devstack on Fedora 22, neutron networking, VM cannot ping internet hosts
I have a Fedora 22 machine where I am running devstack. Almost everything seems to be working properly, except my VMs cannot ping external (internet) hosts. Hopefully, someone can get me over that hump.
Here is a snippet from my local.conf (enp5s0 is my wired ethernet connection):
FLAT_INTERFACE=enp5s0
IP_VERSION=4
FLOATING_RANGE=192.168.3.0/24
PUBLIC_NETWORK_GATEWAY=192.168.3.1
FIXED_RANGE=10.3.0.0/24
NETWORK_GATEWAY=10.3.0.1
I have run iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE, which has worked for me on older versions of Fedora.
In the event it helps, here is a dump of my iptables rules.
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-openvswi-INPUT all -- anywhere anywhere
nova-api-INPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-FORWARD all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-OUTPUT all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
Chain DOCKER (1 references)
target prot opt source destination
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-openvswi-local all -- anywhere anywhere
Chain neutron-openvswi-FORWARD (1 references)
target prot opt source destination
neutron-openvswi-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
Chain neutron-openvswi-INPUT (1 references)
target prot opt source destination
neutron-openvswi-o5d908dd9-1 all -- anywhere anywhere PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-openvswi-obafd0f82-4 all -- anywhere anywhere PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
Chain neutron-openvswi-OUTPUT (1 references)
target prot opt source destination
Chain neutron-openvswi-i5d908dd9-1 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
RETURN all -- anywhere anywhere state RELATED ...
I should add that my router's External Gateway (192.168.3.2) shows a status of "Down". That is different from my devstack on Fedora 20 (which is working and shows a state of "Active").