[rhos-list] floating IP not reachable
Nicolas VOGEL
nvogel67 at hotmail.com
Wed Jul 24 15:43:28 UTC 2013
Hello Rhys,
Thanks for your answer.
I have put all the outputs you asked for below.
The outputs were made with two VMs running and floating IPs associated (192.168.32.2/10.192.76.136 and 192.168.32.3/10.192.76.135, see nova list output).
I connected via SSH to the first VM and I could ping the second, so I think internal communication is OK.
I put the complete output from the iptables commands because I don't know what you want to verify and I'm not very good with iptables.
Thanks for your help!
1) ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet 169.254.169.254/32 scope link lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 84:2b:2b:6c:fd:0f brd ff:ff:ff:ff:ff:ff
inet 10.192.75.190/24 brd 10.192.75.255 scope global em1
inet6 fe80::862b:2bff:fe6c:fd0f/64 scope link
valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 84:2b:2b:6c:fd:10 brd ff:ff:ff:ff:ff:ff
inet 10.192.76.135/32 scope global em2
inet 10.192.76.136/32 scope global em2
inet6 fe80::862b:2bff:fe6c:fd10/64 scope link
valid_lft forever preferred_lft forever
4: p1p1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:1b:21:7c:b8:38 brd ff:ff:ff:ff:ff:ff
5: p1p2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:1b:21:7c:b8:39 brd ff:ff:ff:ff:ff:ff
6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 52:54:00:d6:4f:da brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
link/ether 52:54:00:d6:4f:da brd ff:ff:ff:ff:ff:ff
9: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fe:16:3e:04:d9:a2 brd ff:ff:ff:ff:ff:ff
inet 192.168.32.1/22 brd 192.168.35.255 scope global br100
inet6 fe80::3c6c:d7ff:fe0b:c6af/64 scope link
valid_lft forever preferred_lft forever
10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
link/ether fe:16:3e:04:d9:a2 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc16:3eff:fe04:d9a2/64 scope link
valid_lft forever preferred_lft forever
11: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
link/ether fe:16:3e:2f:a5:0e brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc16:3eff:fe2f:a50e/64 scope link
valid_lft forever preferred_lft forever
==================================================================
2) brctl show
bridge name     bridge id               STP enabled     interfaces
br100           8000.fe163e04d9a2       no              vnet0
                                                        vnet1
virbr0          8000.525400d64fda       yes             virbr0-nic
==================================================================
3) nova list
+--------------------------------------+---------+--------+-----------------------------------------+
| ID | Name | Status | Networks |
+--------------------------------------+---------+--------+-----------------------------------------+
| 0dd1311a-f188-4570-af5d-dbf0fe62d50e | fed32-1 | ACTIVE | novanetwork=192.168.32.2, 10.192.76.136 |
| 57960ee0-e2f2-4a08-8560-3bf39c489b78 | fed64-1 | ACTIVE | novanetwork=192.168.32.3, 10.192.76.135 |
+--------------------------------------+---------+--------+-----------------------------------------+
==================================================================
4) nova-manage network-list
id   IPv4              IPv6   start address   DNS1      DNS2   VlanID   project   uuid
1    192.168.32.0/22   None   192.168.32.2    8.8.4.4   None   None     None      e2e597a5-7606-4335-911a-d8cadcb840d6
===================================================================
5) nova secgroup-list
+---------+-------------+
| Name | Description |
+---------+-------------+
| default | default |
+---------+-------------+
====================================================================
6) nova secgroup-list-rules <your assigned group>
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
============================================================================
7) iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-network-INPUT all -- anywhere anywhere
nova-compute-INPUT all -- anywhere anywhere
nova-api-INPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere multiport dports http /* 001 horizon incoming */
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere multiport dports http /* 001 nagios incoming */
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere multiport dports iscsi-target,8776 /* 001 cinder incoming */
ACCEPT tcp -- anywhere anywhere multiport dports 5666 /* 001 nrpe incoming */
ACCEPT tcp -- anywhere anywhere multiport dports armtechdaemon /* 001 glance incoming */
ACCEPT tcp -- anywhere anywhere multiport dports rsync /* 001 rsync incoming */
ACCEPT tcp -- anywhere anywhere multiport dports webcache /* 001 swift proxy incoming */
ACCEPT tcp -- anywhere anywhere multiport dports x11,6001,6002,rsync /* 001 swift storage incoming */
ACCEPT tcp -- anywhere anywhere multiport dports commplex-main,35357 /* 001 keystone incoming */
ACCEPT tcp -- anywhere anywhere multiport dports vnc-server:cvsup /* 001 nova compute incoming */
ACCEPT tcp -- anywhere anywhere multiport dports mysql /* 001 mysql incoming */
ACCEPT tcp -- anywhere anywhere multiport dports 6080 /* 001 novncproxy incoming */
ACCEPT tcp -- anywhere anywhere multiport dports 8773,8774,8775 /* 001 novaapi incoming */
ACCEPT tcp -- anywhere anywhere multiport dports amqp /* 001 qpid incoming */
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-network-FORWARD all -- anywhere anywhere
nova-compute-FORWARD all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-network-OUTPUT all -- anywhere anywhere
nova-compute-OUTPUT all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
Chain nova-api-FORWARD (1 references)
target prot opt source destination
Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.192.75.190 tcp dpt:8775
Chain nova-api-OUTPUT (1 references)
target prot opt source destination
Chain nova-api-local (1 references)
target prot opt source destination
Chain nova-compute-FORWARD (1 references)
target prot opt source destination
ACCEPT udp -- default 255.255.255.255 udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain nova-compute-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- default 255.255.255.255 udp spt:bootpc dpt:bootps
Chain nova-compute-OUTPUT (1 references)
target prot opt source destination
Chain nova-compute-inst-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- 192.168.32.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 192.168.32.0/22 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
nova-compute-sg-fallback all -- anywhere anywhere
Chain nova-compute-inst-3 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- 192.168.32.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 192.168.32.0/22 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
nova-compute-sg-fallback all -- anywhere anywhere
Chain nova-compute-local (1 references)
target prot opt source destination
nova-compute-inst-2 all -- anywhere 192.168.32.2
nova-compute-inst-3 all -- anywhere 192.168.32.3
Chain nova-compute-provider (2 references)
target prot opt source destination
Chain nova-compute-sg-fallback (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain nova-filter-top (2 references)
target prot opt source destination
nova-network-local all -- anywhere anywhere
nova-compute-local all -- anywhere anywhere
nova-api-local all -- anywhere anywhere
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain nova-network-OUTPUT (1 references)
target prot opt source destination
Chain nova-network-local (1 references)
target prot opt source destination
================================================================================
8) iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
nova-network-PREROUTING all -- anywhere anywhere
nova-compute-PREROUTING all -- anywhere anywhere
nova-api-PREROUTING all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
nova-network-POSTROUTING all -- anywhere anywhere
nova-compute-POSTROUTING all -- anywhere anywhere
nova-api-POSTROUTING all -- anywhere anywhere
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
nova-postrouting-bottom all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-network-OUTPUT all -- anywhere anywhere
nova-compute-OUTPUT all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
Chain nova-api-OUTPUT (1 references)
target prot opt source destination
Chain nova-api-POSTROUTING (1 references)
target prot opt source destination
Chain nova-api-PREROUTING (1 references)
target prot opt source destination
Chain nova-api-float-snat (1 references)
target prot opt source destination
Chain nova-api-snat (1 references)
target prot opt source destination
nova-api-float-snat all -- anywhere anywhere
Chain nova-compute-OUTPUT (1 references)
target prot opt source destination
Chain nova-compute-POSTROUTING (1 references)
target prot opt source destination
Chain nova-compute-PREROUTING (1 references)
target prot opt source destination
Chain nova-compute-float-snat (1 references)
target prot opt source destination
Chain nova-compute-snat (1 references)
target prot opt source destination
nova-compute-float-snat all -- anywhere anywhere
Chain nova-network-OUTPUT (1 references)
target prot opt source destination
DNAT all -- anywhere 10.192.76.135 to:192.168.32.3
DNAT all -- anywhere 10.192.76.136 to:192.168.32.2
Chain nova-network-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- 192.168.32.0/22 10.192.75.190
ACCEPT all -- 192.168.32.0/22 192.168.32.0/22 ! ctstate DNAT
SNAT all -- 192.168.32.3 anywhere ctstate DNAT to:10.192.76.135
SNAT all -- 192.168.32.2 anywhere ctstate DNAT to:10.192.76.136
Chain nova-network-PREROUTING (1 references)
target prot opt source destination
DNAT tcp -- anywhere 169.254.169.254 tcp dpt:http to:10.192.75.190:8775
DNAT all -- anywhere 10.192.76.135 to:192.168.32.3
DNAT all -- anywhere 10.192.76.136 to:192.168.32.2
Chain nova-network-float-snat (1 references)
target prot opt source destination
SNAT all -- 192.168.32.3 192.168.32.3 to:10.192.76.135
SNAT all -- 192.168.32.3 anywhere to:10.192.76.135
SNAT all -- 192.168.32.2 192.168.32.2 to:10.192.76.136
SNAT all -- 192.168.32.2 anywhere to:10.192.76.136
Chain nova-network-snat (1 references)
target prot opt source destination
nova-network-float-snat all -- anywhere anywhere
SNAT all -- 192.168.32.0/22 anywhere to:10.192.75.190
Chain nova-postrouting-bottom (1 references)
target prot opt source destination
nova-network-snat all -- anywhere anywhere
nova-compute-snat all -- anywhere anywhere
nova-api-snat all -- anywhere anywhere
===========================================================================
9) iptables -S -t nat
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N nova-api-OUTPUT
-N nova-api-POSTROUTING
-N nova-api-PREROUTING
-N nova-api-float-snat
-N nova-api-snat
-N nova-compute-OUTPUT
-N nova-compute-POSTROUTING
-N nova-compute-PREROUTING
-N nova-compute-float-snat
-N nova-compute-snat
-N nova-network-OUTPUT
-N nova-network-POSTROUTING
-N nova-network-PREROUTING
-N nova-network-float-snat
-N nova-network-snat
-N nova-postrouting-bottom
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-postrouting-bottom
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-snat -j nova-api-float-snat
-A nova-compute-snat -j nova-compute-float-snat
-A nova-network-OUTPUT -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-OUTPUT -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 10.192.75.190/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.32.0/22 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.32.3/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.192.76.135
-A nova-network-POSTROUTING -s 192.168.32.2/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.192.76.136
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.192.75.190:8775
-A nova-network-PREROUTING -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-PREROUTING -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
-A nova-network-float-snat -s 192.168.32.3/32 -d 192.168.32.3/32 -j SNAT --to-source 10.192.76.135
-A nova-network-float-snat -s 192.168.32.3/32 -o em2 -j SNAT --to-source 10.192.76.135
-A nova-network-float-snat -s 192.168.32.2/32 -d 192.168.32.2/32 -j SNAT --to-source 10.192.76.136
-A nova-network-float-snat -s 192.168.32.2/32 -o em2 -j SNAT --to-source 10.192.76.136
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.32.0/22 -o em2 -j SNAT --to-source 10.192.75.190
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-compute-snat
-A nova-postrouting-bottom -j nova-api-snat
========================================================================================
10) em1 config file
DEVICE=em1
HWADDR=84:2B:2B:6C:FD:0F
TYPE=Ethernet
UUID=e65a3f54-594e-4b2a-bd63-b488ba0d7adb
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=10.192.75.190
PREFIX=24
GATEWAY=10.192.75.1
DNS1=10.192.48.100
DNS2=10.192.48.101
==================================================================================================
11) em2 config file
DEVICE=em2
HWADDR=84:2B:2B:6C:FD:10
TYPE=Ethernet
UUID=ad6f5595-1df3-437d-b231-8b9e5db9c260
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
=================================================================================================
-----Original Message-----
From: Rhys Oxenham [mailto:roxenham at redhat.com]
Sent: Wednesday 24 July 2013 17:16
To: Nicolas VOGEL
Cc: rhos-list at redhat.com
Subject: Re: [rhos-list] floating IP not reachable
Hi Nicolas,
When you've got the instance running and a floating-ip assigned, can you please pastebin the output of-
1) ip a
2) brctl show
3) nova list
4) nova-manage network-list
5) nova secgroup-list
6) nova secgroup-list-rules <your assigned group>
7) iptables -L
8) iptables -L -t nat
9) iptables -S -t nat
Oh, and when you have more than one instance running, can you ping between the instances via 192.168.32.0/22? Make sure to sanitise anything you need to in the pastes.
Many thanks!
Rhys
On 24 Jul 2013, at 16:05, Nicolas VOGEL <nvogel67 at hotmail.com> wrote:
> Hi,
>
> I just installed a new all-in-one controller without quantum. Everything works fine, and now I want to use floating IPs as described here: http://openstack.redhat.com/Floating_IP_range. I want to use my second NIC (em2) for this purpose. For the installation I used my first NIC (em1), and packstack automatically created a bridge (br100).
>
> I deleted the default network and created a new one, which matches the subnet to which em2 is connected. After that I changed public_interface in nova.conf to em2, and also floating_range to the subnet I just created. I didn't modify flat_interface and left the default value (lo).
>
> I just enabled the em2 interface but didn't assign any IP address to it.
> I added two rules to the default group to allow ping and SSH.
>
> I can start VMs and they get an internal IP address (from 192.168.32.0/22). I can also associate a floating IP with each VM. But I'm unable to ping a floating IP.
>
> If someone has any idea to resolve the problem it would be very helpful.
> And if someone has a configuration that runs correctly, I would be interested in how you configured your network interfaces and your nova.conf.
>
> Thanks, Nicolas.
>
> Here's an excerpt from my nova.conf:
> public_interface=em2
> default_floating_pool=nova
> novncproxy_port=6080
> dhcp_domain=novalocal
> libvirt_type=kvm
> floating_range=10.192.76.0/25
> fixed_range=192.168.32.0/22
> auto_assign_floating_ip=False
> novncproxy_base_url=http://10.192.75.190:6080/vnc_auto.html
> flat_interface=lo
> vnc_enabled=True
> flat_network_bridge=br100
>
>
> _______________________________________________
> rhos-list mailing list
> rhos-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhos-list
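As an added example (not part of the thread, and not nova's own code), here is a small Python audit that reads the `iptables -S -t nat` and `ip -4 -o addr` output of the kind posted above and checks, for each floating IP listed by `nova list`, the three things nova-network has to install: the DNAT rule in nova-network-PREROUTING (floating to fixed, inbound), the SNAT rule in nova-network-float-snat leaving via public_interface (fixed to floating, outbound), and the floating address itself bound as a /32 on public_interface. The sample inputs are constructed excerpts of the outputs posted in this thread, and the FLOATING map is copied from the `nova list` table. One caveat worth taking from the thread: `iptables -L` without `-v` hides interface matches, so a line such as `ACCEPT all -- anywhere anywhere` in the filter listing above cannot be judged from that output alone; read `iptables -S` (or `-L -v`) instead, which is also why this script parses the `-S` form.

```python
"""Added example: audit nova-network floating-IP plumbing from pasted command output.

For each floating IP associated in `nova list`, nova-network must install:
  1. a DNAT rule in nova-network-PREROUTING  (floating -> fixed, inbound)
  2. a SNAT rule in nova-network-float-snat  (fixed -> floating, out via public_interface)
  3. the floating address itself, as a /32, on public_interface
"""
import re

# Constructed sample: excerpt of the `iptables -S -t nat` output posted in the thread.
NAT_RULES = """\
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.192.75.190:8775
-A nova-network-PREROUTING -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-PREROUTING -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
-A nova-network-float-snat -s 192.168.32.3/32 -d 192.168.32.3/32 -j SNAT --to-source 10.192.76.135
-A nova-network-float-snat -s 192.168.32.3/32 -o em2 -j SNAT --to-source 10.192.76.135
-A nova-network-float-snat -s 192.168.32.2/32 -d 192.168.32.2/32 -j SNAT --to-source 10.192.76.136
-A nova-network-float-snat -s 192.168.32.2/32 -o em2 -j SNAT --to-source 10.192.76.136
-A nova-network-snat -s 192.168.32.0/22 -o em2 -j SNAT --to-source 10.192.75.190
"""

# Constructed sample: `ip -4 -o addr show em2` output matching the `ip a` paste in the thread.
IP_ADDR = """\
3: em2    inet 10.192.76.135/32 scope global em2\\       valid_lft forever preferred_lft forever
3: em2    inet 10.192.76.136/32 scope global em2\\       valid_lft forever preferred_lft forever
"""

# Floating -> fixed associations, copied from the `nova list` output in the thread.
FLOATING = {"10.192.76.136": "192.168.32.2", "10.192.76.135": "192.168.32.3"}


def _opt(tokens, flag):
    """Return the value following `flag` in a tokenised `iptables -S` rule, or None."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def _rules_in(rules, chain, target):
    """Yield tokenised `-A <chain> ...` rules whose jump target is `target`."""
    for line in rules.splitlines():
        t = line.split()
        if len(t) >= 2 and t[0] == "-A" and t[1] == chain and _opt(t, "-j") == target:
            yield t


def parse_dnat(rules, chain="nova-network-PREROUTING"):
    """Map floating IP -> fixed IP. Port-forward DNATs (host:port) such as metadata are skipped."""
    out = {}
    for t in _rules_in(rules, chain, "DNAT"):
        dst, to = _opt(t, "-d"), _opt(t, "--to-destination")
        if dst and to and ":" not in to:
            out[dst.split("/")[0]] = to
    return out


def parse_float_snat(rules, iface, chain="nova-network-float-snat"):
    """Map fixed IP -> floating IP for SNAT rules that leave through `iface`."""
    out = {}
    for t in _rules_in(rules, chain, "SNAT"):
        src = _opt(t, "-s")
        if src and _opt(t, "-o") == iface:
            out[src.split("/")[0]] = _opt(t, "--to-source")
    return out


def parse_bound_addrs(ip_addr, iface):
    """IPv4 addresses configured on `iface`, parsed from `ip -4 -o addr` output."""
    pat = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3})/\d+", re.M)
    return {ip for dev, ip in pat.findall(ip_addr) if dev == iface}


def audit(floating, rules, ip_addr, public_iface):
    """Return a list of findings; an empty list means every floating IP is fully plumbed."""
    dnat = parse_dnat(rules)
    snat = parse_float_snat(rules, public_iface)
    bound = parse_bound_addrs(ip_addr, public_iface)
    findings = []
    for fip, fixed in floating.items():
        if dnat.get(fip) != fixed:
            findings.append(f"{fip}: no PREROUTING DNAT to {fixed} (got {dnat.get(fip)})")
        if snat.get(fixed) != fip:
            findings.append(f"{fip}: no float-snat SNAT from {fixed} out {public_iface}")
        if fip not in bound:
            findings.append(f"{fip}: address not configured on {public_iface}")
    # A DNAT with no matching association would expose a guest nova no longer lists.
    for fip in sorted(dnat.keys() - floating.keys()):
        findings.append(f"{fip}: DNAT present but not associated in nova list (stale?)")
    return findings


if __name__ == "__main__":
    problems = audit(FLOATING, NAT_RULES, IP_ADDR, "em2")
    print("\n".join(problems) or "floating-IP NAT plumbing is consistent for em2")
```

On a live host you would replace the constants with `subprocess.check_output(["iptables", "-S", "-t", "nat"], text=True)` and `ip -4 -o addr`, and build FLOATING from `nova list`. Run against the rules posted in this thread the audit reports nothing, which is consistent with the pasted NAT table: both floating IPs have their DNAT, their SNAT out of em2 and their /32 on em2, so whatever is blocking the pings is not a missing nova-network NAT rule.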