Ask Your Question

Can't ping floating or instance ip

asked 2015-10-02 17:01:38 -0500

hansenb gravatar image

updated 2015-10-05 14:28:15 -0500

Been following the Juno Kilo installation guide to install everything on a single node (not in a vm) on ubuntu 14.04. Can create a instance, I can see it get an address assigned and give a floating ip. Up until recently was just giving anything that required an ip address in the conf file Just made a change to have the instance tunnel network as 192.168.2.x, so that's why there's an interface only for that, and not for the management network.

Been reading a lot today, but my spin seems a little different than what I've found, as I have an existing bridge that'd I'd like to keep (have librvirt running with guests), if I can. I may have strayed here by assigning br-ex an address on, but I can ping that address from other systems on the network. The routing table looks screwy as there are two routes for 10.20.80, to the two bridges.

So, can't ping the assigned address on the tenant network (, or the floating IP,

I have added the iptable rules to forward ping/ssh using the openstack commands.

$ neutron security-group-rule-create --protocol icmp  --direction ingress --remote-ip-prefix default
 $ neutron security-group-rule-create --protocol tcp   --port-range-min 22 --port-range-max 22  --direction ingress    --remote-ip-prefix  default

I have been able to ping and using ip netsh namespace based pings.

At wits end, probably read too many threads with similar questions. Appreciate any/all feedback, as this has been an educating experience.

Bob H

Based on other threads; here info on: ifconfig ovs-vsctl show ip route netstat -nr nuetron stuff


virtuser@ciosicm0:/var/log/apache2$ ifconfig
br0       Link encap:Ethernet  HWaddr 00:1a:64:db:2a:8c
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::21a:64ff:fedb:2a8c/64 Scope:Link
          RX packets:150353 errors:0 dropped:1 overruns:0 frame:0
          TX packets:32015 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9103048 (9.1 MB)  TX bytes:14358204 (14.3 MB)

br-ex     Link encap:Ethernet  HWaddr 00:1a:64:db:2a:8e
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::21a:64ff:fedb:2a8e/64 Scope:Link
          RX packets:1857529 errors:0 dropped:804878 overruns:0 frame:0
          TX packets:1448 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:189125419 (189.1 MB)  TX bytes:93670 (93.6 KB)

eth0      Link encap:Ethernet  HWaddr 00:1a:64:db:2a:8c
          inet6 addr: fe80::21a:64ff:fedb:2a8c/64 Scope:Link ...
edit retag flag offensive close merge delete


rch: edit: added iptables

hansenb gravatar imagehansenb ( 2015-10-05 14:28:41 -0500 )edit

Can you able to ping external router gateway from network namespace and vice versa from router namespace?

Raghavachari gravatar imageRaghavachari ( 2015-10-06 10:42:33 -0500 )edit

from either the dhcp or qrouter namespances I cannot ping either, or which are address on interfaces local to the machine.

I also can not ping the external gateway, which is

hansenb gravatar imagehansenb ( 2015-10-06 12:35:19 -0500 )edit

I've also updated the floating ip range, such that it does not overlap withe the br-ex address of

hansenb gravatar imagehansenb ( 2015-10-06 12:36:27 -0500 )edit

from either namespace, I can not ping the assigned instance ip (192.168.1.x) or the floating ip

hansenb gravatar imagehansenb ( 2015-10-06 13:01:48 -0500 )edit

3 answers

Sort by ยป oldest newest most voted

answered 2015-10-08 08:51:12 -0500

hansenb gravatar image

This is all with neutron, all-in-one setup on a single system. Kilo on Ubuntu 14.04.

After spending several days trying to figure this out, I had several problems and this is the list of items that corrected this. My concern over multiple bridges (one supporting libvirt based vm's) was not founded as this was left unaltered. Two public ip addresses on the same network on two different bridges did not matter either.

The instructions in the installation guide (kilo) do briefly mention (sort-of) necessary interface/bridge configuration of the system you're installing this on, but it doesn't show exactly what was needed. In the end, mine looked like this;

auto eth1.1234

auto eth1

iface eth1.1234 inet manual
    up ifconfig $IFACE up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down

auto br-ex
iface br-ex inet static
    bridge_stp on
    bridge_fd 0
    bridge_maxwait 0

More on this later...

I needed to add the security group rules show above, using the tenant project NOT from admin. This was a key omission that took many hours to figure out. I needed to source the tenant project file ( in the instructions) then do the adds using either the neutron cli (above) or the nova cli (tried this as well). I need to do this as I'm NOT using the Noop driver for the firewall. In ml2_conf.ini, in the [securitygroup] section mine is set to

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Still broke. Can't ping my floating ip, nor the other way around from the two namespaces.

The routes to my floating ip address on the system hosting the openstack installation were missing the routes to the public ip address. Since my floating ip's are not a range that can be defined with a netmask. I had to add static routes, i.e.

sudo ip route add dev br-ex

For each public ip. This is not a permanent thing, as I noticed when I cycled (ifdown/ifup) br-ex I would lose the routes. Next step will be to put these in the /etc/network/interfaces file.

Once I did this, I could ping from the two namespaces to anything on my local system. Progress, but still broke as I can't ping my external gateway yet.

Many similar questions suggested that you need to modify the iptables NAT table to MASQUERADE the traffic. I added this rule to the NAT table on the openstack system itself.

sudo iptables -t nat -A POSTROUTING -o br-ex -j MASQUERADE

No change. Then changed it to eth1 (I'm using eth1 as my interface, not eth2 as in the installation guide).

sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

To be honest, I'll ... (more)

edit flag offensive delete link more

answered 2018-01-31 21:00:18 -0500

roadrunner gravatar image

I spent days on this but I finally got it working by re-creating my public network using this script

neutron net-create external --router:external=true --provider:network_type=flat --provider:physical_network=extnet

The most important piece was physical_network, it should always be extnet, b'cos neutron maps network bridge to extnet

Hope that helps

edit flag offensive delete link more

answered 2018-05-24 03:36:57 -0500

Rahul Bagad gravatar image

Add ICMP rule in default security group

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2015-10-02 15:58:32 -0500

Seen: 12,891 times

Last updated: May 24 '18