Instances has full network access, but I can't connect to them(only from vnc and compute node)

Hello, I have an icehouse installation with nova-network + FlatDHCP + multi-host. I can connect to instances only from compute node, vnc console, and other instances. When I am inside the instance I have full network connection, but I can't connect to them, even from controller node. I am using a private subnet with NAT as the external instance network.

Please help Thanks, Alex