Neutron router can't reach external network - Kilo

asked 2015-07-28 17:16:39 -0600

unitiger

updated 2015-07-30 16:45:58 -0600

Hi guys, it's not my first time facing this issue - I had tried Juno before and now Kilo. I installed a multi-node (3 nodes for controller, network and compute) OpenStack environment per the Kilo installation instructions on my Mac via VirtualBox. My Mac is connected to the internet via wifi and virtualbox's NAT network is, with DNS server assigned by company wifi network.

I've set up the neutron network according to the instruction, here is the network interface configuration on network node:

# The primary network interface
auto eth2
iface eth2 inet manual
#iface eth2 inet dhcp
up ifconfig $IFACE up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

# The openvswitch network interface
auto br-ex
iface br-ex inet dhcp

eth2 is the external NIC of network node connecting to the NAT network of virtualbox. All 3 nodes have one NIC connected to this network (, controller is, network and compute The private network (demo-subnet) I defined is, so the external gateway IP of demo-router is, the private gateway IP is

I have looked up many similar questions but could not find the right solution for my case, so if you have any thoughts on that, pls be kind to share with me, thanks in advance!

---Appended based on Rahul's reply----

Hi Rahul, first thanks for your kind reply. Actually I forgot 1 point of what you mentioned - enabling IP forwarding on network node. But after the changes and all nodes rebooted, the controller still could not ping router gateway IP ( I tried to ping controller from the router and got following findings: Testing command on network node - ip netns exec qrouter-9bbc99ea-69ca-4a23-8fb7-c0b2ef7425dc ping note: is the IP of controller within ext-net

Controller ( received the ARP request from and unicast the ARP reply with its MAC address to the MAC address of neutron router external interface; The interface br-ex on network node didn't see the ARP reply from controller to neutron router; The router external interface didn't see the ARP reply either; Compute node saw the ARP request from and did nothing (expected behaviour).

So the question is why the ARP reply packets didn't arrive at the interface br-ex (I also tried the physical interface eth2 of network node and didn't see the ARP reply). I guess it may be caused by no layer 2 trunk between the virtualbox vswitch and ovs-vswitch. Any other thoughts?

---Adding more info about my configuration and testing Jul/31/2015, thanks for Kiran's comments--- start with output of "ovs-vsctl show"

root@network:/etc/neutron/plugins# ovs-vsctl show
2e906efa-87a8-46f4-99e4-4d8f299db833 ...
3 answers

answered 2015-10-20 03:38:39 -0600

My environment:
Win8.1 Host --> Virtualbox VM (Redhat 7.1) --> Packstack Juno.

I have only created the public network and a router from my admin account whose gateway has been set to the public network. I'm facing similar issue of not being able to connect to my gateway. I have checked as per other posts that my

  • bridge_mappings=physnet1:br-ex

  • /etc/neutron/l3_agent.ini external_network_bridge = br-ex

  • /etc/sysctl.conf net.ipv4.ip_forward=1

  • net.ipv4.conf.all.rp_filter=0
  • net.ipv4.conf.default.rp_filter=0

My enp0s3 (attached to br-ex) is in promiscuous mode as recommended by other posts.

Output of tcpdump -vv -nni enp0s3 icmp or arp: I see only ARP requests going out ... but no ARP replies from gateway coming in (or for that matter from any other machine on the network if I try to ping them). Hence, Ping is never sent out. But in qrouter's netns, I do see that arp -an shows the mac address of the gateway just fine. But it still tries to do an arp request when I ping gateway.

Even tried adding this on the Redhat VM host, based on other posts recommended elsewhere:

  • iptables -t nat -I POSTROUTING 1 -s -o enp0s3 -j MASQUERADE

Any ideas ?

rgds GA

answered 2015-07-29 07:12:04 -0600

RAHUL1603

Hi Unitiger,

Check for these things --

  1. Have you enabled br-ex in /etc/neutron/l3_agent.ini: external_network_bridge = br-ex

  2. Check from VM -- ping -- should work ping -- gateway ping -- router gateway Traceroute -- Path should be same traceroute -- Path should be same.

Most probably your network node is not passing on traffic further. In that case traceroute will not go further. If that is the case, your network node is not doing IP forwarding. If so, see the guide on how to enable it -- /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0

sysctl -p

Please let me know if you are still facing issue.

Regards Rahul1603

Hi Rahul, I did some more testing based on your reply, please see the adding end to my original questions. Thanks! --Tiger

unitiger ( 2015-07-29 17:55:55 -0600 )

answered 2015-07-30 01:08:34 -0600

updated 2015-07-30 01:10:11 -0600

Unitiger, based on your debug, if the ARP reply was sent to neutron gateway's MAC (IP: did the mac address match the qrouter's interface on br-ex? Assuming you're using OVS, can you check the qrouter's interface is on br-ex with the ovs-vsctl show command?

Another thing to check is to ensure your eth2 is on the br-ex. Better yet, ensure it's on ifcfg-eth2 as it lasts across reboots.

As mentioned by previous answer, check that external network is specified. However, I would ensure in /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini

. . .
bridge_mappings =physnet1:br-ex

Of course, restart network node after this and check ovs-vsctl show.

Thanks, Kiran

Hi Kiran, thanks for your help, I added more info per your analysis, please help review again, thanks!

unitiger ( 2015-07-30 16:47:32 -0600 )
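An added example, not part of the thread: a shell check for the two things the answer above asks to confirm in `ovs-vsctl show`, namely that the physical NIC and the router's gateway port are both ports on br-ex. The function names and both sample outputs are constructed for illustration; it assumes the gateway port is named `qg-*` and is plugged directly into br-ex, as with `external_network_bridge = br-ex`.

```shell
#!/bin/sh
# Added example, not from the thread. Sample outputs below are constructed.

# Print the ports attached to bridge $1, reading `ovs-vsctl show` text on stdin.
ports_on_bridge() {
    awk -v br="$1" '
        $1 == "Bridge"            { gsub(/"/, "", $2); cur = $2; next }
        $1 == "Port" && cur == br { gsub(/"/, "", $2); print $2 }'
}

# Return 0 only if NIC $2 and a router gateway port (qg-*) are both on bridge $1.
check_external_bridge() {
    ports=$(ports_on_bridge "$1")
    rc=0
    if ! printf '%s\n' "$ports" | grep -qxF -- "$2"; then
        echo "MISSING: $2 is not a port on $1"; rc=1
    fi
    if ! printf '%s\n' "$ports" | grep -q '^qg-'; then
        echo "MISSING: no qg- router gateway port on $1"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $2 and a qg- port are on $1"; fi
    return "$rc"
}

sample_good() { cat <<'EOF'
00000000-0000-0000-0000-000000000000
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port "eth2"
            Interface "eth2"
        Port "qg-aaaaaaaa-aa"
            Interface "qg-aaaaaaaa-aa"
                type: internal
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port "qr-bbbbbbbb-bb"
            Interface "qr-bbbbbbbb-bb"
                type: internal
    ovs_version: "2.3.1"
EOF
}
# Same layout, but the physical NIC was never added to br-ex.
sample_bad() { sample_good | grep -v '"eth2"'; }

sample_good | check_external_bridge br-ex eth2 || true
sample_bad  | check_external_bridge br-ex eth2 || true
# On a real network node: ovs-vsctl show | check_external_bridge br-ex eth2
```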

