Can't access instance IP from any IP outside cloud IPs
Hello all,
I have a multi-node setup with Packstack. Instances work with IPs OK: I can access any IP in any VLAN in my network from any instance (tested with ssh), and I can access an instance IP from another instance IP. The problem is that I can't access the instance IP from any IP that is not an instance. Example: compute node: 10.13.43.50, CentOS instance: 10.13.43.73.
From 10.13.43.73 I can ping or ssh to 10.13.43.50 without problems. From 10.13.43.50 I can't access any instance's IP with any protocol.
I installed OpenStack all-in-one, then I used the answer file to add more compute nodes. Firewall and SELinux are disabled on all.
[root@server1 ~(keystone_admin)]# neutron net-list
+--------------------------------------+------------------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+------------------+----------------------------------------------------+
| c3daeb74-4337-412f-a0f2-8ae71645d16f | external_network | 2a968b98-4fce-4669-96b1-d4b73480bc53 10.13.43.0/24 |
+--------------------------------------+------------------+----------------------------------------------------+
[root@server1 ~(keystone_admin)]# neutron subnet-list
+--------------------------------------+---------------+---------------+-------------------------------------------------+
| id | name | cidr | allocation_pools |
+--------------------------------------+---------------+---------------+-------------------------------------------------+
| 2a968b98-4fce-4669-96b1-d4b73480bc53 | public_subnet | 10.13.43.0/24 | {"start": "10.13.43.65", "end": "10.13.43.239"} |
+--------------------------------------+---------------+---------------+-------------------------------------------------+
[root@server1 ~(keystone_admin)]# neutron port-list
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 39f5d246-90c1-4eb2-965c-da55a1f4728a | | fa:16:3e:a5:39:04 | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.73"} |
| cae2a36b-9d17-4e4c-9d96-ff9cc01cf845 | | fa:16:3e:dd:73:7f | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.74"} |
| de6f9c7b-4823-4de1-9bd1-9d33a7c63a59 | | fa:16:3e:35:b5:22 | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.70"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
[root@server1 ~(keystone_admin)]# neutron router-list
+--------------------------------------+---------+---------------------------------------------------------------+-------------+-------+
| id | name | external_gateway_info | distributed | ha |
+--------------------------------------+---------+---------------------------------------------------------------+-------------+-------+
| 3790c404-78dd-4414-9126-18c64c626ebc | router1 | {"network_id": "c3daeb74-4337-412f-a0f2-8ae71645d16f", | False | False |
| | | "enable_snat": true, "external_fixed_ips": [{"subnet_id": | | |
| | | "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": | | |
| | | "10.13.43.70"}]} | | |
+--------------------------------------+---------+---------------------------------------------------------------+-------------+-------+
[root@server1 ~(keystone_admin)]# neutron floatingip-list
[root@server1 ~(keystone_admin)]# ovs-vsctl show
8b0bf079-d523-464e-b7c6-1a7ae4c46ebd
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port br-tun
            Interface br-tun
                type: internal
        Port "vxlan-0a0d2b35"
            Interface "vxlan-0a0d2b35"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.53"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "vxlan-0a0d2b33"
            Interface "vxlan-0a0d2b33"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.51"}
        Port "vxlan-0a0d2b34"
            Interface "vxlan-0a0d2b34"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.52"}
        Port "vxlan-0a0d2b36"
            Interface "vxlan-0a0d2b36"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.54"}
    Bridge br-ex
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "eth0"
            Interface "eth0"
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port br-int
            Interface br-int
                type: internal
        Port "qvo39f5d246-90"
            tag: 1
            Interface "qvo39f5d246-90"
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
    ovs_version: "2.5.0"
What about security groups? Not sure if they are effective for instances directly connected to the external network, but normally an instance should block any ingress traffic from anywhere outside the security group.
Please upload somewhere a picture of
http://controller/dashboard/project/network_topology/
in "Normal" mode. Packstack works with "Network isolation" pretty smoothly (vs TripleO). Also update your question with neutron router-port-list your-router-name
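To illustrate the security-group comment above, here is an added example (not code from the thread or from OpenStack) that evaluates ingress the way a default-deny security group does, using the addresses from the question. It assumes the instances sit in an unmodified "default" group and that 10.13.43.74 is a second instance; the group id, the helper names and the two host rules are constructed for the example.

```python
import ipaddress

def rule(direction, protocol=None, port=None, prefix=None, group=None):
    """Build a rule dict using the field names of Neutron security-group rules."""
    return {"direction": direction, "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": port, "port_range_max": port,
            "remote_ip_prefix": prefix, "remote_group_id": group}

SG = "default-sg-id"  # placeholder id, constructed for this example
# What an unmodified "default" group contains (IPv4): all egress, and ingress
# only from ports that are members of the same group.
DEFAULT_RULES = [rule("egress"), rule("ingress", group=SG)]
# Members: the instance from the question plus 10.13.43.74, assumed here to
# be a second instance. The compute node 10.13.43.50 is not a Neutron port.
MEMBERS = {SG: {"10.13.43.73", "10.13.43.74"}}
# Narrow rules that would admit ping and SSH from the compute node only.
HOST_RULES = [rule("ingress", "icmp", prefix="10.13.43.50/32"),
              rule("ingress", "tcp", 22, prefix="10.13.43.50/32")]

def rule_matches(r, src_ip, protocol, port):
    """True if ingress rule r admits this packet (ICMP type/code not modelled)."""
    if r["direction"] != "ingress" or r["protocol"] not in (None, protocol):
        return False
    lo, hi = r["port_range_min"], r["port_range_max"]
    if lo is not None and (port is None or not lo <= port <= hi):
        return False
    if r["remote_group_id"]:  # source must be a member port of that group
        return src_ip in MEMBERS.get(r["remote_group_id"], set())
    net = ipaddress.ip_network(r["remote_ip_prefix"] or "0.0.0.0/0")
    return ipaddress.ip_address(src_ip) in net

def ingress_allowed(rules, src_ip, protocol, port=None):
    """Security groups are default-deny: some rule has to match."""
    return any(rule_matches(r, src_ip, protocol, port) for r in rules)

def blocked(rules, src_ip, wanted):
    """Return the (protocol, port) pairs from wanted that no rule admits."""
    return [w for w in wanted if not ingress_allowed(rules, src_ip, *w)]

if __name__ == "__main__":
    wanted = [("icmp", None), ("tcp", 22)]
    print("instance -> instance ssh:",
          ingress_allowed(DEFAULT_RULES, "10.13.43.74", "tcp", 22))
    print("blocked from host, default rules:",
          blocked(DEFAULT_RULES, "10.13.43.50", wanted))
    print("blocked from host, with host rules:",
          blocked(DEFAULT_RULES + HOST_RULES, "10.13.43.50", wanted))
```

Traffic started by the instance still works under the default rules because egress is allowed and security groups are stateful, so replies to it are admitted; that matches the one-way reachability described in the question.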