Instance receiving traffic but not responding?

I ran a packstack install of OpenStack Ocata on a fresh install of CentOS 7. I used Neutron to link my external network (192.168.2.0/24), with a gateway of 192.168.2.1, which is my work computer, to my OpenStack internal network (10.0.0.0/24), which has a DHCP range of 10.0.0.50-100. My OpenStack server's physical connection is assigned 192.168.2.2.

It looks like...

192.168.2.1 (work computer)

192.168.2.2 (br-ex on OpenStack server)

192.168.2.51 (virtual router between external and internal networks in OpenStack)

10.0.0.* (private IPs for virtual OpenStack instances)

I can create an instance of CirrOS; it got an IP of 10.0.0.11, can connect to the internet fine, and can ping everything through the network back to 192.168.2.1. However, after assigning a floating IP of 192.168.2.56 to that instance, I cannot connect to it the other way from my work computer (192.168.2.1).

My security group is default and permits all IPv4 traffic on all ports inbound to the CirrOS instance.

Here is my NAT table for the router. With my limited knowledge of iptables, it looks like my PREROUTING table is correct to accept any packets intended for 192.168.2.56 and DNAT them to 10.0.0.11.

[root@localhost ~(keystone_admin)]# ip netns exec qrouter-2aafaf25-0a31-4ae9-9347-0cd70f6ac3b1 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 643 packets, 72024 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  668 73640 neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 37 packets, 7604 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   284 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 9 packets, 656 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13   940 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   13   940 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.2.56         to:10.0.0.11

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !qg-a8c35605-51 !qg-a8c35605-51  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   656 DNAT       all  --  *      *       0.0.0.0/0            192.168.2.56         to:10.0.0.11
   16   960 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       10.0.0.11            0.0.0.0/0            to:192.168.2.56

Chain neutron-l3-agent-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   940 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   284 SNAT       all  --  *      qg-a8c35605-51  0.0.0.0/0            0.0.0.0/0            to:192.168.2.51
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x2/0xffff ctstate DNAT to:192.168.2.51

Chain neutron-postrouting-bottom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   940 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. *

However, if I tcpdump the bridge, I see my 192.168.2.1 hitting 192.168.2.56, but then it seems to forward the packet with the same source IP of 192.168.2.1, which is not on the same network as the destination 10.0.0.* network. Is this a problem with the router NAT in Neutron? Did I misconfigure the router?


[root@localhost ~(keystone_admin)]# tcpdump -i any -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:38:55.238778 IP 192.168.2.1 > 192.168.2.56: ICMP echo request, id 44824, seq 0, length 64
17:38:55.238993 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 0, length 64
17:38:55.238997 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 0, length 64
17:38:56.238839 IP 192.168.2.1 > 192.168.2.56: ICMP echo request, id 44824, seq 1, length 64
17:38:56.238882 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 1, length 64
17:38:56.238884 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 1, length 64
17:38:57.241239 IP 192.168.2.1 > 192.168.2.56: ICMP echo request, id 44824, seq 2, length 64
17:38:57.241286 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 2, length 64
17:38:57.241288 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 2, length 64
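
An added example, not part of the original post: a small Python parser that groups the ICMP lines of a `tcpdump -i any -n icmp` capture like the one above by echo id and sequence number, and reports which stage each probe was captured at (before the floating-IP DNAT, after it, or answered). The function names and the stage labels are assumptions made for this illustration; the sample lines are copied from the capture in the question.

```python
import re
from collections import defaultdict

# Sample input: the first two probes from the capture in the question.
CAPTURE = """\
17:38:55.238778 IP 192.168.2.1 > 192.168.2.56: ICMP echo request, id 44824, seq 0, length 64
17:38:55.238993 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 0, length 64
17:38:55.238997 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 0, length 64
17:38:56.238839 IP 192.168.2.1 > 192.168.2.56: ICMP echo request, id 44824, seq 1, length 64
17:38:56.238882 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 1, length 64
17:38:56.238884 IP 192.168.2.1 > 10.0.0.11: ICMP echo request, id 44824, seq 1, length 64
"""

ECHO = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def trace_probes(capture, floating_ip, fixed_ip):
    """Tally each ICMP echo (id, seq) by the stage at which it was captured."""
    probes = defaultdict(lambda: dict(to_floating=0, to_fixed=0, replies=0, sources=set()))
    for line in capture.splitlines():
        m = ECHO.match(line)
        if not m:
            continue  # tcpdump banner lines and anything that is not an echo
        p = probes[(int(m["id"]), int(m["seq"]))]
        if m["kind"] == "reply":
            p["replies"] += 1
        elif m["dst"] == floating_ip:
            p["to_floating"] += 1      # request as it arrives, before DNAT
            p["sources"].add(m["src"])
        elif m["dst"] == fixed_ip:
            p["to_fixed"] += 1         # request after DNAT rewrote the destination
            p["sources"].add(m["src"])
    return dict(probes)

def classify(p):
    """Name the last stage a probe was seen at."""
    if p["replies"]:
        return "answered"
    if p["to_fixed"]:
        return "translated, no reply captured"
    if p["to_floating"]:
        return "not translated"
    return "not seen"

if __name__ == "__main__":
    for key, p in trace_probes(CAPTURE, "192.168.2.56", "10.0.0.11").items():
        print(key, classify(p), sorted(p["sources"]))
```

DNAT rewrites only the destination address, so the `sources` set for a translated probe still holds the original sender.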