Neutron qrouters not passing traffic onto Virtual Machines
Hi there,
I am setting up a relatively small OpenStack (Juno) deployment, with the aim of moving the current deployment into production when I have ironed out all the bugs (possibly involving a redeploy with the assistance of Puppet; not sure yet).
However, I have encountered a blocker I am unable to overcome. Any qrouters I create do not appear to pass traffic on to the virtual machines. I can ping either side of the router, but any traffic that should be DNATed isn't appearing on the qr side of the router.
Some background on the setup:
- 3x CentOS 7 Controller/Network Nodes running Neutron OpenVSwitch Agents, Neutron L3 Agents, Neutron DHCP Agents and Metadata Agents (control1 through control3)
- 7x CentOS 7 Compute Nodes running Neutron OpenVSwitch Agents (compute1 through compute7)
Routers are set to be non-distributed and HA (I wanted to go distributed and HA; unfortunately that isn't yet supported in Juno). We have one external VLAN (47 in this setup), which is our DMZ, 10.47.0.0/20, and we have configured this with the goal of adding more VLANs with external allocations in future.
We also have the following networks for various functions:
- 10.47.16.0/24 Management (VLAN 48)
- 10.47.17.0/24 Mesh (for GRE traffic, VLAN 49)
Here is some relevant output and configuration files:
ovs-vsctl show on the management node with the active router:
[root@control3 ~]# ovs-vsctl show
7efc1761-efab-4caa-9932-654caf074936
    Bridge br-tun
        Port "gre-0a01e441"
            Interface "gre-0a01e441"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.65"}
        Port "gre-0a01e451"
            Interface "gre-0a01e451"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.81"}
        Port "gre-0a01e453"
            Interface "gre-0a01e453"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.83"}
        Port "gre-0a01e452"
            Interface "gre-0a01e452"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.82"}
        Port br-tun
            Interface br-tun
                type: internal
        Port "gre-0a01e456"
            Interface "gre-0a01e456"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.86"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "gre-0a01e454"
            Interface "gre-0a01e454"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.84"}
        Port "gre-0a01e457"
            Interface "gre-0a01e457"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.87"}
        Port "gre-0a01e440"
            Interface "gre-0a01e440"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.64"}
        Port "gre-0a01e455"
            Interface "gre-0a01e455"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.47.17.66", out_key=flow, remote_ip="10.47.17.85"}
    Bridge br-int
        fail_mode: secure
        Port "qr-8668140a-07"
            tag: 1
            Interface "qr-8668140a-07"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "tap9e08a279-67"
            tag: 1
            Interface "tap9e08a279-67"
        Port br-int
            Interface ...
Yeah, it seems the DNAT rule is not being hit. Use iptables-save -c as you ping to see which, if any, rules are actually being hit. Also try tcpdumping without filtering for icmp only - you could be missing something.

After taking your suggestion I noticed that the DNAT is being hit. It is incrementing with each packet. However, the problem is that despite the DNAT being hit the packets aren't leaving via the qr interface.

Can you ping 10.47.0.132 or 10.47.0.130 from the vm?

Yes, I can ping the floating IP address and the external IP address of the router from the vm.
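An added example (not from this thread or from Neutron itself) of the counter check suggested above: take two iptables-save -c snapshots of the router namespace's nat table, one before and one after pinging the floating IP, and list only the rules whose packet counters grew. The two snapshots below are constructed to mirror the symptom in the thread: the PREROUTING jump and the DNAT rule for 10.47.0.132 increment, while the float-snat rule for the VM's replies stays flat, which is what you would expect when DNATed packets never make it out of the qr interface. The fixed IP 10.0.0.5 and the router id placeholder are assumptions, not values from the thread.

```shell
#!/bin/sh
# Constructed sample: `iptables-save -c -t nat` taken inside a qrouter namespace
# before a ping to the floating IP. Counters are [packets:bytes].
BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
[120:10080] -A PREROUTING -j neutron-l3-agent-PREROUTING
[45:3780] -A neutron-l3-agent-PREROUTING -d 10.47.0.132/32 -j DNAT --to-destination 10.0.0.5
[0:0] -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
[45:3780] -A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 10.47.0.132
COMMIT'

# Constructed sample: the same table after four ICMP echo requests arrived.
# Only the inbound path moved; the reply SNAT counter did not.
AFTER='*nat
:PREROUTING ACCEPT [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
[124:10416] -A PREROUTING -j neutron-l3-agent-PREROUTING
[49:4116] -A neutron-l3-agent-PREROUTING -d 10.47.0.132/32 -j DNAT --to-destination 10.0.0.5
[0:0] -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
[45:3780] -A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 10.47.0.132
COMMIT'

# Take a live snapshot of the nat table for router $1 (hypothetical id, e.g.
# the UUID shown by `neutron router-list`); needs root on the network node.
snapshot_nat() {
  ip netns exec "qrouter-$1" iptables-save -c -t nat
}

# rules_hit BEFORE AFTER: print "<packet delta> <rule>" for each rule in AFTER
# whose packet counter is higher than the matching rule's counter in BEFORE.
# Rules are matched on their exact text after the "[pkts:bytes] " prefix, so
# a rule that first appears in AFTER is compared against 0.
rules_hit() {
  before="$1"; after="$2"
  printf '%s\n' "$after" | grep '^\[' | while IFS= read -r aline; do
    rule=${aline#*] }                      # strip the "[pkts:bytes] " prefix
    pk_after=${aline#\[}; pk_after=${pk_after%%:*}
    pk_before=0
    while IFS= read -r bline; do           # look the rule up in the earlier snapshot
      case "$bline" in \[*) ;; *) continue ;; esac
      if [ "${bline#*] }" = "$rule" ]; then
        pk_before=${bline#\[}; pk_before=${pk_before%%:*}
        break
      fi
    done <<EOF
$before
EOF
    if [ "$pk_after" -gt "$pk_before" ]; then
      echo "$((pk_after - pk_before)) $rule"
    fi
  done
}

# Demo on the constructed snapshots. On a live node you would instead do:
#   b=$(snapshot_nat <router-id>); ping -c 4 10.47.0.132; a=$(snapshot_nat <router-id>)
#   rules_hit "$b" "$a"
rules_hit "$BEFORE" "$AFTER"
```

If the DNAT line shows up in the delta but the float-snat line does not, the translation is happening and the problem lies after the nat table: the next place to look is the router's routing table and the FORWARD chain inside the namespace, then tcpdump on the qr interface with no filter, as suggested above.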