Hi Openstack experts,

I have installed the master branch of OpenStack (devstack) in an all-in-one machine configuration on Ubuntu 14.04 LTS. I am creating a VM instance (VNF) in OpenStack that needs to provide the firewall and NAT service to my VM/host clients, and the VM will have 2 interfaces, LAN and WAN. I am using the OpenWRT VM. The VM instance is created with the LAN interface using the br-mgmt interface ( and the WAN interface is created with the net0 interface ( I was able to bring up the OpenWRT VM with LAN with IP and WAN with IP If I ping the WAN IP( from the Ubuntu host machine, ICMP requests are reaching the LAN interface in the OpenWRT VM and no ICMP reply is generated. So the ping fails with host is unreachable. Also I tried to ping the also from the host machine, and this is the LAN-side IP of the OpenStack router that is pointed to the OpenWRT VM. I was thinking that LAN-to-WAN routing is working if the reply comes for this IP( from the OpenWRT VM. The setup I am trying is something like this:

->(LAN- VM(WAN->(LAN- Router(WAN-External)->(outside world)

I tried masquerading to the WAN port as well in the OpenWRT VM. The routing is not working.

Then I thought it might be due to some issue in OpenWRT. So I tried to install an Ubuntu VM with 2 interfaces (LAN and WAN) and tried to make it the router by setting the ip_forward flag and masquerading. When I ping the IP from the Ubuntu host machine, ICMP requests are coming to the LAN interface of the Ubuntu VM and I am seeing the ICMP reply generated as well, but the host is not seeing the ICMP replies and reports host is unreachable. If I ping IP (OpenStack router LAN-side IP), ICMP requests are coming to the Ubuntu VM LAN interface and no ICMP reply is generated.

To check this concept, I tried VirtualBox and created the OpenWRT VM with LAN and WAN interfaces. I created another Ubuntu VM which points to the LAN interface of the OpenWRT VM, and routing is working perfectly.

I feel that it might be due to some concepts in OpenStack. I am not sure whether some iptables rules on the Ubuntu host machine are blocking or dropping the packets, or whether OpenStack doesn't support an instance with 2 interfaces and routing between the interfaces. Can somebody from the expert group provide a suggestion on how to make it work? It would be a great help.

thanks kali

There are netfilter rules that prevent packets being forwarded with a source IP different from the one allocated for the VM. So that prevents a VM acting as a router. These are on Linux bridges, so you can try disabling them with sysctl -w net.bridge.bridge-nf-call-iptables=0

darragh-oreilly

Thanks a lot for your info. I tried to make this change and it was not working. I will try to put up a diagram of what I am trying (virtual CPE) in OpenStack and how my setup is. Could you help with this?

Openstack

I am also having problems with my OpenWRT instances. Do you have any updates on your situation, and if you managed to get it working correctly, would you mind sharing your process? Also, where would I execute the sysctl command shown above?

akm862

Execute the sysctl command on the node running nova-compute.

darragh-oreilly
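
The source check described in the answer above, as an added example that is not part of the original thread: a shell sketch that evaluates a constructed iptables-save excerpt the way a per-port Neutron source-check chain would, and shows what setting net.bridge.bridge-nf-call-iptables to 0 changes on the compute node. The chain name, IP addresses and MAC are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Chain name, IPs and MAC are constructed.

# Constructed excerpt in iptables-save format: a per-port source-check chain
# as the Neutron iptables firewall driver lays it out on a compute node.
sample_rules() {
cat <<'EOF'
-A neutron-openvswi-s1a2b3c4d-5 -s 10.0.0.5/32 -m mac --mac-source FA:16:3E:00:00:01 -j RETURN
-A neutron-openvswi-s1a2b3c4d-5 -j DROP
EOF
}

# chain_verdict CHAIN SRC_IP < rules
# Print the target of the first rule in CHAIN that matches SRC_IP.
# Simplification: only exact /32 "-s" matches; the MAC match is assumed to pass.
chain_verdict() {
  awk -v chain="$1" -v src="$2" '
    $1 == "-A" && $2 == chain {
      want = ""; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") want = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (want == "" || want == (src "/32")) { print target; found = 1; exit }
    }
    END { if (!found) print "NO-MATCH" }'
}

# bridge_nf_value [FILE]: print the sysctl value, or "absent" when the proc
# file is missing (bridge netfilter code not loaded).
bridge_nf_value() {
  nf_file=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
  if [ -r "$nf_file" ]; then cat "$nf_file"; else echo absent; fi
}

# effective_verdict NF_VALUE CHAIN SRC_IP < rules
# With the sysctl at 0, bridged frames skip iptables entirely, so neither the
# source check nor any security-group rule on that host is applied to them.
effective_verdict() {
  if [ "$1" = "1" ]; then chain_verdict "$2" "$3"; else cat >/dev/null; echo BYPASS; fi
}

chain=neutron-openvswi-s1a2b3c4d-5
echo "bridge-nf-call-iptables on this host: $(bridge_nf_value)"
for src in 10.0.0.5 192.168.1.10; do  # VM's own address, then a client routed through it
  for nf in 1 0; do
    echo "src=$src nf=$nf -> $(sample_rules | effective_verdict "$nf" "$chain" "$src")"
  done
done
```

The DROP verdict for the routed client address is the behaviour the answer describes; BYPASS applies to every port on the host, not only the router VM.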