering_plugin.MeteringPlugin
auth_strategy = keystone
base_mac = fa:16:3e:00:00:00
mac_generation_retries = 16
dhcp_lease_duration = 86400
dhcp_agent_notification = True
allow_bulk = True
allow_pagination = False
allow_sorting = False
allow_overlapping_ips = True
rpc_backend = neutron.openstack.common.rpc.impl_kombu
control_exchange = neutron
rabbit_host = 10.192.74.5
rabbit_password = password
rabbit_port = 5672
rabbit_hosts = 10.192.74.5:5672
rabbit_userid = openstack
rabbit_virtual_host = /
rabbit_ha_queues = False
notification_driver = neutron.openstack.common.notifier.rpc_notifier
agent_down_time = 75
router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
dhcp_agents_per_network = 1
api_workers = 0
rpc_workers = 0
use_ssl = False
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://10.192.74.5:8774/v2/
nova_region_name =openstack
nova_admin_username =nova
nova_admin_tenant_id =5154fe3e868540cda135287ff47b6c43
nova_admin_password =password
nova_admin_auth_url =http://10.192.74.5:35357/v2.0/
send_events_interval = 2
rabbit_use_ssl=False
[quotas]
[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
report_interval = 30
[keystone_authtoken]
auth_host = 10.192.74.5
auth_port = 35357
auth_protocol = http
admin_tenant_name = services
admin_user = neutron
admin_password = password
signing_dir = $state_path/keystone-signing
auth_uri=http://10.192.74.5:5000/
[database]
connection = mysql://neutron:TwJGaxch2N@10.192.74.5/neutron
max_retries = 10
retry_interval = 10
idle_timeout = 3600
[service_providers]
service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

/etc/neutron/ml2_conf.ini

[ml2]
type_drivers = gre
tenant_network_types = gre
mechanism_drivers =openvswitch
[ml2_type_flat]
[ml2_type_vlan]
[ml2_type_gre]
tunnel_id_ranges =1:1000
[ml2_type_vxlan]
[securitygroup]
enable_security_group = True
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
[agent]
l2_population=False
polling_interval=2
arp_responder=False
tunnel_types=gre
[ovs]
enable_tunneling=True
integration_bridge=br-int
local_ip=10.192.74.5
tunnel_bridge=br-tun

root@bf-controller01:/etc/nova ...

Closed for the following reason: "question is not relevant or outdated" by SysFiller
close date 2014-11-28 03:47:20.534627

Comments

Please post your neutron.conf, ml2_conf.ini, and any ovs or other confs related to neutron

SamYaple (2014-11-25 06:47:38 -0500)

Three reports are needed :

ip netns exec qrouter-router01-id ifconfig
ip netns exec qdhcp-private-net-id route -n
ovs-vsctl show

where private-net is internal interface for router01

dbaxps (2014-11-25 15:20:04 -0500)

Updated the description! Many thanks

SysFiller (2014-11-26 03:36:53 -0500)

Update question with :-

ip netns exec qrouter-1259a267-05b5-4838-8ff1-337fdf9738bf ifconfig
ip netns exec qdhcp-091bf592-b6c8-44a3-8fa9-11f43c93260b route -n
ovs-vsctl show
ifconfig
/etc/neutron/plugin.ini

dbaxps (2014-11-26 04:00:08 -0500)

Run :-

ifconfig ( and  grep br-ex IP address )
ip netns exec qdhcp-6b580ca8-bc8b-49bf-ab52-d5df7c0a9195 ping 10.192.73.2
ip netns exec qdhcp-6b580ca8-bc8b-49bf-ab52-d5df7c0a9195 ping  IP-br-ex

dbaxps (2014-11-26 04:59:26 -0500)

2 answers


answered 2014-11-26 09:22:46 -0500

dgalvao

I have a similar setup and it's working. Did you enable promiscuous mode in the interface configs?

$ ls ifcfg-eth2*
ifcfg-eth2  ifcfg-eth2.38  ifcfg-eth2.40
$ ls ifcfg-eth2* | while read line; do cat $line; echo "--------"; done
DEVICE=eth2
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
PROMISC=yes
--------
DEVICE=eth2.38
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
VLAN=yes
PROMISC=yes
--------
DEVICE=eth2.40
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
VLAN=yes
PROMISC=yes
--------

Comments

I just tried setting all the interfaces in promisc mode but it doesn't seem to work:

up ip link set $IFACE promisc on

for every interface in /etc/network/interfaces. Also issued ifconfig <interface> promisc to enable that at runtime.

SysFiller (2014-11-26 09:50:19 -0500)

PS: I cannot even ping the public default gateway from the router that has an interface on that network:

defgw: 10.192.73.1
router01: 10.192.73.103
ip netns exec qrouter-c72b3a1e-c041-4ed4-b146-e53a2e22307d ping 10.192.73.1 -> Destination Host Unreachable

Looks like a vlan/bridging problem, doesn't it?

SysFiller (2014-11-26 09:57:30 -0500)

You need to ensure the interfaces are in promiscuous mode. All instances and neutron routers will have MAC addresses different than the MAC addresses in the physical interfaces. If promiscuous mode is disabled, the interfaces will drop all those frames.

dgalvao (2014-11-26 12:02:23 -0500)

I set em1 em73 and brex in promisc mode, still the same... I'm using gre as driver, should I set it to vlan instead? I also tried following this post http://www.gossamer-threads.com/lists/openstack/dev/39901 setting the tag on the interface, but still no luck.

SysFiller (2014-11-27 03:18:34 -0500)
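
A runtime check for the promiscuous-mode advice in the comments above, as an added example that is not part of the original thread: it reads each interface's kernel flags from sysfs and tests the IFF_PROMISC bit (0x100). The function names, the sample tree and its flag values are constructed for illustration; the interface names are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the thread): report promiscuous state per interface.
IFF_PROMISC=0x100   # bit value from <linux/if.h>

# promisc_state IFACE [SYSFS_NET_DIR] -> prints: on | off | missing
promisc_state() {
    flags_file="${2:-/sys/class/net}/$1/flags"
    [ -r "$flags_file" ] || { echo missing; return 0; }
    flags=$(cat "$flags_file")            # hex string, e.g. 0x1103
    if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
        echo on
    else
        echo off
    fi
}

# promisc_report SYSFS_NET_DIR IFACE... -> one line per interface;
# returns 1 if any listed interface is off or missing.
promisc_report() {
    dir=$1; shift
    rc=0
    for ifc in "$@"; do
        st=$(promisc_state "$ifc" "$dir")
        printf '%-8s %s\n' "$ifc" "$st"
        [ "$st" = on ] || rc=1
    done
    return $rc
}

# Constructed sample tree so the example runs offline:
# 0x1103 = UP|BROADCAST|PROMISC|MULTICAST, 0x1003 = the same without PROMISC.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/em1" "$d/em1.73" "$d/brex"
    echo 0x1103 > "$d/em1/flags"
    echo 0x1003 > "$d/em1.73/flags"
    echo 0x1103 > "$d/brex/flags"
    echo "$d"
}

sample=$(make_sample)
promisc_report "$sample" em1 em1.73 brex em1.74 \
    || echo "at least one interface is not in promiscuous mode"
rm -rf "$sample"
```

On a live host, run `promisc_report /sys/class/net em1 em1.73 brex` to read the real flags.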
0

answered 2014-11-28 03:46:49 -0500

SysFiller

I tried removing the vlan support using just simple plain interfaces and I had the same problem, so it must be something wrong with the configuration. I installed it using puppetlabs-openstack and I think something didn't go through properly.

I'd prefer to close this ticket as the environment is not consistent. By the way I want to thank everybody for your effort, really appreciated!



Stats

Asked: 2014-11-25 06:31:24 -0500

Seen: 1,032 times

Last updated: Nov 28 '14