Can't ping between instances with router on the middle (using VLAN)

asked 2015-04-17 15:54:02 -0600

leafar


I have an instance that is working as a router (CSR1Kv) and I have two instances connected to the router (CSR1Kv) on different VLANs.

instance1 <vlan113> router-CSR1Kv <vlan198> instance2

The instance1 is having the subnet that is able to ping router-CSR1Kv with IP on VLAN-113. The instance2 is having the subnet that is able to ping router-CSR1Kv with IP on VLAN-198.

I created the static route on instance1 of network pointing to the gateway router-CSR1Kv. I created the static route on instance2 of network pointing to the gateway router-CSR1Kv.

In theory, I should be able to ping between the VMs because the router is able to route the packets of both subnets but I can't even ping from instance1 the IP of the connected interface of router-CSR1Kv towards instance2.

That means that somehow I'm having a security or blocking point issue that is not allowing me to ping between two subnets that don't belong to the same network/netmask. In this case the CSR1Kv is an instance that is in the middle to provide the L3 communication of both instances BUT it is not working.

Can somebody explain to me how to solve this issue? What can be the cause of this issue?



Have you checked the Security Groups of the instances? Ping needs to be enabled in the SG.

rahulrajvn ( 2015-04-20 09:33:35 -0600 )

1 answer

answered 2015-04-23 13:35:42 -0600

leafar

Yes, I checked the security groups. Everything looks good. That is not the problem. The problem is related to a security measure applied in OpenStack with mac-spoofing... If I remove the iptables config I can ping without any problem from one instance to another passing through the router. That means that my iptables rules are blocking the source MAC address toward the destination. Does anybody have a solution to this issue?


Can you please do this:

ip netns

get the q-router then

ip netns exec q-router-Xxxxxxxxxx iptables -S

And edit your post. Tks

GLaupre ( 2015-04-23 16:17:18 -0600 )
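
The answer above attributes the failure to OpenStack's anti-spoofing iptables rules, and the comment asks for `iptables -S` output. The following is an added example, not code from this thread or from OpenStack: it evaluates a constructed dump of one port's source-check chain against (source IP, source MAC) pairs, to show why a router instance's own address passes while replies from its other interface and forwarded packets do not. The chain name, addresses, MACs and rule shape are assumptions, modelled on a per-port "allow this IP/MAC pair, drop the rest" chain.

```python
import ipaddress
import re

# Constructed `iptables -S` excerpt for the router instance's VLAN-113 port.
# Chain name, IP and MAC are made up for illustration (assumption).
SAMPLE_RULES = """\
-N neutron-openvswi-s1a2b3c4d-5
-A neutron-openvswi-s1a2b3c4d-5 -s 10.0.113.1/32 -m mac --mac-source FA:16:3E:00:01:13 -j RETURN
-A neutron-openvswi-s1a2b3c4d-5 -j DROP
"""
CHAIN = "neutron-openvswi-s1a2b3c4d-5"
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*?) -j (?P<target>\S+)\s*$")

def parse_chain(dump, chain):
    """Return the ordered rules of one chain as (network, mac, target)."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("chain") != chain:
            continue
        src = re.search(r"(?:^| )-s (\S+)", m.group("body"))
        mac = re.search(r"--mac-source (\S+)", m.group("body"))
        rules.append((
            ipaddress.ip_network(src.group(1), strict=False) if src else None,
            mac.group(1).upper() if mac else None,
            m.group("target"),
        ))
    return rules

def verdict(rules, src_ip, src_mac):
    """First matching rule wins, as in iptables; no match falls through."""
    ip = ipaddress.ip_address(src_ip)
    for net, mac, target in rules:
        if net is not None and ip not in net:
            continue
        if mac is not None and mac != src_mac.upper():
            continue
        return target
    return "FALLTHROUGH"

def check(src_ip, src_mac, dump=SAMPLE_RULES, chain=CHAIN):
    return verdict(parse_chain(dump, chain), src_ip, src_mac)

if __name__ == "__main__":
    port_mac = "fa:16:3e:00:01:13"  # MAC of the router's VLAN-113 port
    for label, ip in [("router VLAN-113 address", "10.0.113.1"),
                      ("router VLAN-198 address", "10.0.198.1"),
                      ("forwarded from instance2", "10.0.198.20")]:
        print(f"{label:26} src={ip:12} -> {check(ip, port_mac)}")
```
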


Asked: 2015-04-17 15:54:02 -0600

Seen: 535 times

Last updated: Apr 23 '15