2

Neutron router can't reach external network - Kilo

asked 2015-07-28 17:16:39 -0500

unitiger

updated 2015-07-30 16:45:58 -0500

Hi guys, this is not the first time I have faced this issue - I tried Juno before and now Kilo. I installed a multi-node (3 nodes for controller, network and compute) OpenStack environment per the Kilo installation instructions on my Mac via VirtualBox. My Mac is connected to the internet via wifi and VirtualBox's NAT network is 10.0.3.0/24, with a DNS server assigned by the company wifi network.

I've set up the neutron network according to the instructions; here is the network interface configuration on the network node:

# The primary network interface
auto eth2
iface eth2 inet manual
#iface eth2 inet dhcp
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

# The openvswitch network interface
auto br-ex
iface br-ex inet dhcp

eth2 is the external NIC of network node connecting to the NAT network of virtualbox. All 3 nodes have one NIC connected to this network (10.0.3.0/24), controller is 10.0.3.16, network 10.0.3.12 and compute 10.0.3.11. The private network (demo-subnet) I defined is 172.16.1.0/24, so the external gateway IP of demo-router is 10.0.3.101, the private gateway IP is 172.16.1.1.

I have looked up many similar questions but could not find the right solution for my case, so if you have any thoughts on that, please be kind enough to share them with me. Thanks in advance!

---Appended based on Rahul's reply----

Hi Rahul, first thanks for your kind reply. Actually I forgot 1 point of what you mentioned - enabling IP forwarding on the network node. But after the changes and all nodes rebooted, the controller still could not ping the router gateway IP (10.0.3.101). I tried to ping the controller from the router and got the following findings:

Testing command on network node -

ip netns exec qrouter-9bbc99ea-69ca-4a23-8fb7-c0b2ef7425dc ping 10.0.3.16

note: 10.0.3.16 is the IP of controller within ext-net

  • Controller (10.0.3.16) received the ARP request from 10.0.3.101 and unicast the ARP reply with its MAC address to the MAC address of neutron router external interface;

  • The interface br-ex on network node didn't see the ARP reply from controller to neutron router;

  • The router external interface didn't see the ARP reply either;

  • Compute node saw the ARP request from 10.0.3.101 and did nothing (expected behaviour).

So the question is why the ARP reply packets didn't arrive at the interface br-ex (I also tried the physical interface eth2 of network node and didn't see the ARP reply). I guess it may be caused by no layer 2 trunk between the virtualbox vswitch and ovs-vswitch. Any other thoughts?

---Adding more info about my configuration and testing Jul/31/2015, thanks for Kiran's comments---

Start with the output of "ovs-vsctl show":

root@network:/etc/neutron/plugins# ovs-vsctl show
2e906efa-87a8-46f4-99e4-4d8f299db833 ...

3 answers

0

answered 2015-10-20 03:38:39 -0500

My environment:
Win8.1 Host --> Virtualbox VM (Redhat 7.1) --> Packstack Juno.

I have only created the public network and a router from my admin account whose gateway has been set to the public network. I'm facing a similar issue of not being able to connect to my gateway. I have checked as per other posts that my

  • bridge_mappings=physnet1:br-ex

  • /etc/neutron/l3_agent.ini external_network_bridge = br-ex

  • /etc/sysctl.conf net.ipv4.ip_forward=1

  • net.ipv4.conf.all.rp_filter=0
  • net.ipv4.conf.default.rp_filter=0

My enp0s3 (attached to br-ex) is in promiscuous mode as recommended by other posts.

Output of tcpdump -vv -nni enp0s3 icmp or arp: I see only ARP requests going out ... but no ARP replies from gateway coming in (or for that matter from any other machine on the network if I try to ping them). Hence, Ping is never sent out. But in qrouter's netns, I do see that arp -an shows the mac address of the gateway just fine. But it still tries to do an arp request when I ping gateway.

Even tried adding the following on the Redhat VM host, based on other posts recommended elsewhere:

  • iptables -t nat -I POSTROUTING 1 -s 192.168.1.0/24 -o enp0s3 -j MASQUERADE

Any ideas ?

rgds GA

0

answered 2015-07-30 01:08:34 -0500

updated 2015-07-30 01:10:11 -0500

Unitiger, based on your debug, if the ARP reply was sent to the neutron gateway's MAC (IP: 10.0.3.101), did the MAC address match the qrouter's interface on br-ex? Assuming you're using OVS, can you check that the qrouter's interface is on br-ex with the ovs-vsctl show command?

Another thing to check is to ensure your eth2 is on the br-ex. Better yet, ensure it's on ifcfg-eth2 as it lasts across reboots.

As mentioned by the previous answer, check that the external network is specified. However, I would ensure in /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:

[ovs]
. . .
bridge_mappings =physnet1:br-ex

Of course, restart network node after this and check ovs-vsctl show.

Thanks, Kiran


Comments

Hi Kiran, thanks for your help, I added more info per your analysis, please help review again, thanks!

unitiger ( 2015-07-30 16:47:32 -0500 )
0

answered 2015-07-29 07:12:04 -0500

RAHUL1603

Hi Unitiger,

Check for these things --

  1. Have you enabled br-ex in /etc/neutron/l3_agent.ini?

     external_network_bridge = br-ex

  2. Check from VM --

     ping 172.16.1.3 -- should work
     ping 172.16.1.1 -- gateway
     ping 10.0.3.101 -- router gateway
     traceroute 10.0.3.101 -- Path should be same
     traceroute 8.8.8.8 -- Path should be same.

Most probably your network node is not passing on traffic further. In that case traceroute will not go further than 10.0.3.101. If that is the case your network node is not doing IP forwarding. If so see the guide how to enable it --

/etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0

sysctl -p

Please let me know if you are still facing issue.

Regards Rahul1603


Comments

Hi Rahul, I did some more testing based on your reply, please see the addition at the end of my original question. Thanks! --Tiger

unitiger ( 2015-07-29 17:55:55 -0500 )
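
The answers above list the same network-node settings to verify (ip_forward, rp_filter, external_network_bridge, bridge_mappings). The following is an added example, not code from any poster or from OpenStack, that audits them in one pass and also compares the sysctl file against the values the kernel is actually using, which differ when sysctl.conf was edited but `sysctl -p` was not run. The function names and the PROC_SYS variable are this example's own; the default paths and expected values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the settings the answers list.
# PROC_SYS can be overridden so the audit can run against constructed files.
PROC_SYS=${PROC_SYS:-/proc/sys}

# get_kv FILE KEY: print the last uncommented "KEY = value" in FILE, trimmed.
# INI section headers are ignored (assumes KEY appears in a single section).
get_kv() {
    [ -r "$1" ] || return 0
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $0; sub(/^[^=]*=/, "", val)
                   gsub(/^[ \t]+|[ \t]+$/, "", val); found = val }
        END { print found }' "$1"
}

# runtime_sysctl KEY: value the kernel is using now (empty if unreadable).
runtime_sysctl() {
    cat "$PROC_SYS/$(printf '%s' "$1" | tr . /)" 2>/dev/null || true
}

# check NAME ACTUAL WANT: WANT is a shell glob; returns 1 on mismatch.
check() {
    case "$2" in
        $3) echo "OK   $1 = $2" ;;
        *)  echo "FAIL $1 = '${2:-<unset>}' (want $3)"; return 1 ;;
    esac
}

# audit_network_node [SYSCTL_CONF] [L3_INI] [OVS_INI]: exit status = number of FAILs.
audit_network_node() (
    sysctl_conf=${1:-/etc/sysctl.conf}
    l3_ini=${2:-/etc/neutron/l3_agent.ini}
    ovs_ini=${3:-/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini}
    fails=0
    for pair in net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=0 \
                net.ipv4.conf.default.rp_filter=0; do
        key=${pair%=*}; want=${pair#*=}
        check "$key (file)" "$(get_kv "$sysctl_conf" "$key")" "$want" || fails=$((fails + 1))
        check "$key (running)" "$(runtime_sysctl "$key")" "$want" || fails=$((fails + 1))
    done
    check external_network_bridge "$(get_kv "$l3_ini" external_network_bridge)" br-ex \
        || fails=$((fails + 1))
    check bridge_mappings "$(get_kv "$ovs_ini" bridge_mappings)" '*:br-ex*' \
        || fails=$((fails + 1))
    exit "$fails"
)
```

Source the file on the network node and run `audit_network_node`, passing alternative file paths as arguments if your layout differs. `rp_filter=0` turns off reverse-path source validation, so adjust the expected value in the loop if you run loose mode (`2`) instead.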

Stats

Asked: 2015-07-28 17:16:39 -0500

Seen: 3,541 times

Last updated: Oct 20 '15