problem with ip forwarding between vms

asked 2016-03-02 11:20:34 -0500

a2k123

I looked for an answer in the forum and on Google but couldn't find anything helpful.

I have a private cloud with 4 physical servers, managed by OpenStack. Each server has 2 NICs, one for management and the other for data (the VMs are attached to the data NIC, and OpenStack management works through the management NIC). Server 1 is the controller, which has openstack-all-in-one installed. Servers 2, 3 and 4 are the compute nodes. Each compute node has one VM (instance). vm 1 in server 2, ip vm 2 in server 3, ip vm 3 in server 4, ip all three vms can communicate with each other.

Now, my goal is to change the route between vm1 and vm3 to pass through vm2. Therefore I added a static rule to the routing table of vm1 to route to through gateway in the same way I added a static rule to the routing table of vm3 to route to through gateway in vm2 I changed ip_forwarding in sysctl to 1 (to enable IP forwarding). Then I tried to send a ping to vm3 (from vm1). At first I thought it all worked well, but afterwards I realized that because all VMs are in the same subnet, vm2 recognized it and sent vm1 a redirect message, and vm1 started sending its traffic directly to vm3. I found how to disable the redirect message from vm2. Now, my problem is that vm2 does forward vm1's ping, but vm3 does not receive it. tcpdump in vm2 shows that vm2 does forward the ping to vm3. tcpdump in vm3 captures nothing. I tried to tcpdump in server 3 (the physical server where vm2 is located). I captured only the incoming ping request from vm1, but not the ping request that was forwarded from vm2 to vm3. Something blocked it.

My guess was that because IP forwarding changes only the MAC address of the packets and keeps the original source IP address, the packet is dropped, probably by the OVS. I configured vm2 to function as a NAT so it will replace vm1's IP address with vm2's IP address while forwarding the ping from vm1 to vm3. It worked. vm3 received the ping and answered with a ping reply to vm2. Now vm2 recognizes that the packet (the ping reply) is destined for vm1 and forwards it to vm1. But this time the source IP address is vm3's IP address ( so the message is blocked. With tcpdump in vm2, vm1, and server3 I saw exactly the same problem; vm2 sends the message (ping reply) to vm1, but the tcpdump on server3 can't capture it.

Any idea what OpenStack feature blocks it and how to disable it?

Thanks in advance, Amit.

1 answer

answered 2017-03-27 11:29:55 -0500

javibr

This is caused by the anti-spoofing policy; try disabling it (

Thanks, that resolved our issue of not being able to configure a NAT instance for VPN using Openswan.

ADouban ( 2019-12-30 04:07:39 -0500 )
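
The three packet flows from the question, replayed against a simplified model of a per-port anti-spoofing check. This is an added example, not part of the original posts and not Neutron's own code; the addresses, the MAC and the names `Port`, `egress_allowed` and `replay` are constructed for illustration. It compares the default filter with one that permits only the two forwarded source addresses.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Port:
    mac: str
    fixed_ip: str
    port_security: bool = True
    # (cidr, mac or None); a missing MAC falls back to the port's own MAC
    allowed_pairs: list = field(default_factory=list)

def egress_allowed(port, src_mac, src_ip):
    """True if a frame sent by the VM on this port passes the anti-spoofing check."""
    if not port.port_security:
        return True
    ip = ipaddress.ip_address(src_ip)
    pairs = [(port.fixed_ip, port.mac)]
    pairs += [(cidr, mac or port.mac) for cidr, mac in port.allowed_pairs]
    return any(src_mac.lower() == mac.lower()
               and ip in ipaddress.ip_network(cidr, strict=False)
               for cidr, mac in pairs)

# Constructed sample addresses (the question's real ones are not on the page).
VM1, VM2, VM3 = "10.0.0.11", "10.0.0.12", "10.0.0.13"
VM2_MAC = "fa:16:3e:00:00:02"

def replay(port):
    """Every frame below leaves vm2's port; only the source IP differs."""
    flows = {
        "forwarded request (src vm1)": VM1,
        "NATed request (src vm2)": VM2,
        "forwarded reply (src vm3)": VM3,
    }
    return {name: egress_allowed(port, VM2_MAC, src) for name, src in flows.items()}

if __name__ == "__main__":
    default = Port(VM2_MAC, VM2)
    scoped = Port(VM2_MAC, VM2,
                  allowed_pairs=[(VM1 + "/32", None), (VM3 + "/32", None)])
    for label, port in (("default", default), ("allowed pairs", scoped)):
        for name, ok in replay(port).items():
            print(f"{label:14} {name:28} {'pass' if ok else 'DROP'}")
```

In Neutron the narrower setting corresponds to allowed address pairs on vm2's port (`openstack port set --allowed-address ip-address=<CIDR> <port>`), which leaves the filter active for every other source address.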

Asked: 2016-03-02 11:20:34 -0500

Seen: 808 times

Last updated: Mar 27 '17