Cannot ping outside world when using NAT-VM / VPN
Hi,
I am running several VMs directly attached to a VLAN in OpenStack Mitaka on CentOS 7. This VM has a public IP address and a private interface. It masquerades on eth0 (public) and gets packets from a client-VM. There is also an OpenVPN connection for an external client to reach the client network.
I already set up such scenarios and they are working fine, but now I have a compute-node which blocks all traffic when the source address does not match (= forwarding). Packets (ICMP) leave the client-VM, arrive at the router-VM, get masqueraded, are sent to the external server, I get the reply and forward it back to the client. I can see the packet leaving the router-VM (tcpdump) but not arriving at the client-VM. This effectively cuts the internet access for all client VMs.
As far as I can see, all nodes have the same nova configuration. I use arp-anti-spoof security provided by neutron but the scenario above was working in the past on other nodes (including a Windows VM running on the same node).
The default security group also lists 0.0.0.0/0 and ::/0 for all protocols ingress and egress.
I am not sure what I need to change or fix for this to work.
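The symptom described in the post (the forwarded reply leaves the router VM in tcpdump but never reaches the client VM) is the classic shape of Neutron's port-security anti-spoofing filter on the compute node: a packet egressing a port with a source address that is neither one of the port's fixed IPs nor in its allowed address pairs is dropped silently. The following is an added model of that check, not code from the original question or from Neutron itself. It is simplified (IPv4 only, source address only; the real filter also pins the source MAC, and security-group rules are assumed any/any as the poster says), the topology and addresses are constructed sample data, and the `neutron port-update` syntax in `fix_command` is assumed from the Mitaka-era CLI.

```python
"""Added model of the Neutron port-security (anti-spoofing) egress filter that
a NAT router VM can trip.  Simplified on purpose: IPv4 only, source address
only (the real filter also pins the source MAC), security groups taken as
any/any.  All ports and addresses below are constructed sample data, not
values from the original question."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List


@dataclass
class Port:
    """Subset of a Neutron port as `neutron port-show` displays it."""
    port_id: str
    fixed_ips: List[str]
    allowed_address_pairs: List[str] = field(default_factory=list)  # CIDRs
    port_security_enabled: bool = True


def egress_allowed(port: Port, src_ip: str) -> bool:
    """True if a packet leaving the VM through `port` with source `src_ip`
    passes the anti-spoof filter.  Anything not matching a fixed IP or an
    allowed address pair is dropped silently on the compute node, which is
    the 'visible in tcpdump on the sender, never arrives' symptom."""
    if not port.port_security_enabled:
        return True
    src = ipaddress.ip_address(src_ip)
    if any(src == ipaddress.ip_address(ip) for ip in port.fixed_ips):
        return True
    return any(src in ipaddress.ip_network(cidr, strict=False)
               for cidr in port.allowed_address_pairs)


# Constructed topology (documentation address ranges):
#   client VM 10.10.0.20 -> router VM private 10.10.0.1 / public 203.0.113.5
#   -> external server 198.51.100.7
CLIENT = Port("client-port", ["10.10.0.20"])
ROUTER_PRIVATE = Port("router-priv-port", ["10.10.0.1"])
ROUTER_PUBLIC = Port("router-pub-port", ["203.0.113.5"])
EXTERNAL = "198.51.100.7"


def trace_request(client: Port, router_public: Port) -> str:
    """Outbound path: client egress (src = its own fixed IP), then router
    egress after MASQUERADE (src rewritten to the router's public fixed IP).
    Both sources are fixed IPs, so this leg works even with port security on."""
    if not egress_allowed(client, client.fixed_ips[0]):
        return "dropped at client port"
    if not egress_allowed(router_public, router_public.fixed_ips[0]):
        return "dropped at router public port"
    return "delivered"


def trace_reply(router_private: Port, external_ip: str) -> str:
    """Return path: the reply is de-NATed on the router VM and forwarded out
    of its private port with src = the external server.  That source is
    neither a fixed IP nor (by default) an allowed address pair of the port."""
    if not egress_allowed(router_private, external_ip):
        return "dropped at router private port (anti-spoof, src %s)" % external_ip
    return "delivered"


def with_allowed_pair(port: Port, cidr: str) -> Port:
    """The port as it looks after adding `cidr` to allowed_address_pairs."""
    return replace(port, allowed_address_pairs=port.allowed_address_pairs + [cidr])


def fix_command(port: Port, cidr: str = "0.0.0.0/0") -> str:
    """Mitaka-era neutron CLI that whitelists forwarded sources on the router's
    private port (assumed syntax; newer clouds use
    `openstack port set --allowed-address ip-address=<cidr> <port>`)."""
    return ("neutron port-update %s --allowed-address-pairs type=dict "
            "list=true ip_address=%s" % (port.port_id, cidr))


if __name__ == "__main__":
    print("request:", trace_request(CLIENT, ROUTER_PUBLIC))
    print("reply:  ", trace_reply(ROUTER_PRIVATE, EXTERNAL))
    print("fix:    ", fix_command(ROUTER_PRIVATE))
    print("after:  ", trace_reply(with_allowed_pair(ROUTER_PRIVATE, "0.0.0.0/0"), EXTERNAL))
```

The practical check this models: run `neutron port-show` on the router VM's private port and compare `port_security_enabled`, `fixed_ips` and `allowed_address_pairs` between the working nodes and the failing one; a forwarding VM needs either an allowed address pair covering the forwarded sources (and, on the real filter, the MAC it forwards with) or port security disabled on that port.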