neutron floating ip not working inbound (but works outbound)

Installed OpenStack using 3-node architecture (neutron networking) as described here:

Installed Keystone/Glance/Nova/Neutron/Horizon/Cinder/Heat/Ceilometer as described in the guide, with one exception that I didn't add a 4th Cinder "block" node, but just added it onto the compute node.

The architecture looks like this: Openstack Arch

My 'ext-net' is the 'External' (v902) network in the drawing, which is I assigned an allocation list from to .200. I can see on my demo account a few floating IPs:

floating IP's

Floating IP is assigned to the fixed IP. Here is my network topology as seen from Horizon (I tried to cut out the non-relevant pieces) net_topo

You can see assigned to the 'simple' instance interface, of which router2 is also on as Pinging out from 'simple' to an IP routed to through the 'ext-net' running a TCPdump properly shows the pings coming in as (the floating IP). This is a TCPDump from the external machine that the 'simple' instance is pinging.

    [08/22/14 10:14:10] > sudo tcpdump -vvv -ttt -en -i eth0 host
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    00:00:00.000000 00:26:99:e7:d1:48 > 00:50:56:81:76:81, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 62, id 58221, offset 0, flags [DF], proto ICMP (1), length 84)
        > ICMP echo request, id 20737, seq 44, length 64

This is from the 'simple' instance, showing pings are successful (in both directions, the responses are received) pings_from_simple

However, pinging from the external node is not successful.

    [08/22/14 10:14:20] > ping
    PING ( 56(84) bytes of data.
    ^C
    --- ping statistics ---
    11 packets transmitted, 0 received, 100% packet loss, time 10079ms

So my question is why doesn't this work? What could I be missing here? I've traced the ping from the external net into the network node blitz em3, being tunneled (GRE) from blitz em2 ( over to compute em2 ( and the frame is received on a TCPDUMP on glacius01 (compute). However, a tcpdump on the VM itself does NOT show the ping reaching the instance.

Any help would be greatly appreciated.