# Can't ping floating or instance ip

Been following the Juno Kilo installation guide to install everything on a single node (not in a VM) on Ubuntu 14.04. Can create an instance, I can see it get an address assigned and give it a floating IP. Up until recently was just giving anything that required an IP address in the conf file 10.20.82.137. Just made a change to have the instance tunnel network as 192.168.2.x, so that's why there's an interface only for that, and not for the management network.

Been reading a lot today, but my spin seems a little different than what I've found, as I have an existing bridge that I'd like to keep (have libvirt running with guests), if I can. I may have strayed here by assigning br-ex an address on 10.20.82.150, but I can ping that address from other systems on the network. The routing table looks screwy as there are two routes for 10.20.80, to the two bridges.

So, can't ping the assigned address on the tenant network (192.168.1.3), or the floating IP, 10.20.82.151.

I have added the iptables rules to forward ping/ssh using the openstack commands.

$ neutron security-group-rule-create --protocol icmp --direction ingress --remote-ip-prefix 0.0.0.0/0 default
$ neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress --remote-ip-prefix 0.0.0.0/0 default


I have been able to ping 192.168.1.1/192.168.1.2 and 192.168.2.1 using ip netns namespace-based pings.

At wits end, probably read too many threads with similar questions. Appreciate any/all feedback, as this has been an educating experience.

Bob H

Based on other threads, here's info on: ifconfig, ovs-vsctl show, ip route, netstat -nr, neutron stuff

ifconfig

virtuser@ciosicm0:/var/log/apache2$ ifconfig
br0       Link encap:Ethernet  HWaddr 00:1a:64:db:2a:8c
          inet addr:10.20.82.137  Bcast:10.20.83.255  Mask:255.255.252.0
          inet6 addr: fe80::21a:64ff:fedb:2a8c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:150353 errors:0 dropped:1 overruns:0 frame:0
          TX packets:32015 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9103048 (9.1 MB)  TX bytes:14358204 (14.3 MB)

br-ex     Link encap:Ethernet  HWaddr 00:1a:64:db:2a:8e
          inet addr:10.20.82.150  Bcast:10.20.82.255  Mask:255.255.255.0
          inet6 addr: fe80::21a:64ff:fedb:2a8e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1857529 errors:0 dropped:804878 overruns:0 frame:0
          TX packets:1448 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:189125419 (189.1 MB)  TX bytes:93670 (93.6 KB)

eth0      Link encap:Ethernet  HWaddr 00:1a:64:db:2a:8c
          inet6 addr: fe80::21a:64ff:fedb:2a8c/64 Scope:Link
...

## Comments

rch: edit: added iptables ( 2015-10-05 14:28:41 -0500 )

Are you able to ping the external router gateway from the network namespace and vice versa from the router namespace? ( 2015-10-06 10:42:33 -0500 )

From either the dhcp or qrouter namespaces I cannot ping either 10.20.82.150 or 10.20.82.137, which are addresses on interfaces local to the machine. I also cannot ping the external gateway, which is 10.20.83.254. ( 2015-10-06 12:35:19 -0500 )

I've also updated the floating IP range, such that it does not overlap with the br-ex address of 10.20.82.150. ( 2015-10-06 12:36:27 -0500 )

From either namespace, I cannot ping the assigned instance IP (192.168.1.x) or the floating IP 10.20.82.152. ( 2015-10-06 13:01:48 -0500 )

## 3 answers

This is all with neutron, all-in-one setup on a single system. Kilo on Ubuntu 14.04.

After spending several days trying to figure this out, I had several problems and this is the list of items that corrected this.

My concern over multiple bridges (one supporting libvirt-based VMs) was not founded, as this was left unaltered. Two public IP addresses on the same network on two different bridges did not matter either.

The instructions in the installation guide (Kilo) do briefly mention (sort of) the necessary interface/bridge configuration of the system you're installing this on, but it doesn't show exactly what was needed. In the end, mine looked like this:

auto eth1.1234
# auto eth1
iface eth1.1234 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto br-ex
iface br-ex inet static
gateway 10.20.83.254
bridge_stp on
bridge_fd 0
bridge_maxwait 0
dns-nameservers 10.20.0.2 10.20.0.3


More on this later...

I needed to add the security group rules shown above, using the tenant project, NOT from admin. This was a key omission that took many hours to figure out. I needed to source the tenant project file (demo-openrs.sh in the instructions), then do the adds using either the neutron CLI (above) or the nova CLI (tried this as well). I need to do this as I'm NOT using the Noop driver for the firewall. In ml2_conf.ini, in the [securitygroup] section, mine is set to

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver


Still broke. Can't ping my floating ip, nor the other way around from the two namespaces.

The routes to my floating IP address on the system hosting the openstack installation were missing the routes to the public IP address. Since my floating IPs are not a range that can be defined with a netmask, I had to add static routes, i.e.

sudo ip route add 10.20.82.153/32 dev br-ex


For each public ip. This is not a permanent thing, as I noticed when I cycled (ifdown/ifup) br-ex I would lose the routes. Next step will be to put these in the /etc/network/interfaces file.

Once I did this, I could ping from the two namespaces to anything on my local system. Progress, but still broke as I can't ping my external gateway yet.

Many similar questions suggested that you need to modify the iptables NAT table to MASQUERADE the traffic. I added this rule to the NAT table on the openstack system itself.

sudo iptables -t nat -A POSTROUTING -o br-ex -j MASQUERADE


No change. Then changed it to eth1 (I'm using eth1 as my interface, not eth2 as in the installation guide).

sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


To be honest, I'll ...

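A check for the static-route step in the answer above, added here as an example and not part of the original post: it reads `ip route show` output, reports which floating IPs have no host route on `br-ex`, and prints the matching `up` lines for the `br-ex` stanza of /etc/network/interfaces. The function names and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_ROUTES is constructed.

# missing_routes ROUTES DEV IP...
# Print each IP that has no host route on DEV in ROUTES
# (ROUTES is the text printed by `ip route show`).
missing_routes() {
    routes=$1; dev=$2; shift 2
    for ip in "$@"; do
        # `ip route show` lists a /32 route as the bare address.
        if ! printf '%s\n' "$routes" | awk -v ip="$ip" -v dev="$dev" '
            ($1 == ip || $1 == (ip "/32")) && $2 == "dev" && $3 == dev { found = 1 }
            END { exit !found }'; then
            printf '%s\n' "$ip"
        fi
    done
}

# interfaces_lines DEV IP...
# Print one `up` line per IP for the DEV stanza of /etc/network/interfaces,
# so the route is re-added every time the interface is brought up.
interfaces_lines() {
    dev=$1; shift
    for ip in "$@"; do
        printf 'up ip route add %s/32 dev %s\n' "$ip" "$dev"
    done
}

# Constructed routing table: only 10.20.82.153 has its host route.
SAMPLE_ROUTES='default via 10.20.83.254 dev br0
10.20.80.0/22 dev br0  proto kernel  scope link  src 10.20.82.137
10.20.82.0/24 dev br-ex  proto kernel  scope link  src 10.20.82.150
10.20.82.153 dev br-ex  scope link'

missing=$(missing_routes "$SAMPLE_ROUTES" br-ex 10.20.82.152 10.20.82.153)
if [ -n "$missing" ]; then
    # Word splitting on $missing is intended: one IP per word.
    interfaces_lines br-ex $missing
fi
```

On a live host, pass `"$(ip route show)"` as the first argument instead of the sample text.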

I spent days on this but I finally got it working by re-creating my public network using this script

neutron net-create external --router:external=true --provider:network_type=flat --provider:physical_network=extnet

The most important piece was physical_network; it should always be extnet, because neutron maps the network bridge to extnet.

Hope that helps

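A way to confirm the mapping this answer relies on, added here as an example and not part of the original post: it assumes the Open vSwitch agent reads a `bridge_mappings` option from the `[ovs]` section of its configuration, and looks up which bridge a given `physical_network` name is mapped to. The function name and the sample configuration text are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_ML2 is constructed.

# mapped_bridge CONFIG_TEXT PHYSNET
# Print the bridge that PHYSNET maps to in the [ovs] bridge_mappings option.
# Returns non-zero when PHYSNET is not mapped to any bridge.
mapped_bridge() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Track which INI section we are in.
        /^[ \t]*\[/ { in_ovs = ($0 ~ /^[ \t]*\[ovs\]/); next }
        in_ovs && /^[ \t]*bridge_mappings[ \t]*=/ {
            sub(/^[^=]*=/, "")          # keep only the value
            gsub(/[ \t]/, "")           # drop optional spaces
            n = split($0, pairs, ",")   # physnet:bridge,physnet:bridge,...
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, ":")
                if (kv[1] == want) { print kv[2]; found = 1 }
            }
        }
        END { exit !found }'
}

# Constructed configuration fragment.
SAMPLE_ML2='[ml2]
type_drivers = flat,vxlan

[ovs]
local_ip = 192.168.2.1
bridge_mappings = extnet:br-ex

[securitygroup]
enable_security_group = True'

for physnet in extnet external; do
    if bridge=$(mapped_bridge "$SAMPLE_ML2" "$physnet"); then
        echo "$physnet -> $bridge"
    else
        echo "$physnet is not in bridge_mappings"
    fi
done
```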

Add ICMP rule in default security group
