[rhos-list] floating IP not reachable
Vogel Nicolas
nicolas.vogel at heig-vd.ch
Thu Jul 25 06:37:01 UTC 2013
Hi,
Yes that's right, I can ping and connect via SSH to my VMs from my controller using the private IP 192.168.32.2.
My controller's name is IICT-SV1259 and my VMs' names are fed32-1 and fed64-1
Here's the output:
[admin at IICT-SV1259 ~(keystone_admin)]$ ping 192.168.32.2
PING 192.168.32.2 (192.168.32.2) 56(84) bytes of data.
64 bytes from 192.168.32.2: icmp_seq=1 ttl=64 time=0.501 ms
64 bytes from 192.168.32.2: icmp_seq=2 ttl=64 time=0.334 ms
64 bytes from 192.168.32.2: icmp_seq=3 ttl=64 time=0.296 ms
^C
--- 192.168.32.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2979ms
rtt min/avg/max/mdev = 0.296/0.377/0.501/0.089 ms
[admin at IICT-SV1259 ~(keystone_admin)]$ ping 192.168.32.3
PING 192.168.32.3 (192.168.32.3) 56(84) bytes of data.
64 bytes from 192.168.32.3: icmp_seq=1 ttl=64 time=0.407 ms
64 bytes from 192.168.32.3: icmp_seq=2 ttl=64 time=0.219 ms
64 bytes from 192.168.32.3: icmp_seq=3 ttl=64 time=0.207 ms
64 bytes from 192.168.32.3: icmp_seq=4 ttl=64 time=0.349 ms
^C
--- 192.168.32.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3292ms
rtt min/avg/max/mdev = 0.207/0.295/0.407/0.086 ms
[admin at IICT-SV1259 ~(keystone_admin)]$ sudo ssh -i grizzli_nova-network.pem fedora at 192.168.32.2
[sudo] password for admin:
Last login: Wed Jul 24 15:31:43 2013 from 192.168.32.1
[fedora at fed32-1 ~]$
[fedora at fed32-1 ~]$ ping 192.168.32.3
PING 192.168.32.3 (192.168.32.3) 56(84) bytes of data.
64 bytes from 192.168.32.3: icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from 192.168.32.3: icmp_seq=2 ttl=64 time=0.581 ms
64 bytes from 192.168.32.3: icmp_seq=3 ttl=64 time=0.614 ms
64 bytes from 192.168.32.3: icmp_seq=4 ttl=64 time=0.504 ms
^C
--- 192.168.32.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.291/0.497/0.614/0.127 ms
[fedora at fed32-1 ~]$
[fedora at fed32-1 ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
[fedora at fed32-1 ~]$
[fedora at fed32-1 ~]$ ping 10.192.75.1
PING 10.192.75.1 (10.192.75.1) 56(84) bytes of data.
^C
--- 10.192.75.1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8000ms
[fedora at fed32-1 ~]$
[fedora at fed32-1 ~]$ ping 10.192.76.1
PING 10.192.76.1 (10.192.76.1) 56(84) bytes of data.
As you can see I'm connected to the fed32-1 VM but I can only ping my private network IPs (192.168.32.xx). There is no way to reach the external world. 10.192.75.0/24 is my management network (also used by all the OpenStack services) and 10.192.76.0/24 is the network for my floating IPs.
Here's the output from "route" and "ifconfig" commands on my VM:
[fedora at fed32-1 ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.32.1 0.0.0.0 UG 0 0 0 eth0
192.168.32.0 * 255.255.252.0 U 0 0 0 eth0
[fedora at fed32-1 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.32.2 netmask 255.255.252.0 broadcast 192.168.35.255
inet6 fe80::f816:3eff:fe04:d9a2 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:04:d9:a2 txqueuelen 1000 (Ethernet)
RX packets 4319 bytes 639628 (624.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5669 bytes 668617 (652.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
And here the same output on my controller:
[admin at IICT-SV1259 ~(keystone_admin)]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.192.75.0 * 255.255.255.0 U 0 0 0 em1
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
192.168.32.0 * 255.255.252.0 U 0 0 0 br100
link-local * 255.255.0.0 U 1002 0 0 em1
default 10.192.75.1 0.0.0.0 UG 0 0 0 em1
[admin at IICT-SV1259 ~(keystone_admin)]$ ifconfig
br100 Link encap:Ethernet HWaddr FE:16:3E:04:D9:A2
inet addr:192.168.32.1 Bcast:192.168.35.255 Mask:255.255.252.0
inet6 addr: fe80::3c6c:d7ff:fe0b:c6af/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5930 errors:0 dropped:0 overruns:0 frame:0
TX packets:6039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:980212 (957.2 KiB) TX bytes:1083240 (1.0 MiB)
em1 Link encap:Ethernet HWaddr 84:2B:2B:6C:FD:0F
inet addr:10.192.75.190 Bcast:10.192.75.255 Mask:255.255.255.0
inet6 addr: fe80::862b:2bff:fe6c:fd0f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:168093 errors:0 dropped:0 overruns:0 frame:0
TX packets:18570 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17214443 (16.4 MiB) TX bytes:2952682 (2.8 MiB)
em2 Link encap:Ethernet HWaddr 84:2B:2B:6C:FD:10
inet addr:10.192.76.135 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::862b:2bff:fe6c:fd10/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:47875 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3960287 (3.7 MiB) TX bytes:492 (492.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1989973 errors:0 dropped:0 overruns:0 frame:0
TX packets:1989973 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1091699634 (1.0 GiB) TX bytes:1091699634 (1.0 GiB)
virbr0 Link encap:Ethernet HWaddr 52:54:00:D6:4F:DA
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vnet0 Link encap:Ethernet HWaddr FE:16:3E:04:D9:A2
inet6 addr: fe80::fc16:3eff:fe04:d9a2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5720 errors:0 dropped:0 overruns:0 frame:0
TX packets:4361 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:675343 (659.5 KiB) TX bytes:643288 (628.2 KiB)
vnet1 Link encap:Ethernet HWaddr FE:16:3E:2F:A5:0E
inet6 addr: fe80::fc16:3eff:fe2f:a50e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5163 errors:0 dropped:0 overruns:0 frame:0
TX packets:3624 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:596811 (582.8 KiB) TX bytes:570388 (557.0 KiB)
I hope that can help.
What about my nova.conf file? Is everything all right with it?
Should I modify something with the lo interface?
Thanks,
Nicolas.
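The check Rhys is doing by hand in this thread (floating IP configured on the public interface, a PREROUTING DNAT to the fixed IP, a float-snat SNAT back to the same floating IP) can be scripted. The following is an added example, not code from the thread or from nova-network; it parses the text of `iptables -S -t nat`, `ip -o -4 addr` and `ip -4 route`, using constructed sample input transcribed from the outputs posted above. It also flags, as an observation only, when an SNAT rule's `-o` interface differs from the interface the default route uses, because a POSTROUTING rule with `-o em2` only matches packets the kernel routes out through em2. The function names, the sample strings and the `public_iface` parameter are assumptions of this example.

```python
"""Consistency check of the nova-network floating-IP NAT path (added example).

For every floating IP it verifies that (1) the address is configured on the
public interface, (2) PREROUTING DNATs it to a fixed IP and (3) a float-snat
rule SNATs that fixed IP back to the same floating IP. It additionally flags
SNAT rules whose -o interface is not the default-route interface.
"""
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample input, transcribed from the outputs posted in this thread.
# On a live host replace these with, e.g.,
#   subprocess.check_output(["iptables", "-S", "-t", "nat"], text=True)
IPTABLES_NAT = """\
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.192.75.190:8775
-A nova-network-PREROUTING -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-PREROUTING -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
-A nova-network-float-snat -s 192.168.32.3/32 -d 192.168.32.3/32 -j SNAT --to-source 10.192.76.135
-A nova-network-float-snat -s 192.168.32.3/32 -o em2 -j SNAT --to-source 10.192.76.135
-A nova-network-float-snat -s 192.168.32.2/32 -d 192.168.32.2/32 -j SNAT --to-source 10.192.76.136
-A nova-network-float-snat -s 192.168.32.2/32 -o em2 -j SNAT --to-source 10.192.76.136
-A nova-network-snat -s 192.168.32.0/22 -o em2 -j SNAT --to-source 10.192.75.190
"""
IP_ADDR = """\
2: em1    inet 10.192.75.190/24 brd 10.192.75.255 scope global em1
3: em2    inet 10.192.76.135/32 scope global em2
3: em2    inet 10.192.76.136/32 scope global em2
9: br100    inet 192.168.32.1/22 brd 192.168.35.255 scope global br100
"""
IP_ROUTE = """\
default via 10.192.75.1 dev em1
10.192.75.0/24 dev em1  proto kernel  scope link  src 10.192.75.190
192.168.32.0/22 dev br100  proto kernel  scope link  src 192.168.32.1
"""


def parse_dnat(rules):
    """Map floating IP -> fixed IP from PREROUTING DNAT rules (the metadata rule has no match)."""
    pat = re.compile(r"^-A \S*PREROUTING -d " + IPV4 + r"/32 -j DNAT --to-destination " + IPV4 + r"$", re.M)
    return {floating: fixed for floating, fixed in pat.findall(rules)}


def parse_float_snat(rules):
    """Map fixed IP -> (floating IP, output interface) from float-snat rules carrying -o."""
    pat = re.compile(r"^-A \S*float-snat -s " + IPV4 + r"/32 -o (\S+) -j SNAT --to-source " + IPV4 + r"$", re.M)
    return {fixed: (floating, dev) for fixed, dev, floating in pat.findall(rules)}


def parse_addrs(ip_addr):
    """Map interface -> set of IPv4 addresses from `ip -o -4 addr` output."""
    out = {}
    for dev, addr in re.findall(r"^\d+: (\S+)\s+inet " + IPV4 + r"/\d+", ip_addr, re.M):
        out.setdefault(dev, set()).add(addr)
    return out


def default_route_dev(ip_route):
    """Interface of the default route, or None if there is none."""
    m = re.search(r"^default via \S+ dev (\S+)", ip_route, re.M)
    return m.group(1) if m else None


def check_floating_ips(rules, ip_addr, ip_route, public_iface):
    """Return {floating_ip: [problem, ...]}; an empty list means the NAT triad is complete."""
    snat = parse_float_snat(rules)
    addrs = parse_addrs(ip_addr)
    default_dev = default_route_dev(ip_route)
    report = {}
    for floating, fixed in sorted(parse_dnat(rules).items()):
        problems = []
        if floating not in addrs.get(public_iface, set()):
            problems.append(f"{floating} is not configured on {public_iface}")
        entry = snat.get(fixed)
        if entry is None:
            problems.append(f"no float-snat SNAT rule for fixed IP {fixed}")
        else:
            back, out_dev = entry
            if back != floating:
                problems.append(f"SNAT maps {fixed} to {back}, expected {floating}")
            if out_dev != default_dev:
                problems.append(f"SNAT rule matches -o {out_dev} but the default route leaves via {default_dev}")
        report[floating] = problems
    return report


def check_outbound_snat(rules, ip_route):
    """Same -o versus default-route comparison for the fixed-range SNAT (VMs without a floating IP)."""
    default_dev = default_route_dev(ip_route)
    pat = re.compile(r"^-A \S*nova-network-snat -s (\S+) -o (\S+) -j SNAT --to-source " + IPV4 + r"$", re.M)
    return [f"SNAT for {src} matches -o {dev} but the default route leaves via {default_dev}"
            for src, dev, _ in pat.findall(rules) if dev != default_dev]


if __name__ == "__main__":
    for floating, problems in check_floating_ips(IPTABLES_NAT, IP_ADDR, IP_ROUTE, "em2").items():
        print(floating, "OK" if not problems else "; ".join(problems))
    for line in check_outbound_snat(IPTABLES_NAT, IP_ROUTE):
        print(line)
```

On the sample transcribed from this thread every floating IP passes the address and DNAT/SNAT checks, and the only finding is the interface mismatch (SNAT rules match `-o em2`, default route via em1). That is something to look at alongside nova.conf's `public_interface`, not a verdict; the script reports a complete triad with no finding when the default route is moved to the public interface.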
-----Original Message-----
From: rhos-list-bounces at redhat.com [mailto:rhos-list-bounces at redhat.com] On Behalf Of Rhys Oxenham
Sent: Wednesday 24 July 2013 23:49
To: Nicolas VOGEL
Cc: rhos-list at redhat.com
Subject: Re: [rhos-list] floating IP not reachable
Hi Nicolas,
Thanks for sending that over, it looks good to me; the important NAT rules are in-place, e.g.
-A nova-network-OUTPUT -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-OUTPUT -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
(And associated SNAT)
And then for the security groups-
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
Your em2 interface is also listening on the correct IP addresses:
inet 10.192.76.135/32 scope global em2
inet 10.192.76.136/32 scope global em2
So you're saying that you can directly access your instances by using the internal IP, i.e. the 192.168.32.0/22 network? But NOT via the floating IPs? I just need to understand what you cannot currently access; my concern is that there's no link between the local loopback device and your instances, so I need to establish what works and what doesn't.
Cheers
Rhys
On 24 Jul 2013, at 16:43, Nicolas VOGEL <nvogel67 at hotmail.com> wrote:
> Hello Rhys,
>
> Thanks for your answer.
> I put all the outputs you asked.
> The outputs were made with two VMs running and floating IPs associated (192.168.32.2/10.192.76.136 and 192.168.32.3/10.192.76.135, see nova list output).
> I connected via SSH to the first VM and I could ping the second, so I think internal communication is OK.
> I put the complete output from iptables commands because I don't know what you want to verify and I'm not very good with iptables.
> Thanks for your help!
>
> 1) ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet 169.254.169.254/32 scope link lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
> link/ether 84:2b:2b:6c:fd:0f brd ff:ff:ff:ff:ff:ff
> inet 10.192.75.190/24 brd 10.192.75.255 scope global em1
> inet6 fe80::862b:2bff:fe6c:fd0f/64 scope link
> valid_lft forever preferred_lft forever
> 3: em2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
> link/ether 84:2b:2b:6c:fd:10 brd ff:ff:ff:ff:ff:ff
> inet 10.192.76.135/32 scope global em2
> inet 10.192.76.136/32 scope global em2
> inet6 fe80::862b:2bff:fe6c:fd10/64 scope link
> valid_lft forever preferred_lft forever
> 4: p1p1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 00:1b:21:7c:b8:38 brd ff:ff:ff:ff:ff:ff
> 5: p1p2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 00:1b:21:7c:b8:39 brd ff:ff:ff:ff:ff:ff
> 6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether 52:54:00:d6:4f:da brd ff:ff:ff:ff:ff:ff
> inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
> 7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
> link/ether 52:54:00:d6:4f:da brd ff:ff:ff:ff:ff:ff
> 9: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether fe:16:3e:04:d9:a2 brd ff:ff:ff:ff:ff:ff
> inet 192.168.32.1/22 brd 192.168.35.255 scope global br100
> inet6 fe80::3c6c:d7ff:fe0b:c6af/64 scope link
> valid_lft forever preferred_lft forever
> 10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
> link/ether fe:16:3e:04:d9:a2 brd ff:ff:ff:ff:ff:ff
> inet6 fe80::fc16:3eff:fe04:d9a2/64 scope link
> valid_lft forever preferred_lft forever
> 11: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
> link/ether fe:16:3e:2f:a5:0e brd ff:ff:ff:ff:ff:ff
> inet6 fe80::fc16:3eff:fe2f:a50e/64 scope link
> valid_lft forever preferred_lft forever
> ==================================================================
>
> 2) brctl show
> bridge name bridge id STP enabled interfaces
> br100 8000.fe163e04d9a2 no vnet0
> vnet1
> virbr0 8000.525400d64fda yes virbr0-nic
> ==================================================================
>
> 3) nova list
> +--------------------------------------+---------+--------+-----------------------------------------+
> | ID                                   | Name    | Status | Networks                                |
> +--------------------------------------+---------+--------+-----------------------------------------+
> | 0dd1311a-f188-4570-af5d-dbf0fe62d50e | fed32-1 | ACTIVE | novanetwork=192.168.32.2, 10.192.76.136 |
> | 57960ee0-e2f2-4a08-8560-3bf39c489b78 | fed64-1 | ACTIVE | novanetwork=192.168.32.3, 10.192.76.135 |
> +--------------------------------------+---------+--------+-----------------------------------------+
> ==================================================================
>
> 4) nova-manage network-list
> id IPv4 IPv6 start address DNS1 DNS2 VlanID project uuid
> 1 192.168.32.0/22 None 192.168.32.2 8.8.4.4 None None None e2e597a5-7606-4335-911a-d8cadcb840d6
> ===================================================================
>
> 5) nova secgroup-list
> +---------+-------------+
> | Name | Description |
> +---------+-------------+
> | default | default |
> +---------+-------------+
> ====================================================================
>
> 6) nova secgroup-list-rules <your assigned group>
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | icmp | -1 | -1 | 0.0.0.0/0 | |
> | tcp | 22 | 22 | 0.0.0.0/0 | |
> +-------------+-----------+---------+-----------+--------------+
> ============================================================================
>
> 7) iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> nova-network-INPUT all -- anywhere anywhere
> nova-compute-INPUT all -- anywhere anywhere
> nova-api-INPUT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere multiport dports http /* 001 horizon incoming */
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT tcp -- anywhere anywhere multiport dports http /* 001 nagios incoming */
> ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
> ACCEPT tcp -- anywhere anywhere multiport dports iscsi-target,8776 /* 001 cinder incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports 5666 /* 001 nrpe incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports armtechdaemon /* 001 glance incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports rsync /* 001 rsync incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports webcache /* 001 swift proxy incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports x11,6001,6002,rsync /* 001 swift storage incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports commplex-main,35357 /* 001 keystone incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports vnc-server:cvsup /* 001 nova compute incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports mysql /* 001 mysql incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports 6080 /* 001 novncproxy incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports 8773,8774,8775 /* 001 novaapi incoming */
> ACCEPT tcp -- anywhere anywhere multiport dports amqp /* 001 qpid incoming */
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> nova-filter-top all -- anywhere anywhere
> nova-network-FORWARD all -- anywhere anywhere
> nova-compute-FORWARD all -- anywhere anywhere
> nova-api-FORWARD all -- anywhere anywhere
> ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
> ACCEPT all -- 192.168.122.0/24 anywhere
> ACCEPT all -- anywhere anywhere
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> nova-filter-top all -- anywhere anywhere
> nova-network-OUTPUT all -- anywhere anywhere
> nova-compute-OUTPUT all -- anywhere anywhere
> nova-api-OUTPUT all -- anywhere anywhere
>
> Chain nova-api-FORWARD (1 references)
> target prot opt source destination
>
> Chain nova-api-INPUT (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere 10.192.75.190 tcp dpt:8775
>
> Chain nova-api-OUTPUT (1 references)
> target prot opt source destination
>
> Chain nova-api-local (1 references)
> target prot opt source destination
>
> Chain nova-compute-FORWARD (1 references)
> target prot opt source destination
> ACCEPT udp -- default 255.255.255.255 udp spt:bootpc dpt:bootps
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
>
> Chain nova-compute-INPUT (1 references)
> target prot opt source destination
> ACCEPT udp -- default 255.255.255.255 udp spt:bootpc dpt:bootps
>
> Chain nova-compute-OUTPUT (1 references)
> target prot opt source destination
>
> Chain nova-compute-inst-2 (1 references)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> nova-compute-provider all -- anywhere anywhere
> ACCEPT udp -- 192.168.32.1 anywhere udp spt:bootps dpt:bootpc
> ACCEPT all -- 192.168.32.0/22 anywhere
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> ACCEPT icmp -- anywhere anywhere
> nova-compute-sg-fallback all -- anywhere anywhere
>
> Chain nova-compute-inst-3 (1 references)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> nova-compute-provider all -- anywhere anywhere
> ACCEPT udp -- 192.168.32.1 anywhere udp spt:bootps dpt:bootpc
> ACCEPT all -- 192.168.32.0/22 anywhere
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> ACCEPT icmp -- anywhere anywhere
> nova-compute-sg-fallback all -- anywhere anywhere
>
> Chain nova-compute-local (1 references)
> target prot opt source destination
> nova-compute-inst-2 all -- anywhere 192.168.32.2
> nova-compute-inst-3 all -- anywhere 192.168.32.3
>
> Chain nova-compute-provider (2 references)
> target prot opt source destination
>
> Chain nova-compute-sg-fallback (2 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain nova-filter-top (2 references)
> target prot opt source destination
> nova-network-local all -- anywhere anywhere
> nova-compute-local all -- anywhere anywhere
> nova-api-local all -- anywhere anywhere
>
> Chain nova-network-FORWARD (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
>
> Chain nova-network-INPUT (1 references)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
>
> Chain nova-network-OUTPUT (1 references)
> target prot opt source destination
>
> Chain nova-network-local (1 references)
> target prot opt source destination
> ================================================================================
>
> 8) iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> nova-network-PREROUTING all -- anywhere anywhere
> nova-compute-PREROUTING all -- anywhere anywhere
> nova-api-PREROUTING all -- anywhere anywhere
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> nova-network-POSTROUTING all -- anywhere anywhere
> nova-compute-POSTROUTING all -- anywhere anywhere
> nova-api-POSTROUTING all -- anywhere anywhere
> MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
> MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
> MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
> nova-postrouting-bottom all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> nova-network-OUTPUT all -- anywhere anywhere
> nova-compute-OUTPUT all -- anywhere anywhere
> nova-api-OUTPUT all -- anywhere anywhere
>
> Chain nova-api-OUTPUT (1 references)
> target prot opt source destination
>
> Chain nova-api-POSTROUTING (1 references)
> target prot opt source destination
>
> Chain nova-api-PREROUTING (1 references)
> target prot opt source destination
>
> Chain nova-api-float-snat (1 references)
> target prot opt source destination
>
> Chain nova-api-snat (1 references)
> target prot opt source destination
> nova-api-float-snat all -- anywhere anywhere
>
> Chain nova-compute-OUTPUT (1 references)
> target prot opt source destination
>
> Chain nova-compute-POSTROUTING (1 references)
> target prot opt source destination
>
> Chain nova-compute-PREROUTING (1 references)
> target prot opt source destination
>
> Chain nova-compute-float-snat (1 references)
> target prot opt source destination
>
> Chain nova-compute-snat (1 references)
> target prot opt source destination
> nova-compute-float-snat all -- anywhere anywhere
>
> Chain nova-network-OUTPUT (1 references)
> target prot opt source destination
> DNAT all -- anywhere 10.192.76.135 to:192.168.32.3
> DNAT all -- anywhere 10.192.76.136 to:192.168.32.2
>
> Chain nova-network-POSTROUTING (1 references)
> target prot opt source destination
> ACCEPT all -- 192.168.32.0/22 10.192.75.190
> ACCEPT all -- 192.168.32.0/22 192.168.32.0/22 ! ctstate DNAT
> SNAT all -- 192.168.32.3 anywhere ctstate DNAT to:10.192.76.135
> SNAT all -- 192.168.32.2 anywhere ctstate DNAT to:10.192.76.136
>
> Chain nova-network-PREROUTING (1 references)
> target prot opt source destination
> DNAT tcp -- anywhere 169.254.169.254 tcp dpt:http to:10.192.75.190:8775
> DNAT all -- anywhere 10.192.76.135 to:192.168.32.3
> DNAT all -- anywhere 10.192.76.136 to:192.168.32.2
>
> Chain nova-network-float-snat (1 references)
> target prot opt source destination
> SNAT all -- 192.168.32.3 192.168.32.3 to:10.192.76.135
> SNAT all -- 192.168.32.3 anywhere to:10.192.76.135
> SNAT all -- 192.168.32.2 192.168.32.2 to:10.192.76.136
> SNAT all -- 192.168.32.2 anywhere to:10.192.76.136
>
> Chain nova-network-snat (1 references)
> target prot opt source destination
> nova-network-float-snat all -- anywhere anywhere
> SNAT all -- 192.168.32.0/22 anywhere to:10.192.75.190
>
> Chain nova-postrouting-bottom (1 references)
> target prot opt source destination
> nova-network-snat all -- anywhere anywhere
> nova-compute-snat all -- anywhere anywhere
> nova-api-snat all -- anywhere anywhere
> ===========================================================================
>
> 9) iptables -S -t nat
> -P PREROUTING ACCEPT
> -P POSTROUTING ACCEPT
> -P OUTPUT ACCEPT
> -N nova-api-OUTPUT
> -N nova-api-POSTROUTING
> -N nova-api-PREROUTING
> -N nova-api-float-snat
> -N nova-api-snat
> -N nova-compute-OUTPUT
> -N nova-compute-POSTROUTING
> -N nova-compute-PREROUTING
> -N nova-compute-float-snat
> -N nova-compute-snat
> -N nova-network-OUTPUT
> -N nova-network-POSTROUTING
> -N nova-network-PREROUTING
> -N nova-network-float-snat
> -N nova-network-snat
> -N nova-postrouting-bottom
> -A PREROUTING -j nova-network-PREROUTING
> -A PREROUTING -j nova-compute-PREROUTING
> -A PREROUTING -j nova-api-PREROUTING
> -A POSTROUTING -j nova-network-POSTROUTING
> -A POSTROUTING -j nova-compute-POSTROUTING
> -A POSTROUTING -j nova-api-POSTROUTING
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
> -A POSTROUTING -j nova-postrouting-bottom
> -A OUTPUT -j nova-network-OUTPUT
> -A OUTPUT -j nova-compute-OUTPUT
> -A OUTPUT -j nova-api-OUTPUT
> -A nova-api-snat -j nova-api-float-snat
> -A nova-compute-snat -j nova-compute-float-snat
> -A nova-network-OUTPUT -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
> -A nova-network-OUTPUT -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
> -A nova-network-POSTROUTING -s 192.168.32.0/22 -d 10.192.75.190/32 -j ACCEPT
> -A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.32.0/22 -m conntrack ! --ctstate DNAT -j ACCEPT
> -A nova-network-POSTROUTING -s 192.168.32.3/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.192.76.135
> -A nova-network-POSTROUTING -s 192.168.32.2/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.192.76.136
> -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.192.75.190:8775
> -A nova-network-PREROUTING -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
> -A nova-network-PREROUTING -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
> -A nova-network-float-snat -s 192.168.32.3/32 -d 192.168.32.3/32 -j SNAT --to-source 10.192.76.135
> -A nova-network-float-snat -s 192.168.32.3/32 -o em2 -j SNAT --to-source 10.192.76.135
> -A nova-network-float-snat -s 192.168.32.2/32 -d 192.168.32.2/32 -j SNAT --to-source 10.192.76.136
> -A nova-network-float-snat -s 192.168.32.2/32 -o em2 -j SNAT --to-source 10.192.76.136
> -A nova-network-snat -j nova-network-float-snat
> -A nova-network-snat -s 192.168.32.0/22 -o em2 -j SNAT --to-source 10.192.75.190
> -A nova-postrouting-bottom -j nova-network-snat
> -A nova-postrouting-bottom -j nova-compute-snat
> -A nova-postrouting-bottom -j nova-api-snat
> ========================================================================================
>
> 10) em1 config file
> DEVICE=em1
> HWADDR=84:2B:2B:6C:FD:0F
> TYPE=Ethernet
> UUID=e65a3f54-594e-4b2a-bd63-b488ba0d7adb
> ONBOOT=yes
> NM_CONTROLLED=no
> BOOTPROTO=none
> IPADDR=10.192.75.190
> PREFIX=24
> GATEWAY=10.192.75.1
> DNS1=10.192.48.100
> DNS2=10.192.48.101
> ==================================================================================================
>
> 11) em2 config file
> DEVICE=em2
> HWADDR=84:2B:2B:6C:FD:10
> TYPE=Ethernet
> UUID=ad6f5595-1df3-437d-b231-8b9e5db9c260
> ONBOOT=yes
> NM_CONTROLLED=no
> BOOTPROTO=none
>
> =================================================================================================
>
> -----Original Message-----
> From: Rhys Oxenham [mailto:roxenham at redhat.com]
> Sent: Wednesday 24 July 2013 17:16
> To: Nicolas VOGEL
> Cc: rhos-list at redhat.com
> Subject: Re: [rhos-list] floating IP not reachable
>
> Hi Nicolas,
>
> When you've got the instance running and a floating-ip assigned, can
> you please pastebin the output of-
>
> 1) ip a
> 2) brctl show
> 3) nova list
> 4) nova-manage network-list
> 5) nova secgroup-list
> 6) nova secgroup-list-rules <your assigned group>
> 7) iptables -L
> 8) iptables -L -t nat
> 9) iptables -S -t nat
>
> Oh, and when you have more than one instance running, can you ping between the instances via 192.168.32.0/22? Make sure to sanitise anything you need to in the pastes.
>
> Many thanks!
> Rhys
>
>
> On 24 Jul 2013, at 16:05, Nicolas VOGEL <nvogel67 at hotmail.com> wrote:
>
>> Hi,
>>
>> I just installed a new all-in-one controller without quantum. Everything works fine and now I want to use floating IPs as described here: http://openstack.redhat.com/Floating_IP_range. I want to use my second NIC (em2) for this purpose. For the installation, I use my first NIC (em1) and packstack automatically created a bridge (br100).
>>
>> I deleted the default network and created a new one, which matches the subnet em2 is connected to. After that I modified the public_interface in the nova.conf to em2 and also the floating_range with the subnet I just created. I didn't modify the flat_interface and left the default value (lo).
>>
>> I just enabled the em2 interface but didn't assign any IP address to it.
>> I added two rules to the default group to allow ping and SSH.
>>
>> I can start VMs and they get an internal IP address (from 192.168.32.0/22). I can also associate a floating IP to each VM. But I'm unable to ping a floating IP.
>>
>> If someone has any idea to resolve the problem it would be very helpful.
>> And if someone has a configuration that runs correctly I would be interested in how you configured your network interfaces and your nova.conf.
>>
>> Thanks, Nicolas.
>>
>> Here's an output from my nova.conf:
>> public_interface=em2
>> default_floating_pool=nova
>> novncproxy_port=6080
>> dhcp_domain=novalocal
>> libvirt_type=kvm
>> floating_range=10.192.76.0/25
>> fixed_range=192.168.32.0/22
>> auto_assign_floating_ip=False
>> novncproxy_base_url=http://10.192.75.190:6080/vnc_auto.html
>> flat_interface=lo
>> vnc_enabled=True
>> flat_network_bridge=br100
>>
>>
>
_______________________________________________
rhos-list mailing list
rhos-list at redhat.com
https://www.redhat.com/mailman/listinfo/rhos-list