[rhos-list] floating IP not reachable

Vogel Nicolas nicolas.vogel at heig-vd.ch
Thu Jul 25 06:37:01 UTC 2013


Hi,

Yes that's right, I can ping and connect via SSH to my VMs from my controller using the private IP 192.168.32.2.
My controller's name is IICT-SV1259 and my VMs' names are fed32-1 and fed64-1
Here's the output:

[admin@IICT-SV1259 ~(keystone_admin)]$ ping 192.168.32.2
PING 192.168.32.2 (192.168.32.2) 56(84) bytes of data.
64 bytes from 192.168.32.2: icmp_seq=1 ttl=64 time=0.501 ms
64 bytes from 192.168.32.2: icmp_seq=2 ttl=64 time=0.334 ms
64 bytes from 192.168.32.2: icmp_seq=3 ttl=64 time=0.296 ms
^C
--- 192.168.32.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2979ms
rtt min/avg/max/mdev = 0.296/0.377/0.501/0.089 ms
 
[admin@IICT-SV1259 ~(keystone_admin)]$ ping 192.168.32.3
PING 192.168.32.3 (192.168.32.3) 56(84) bytes of data.
64 bytes from 192.168.32.3: icmp_seq=1 ttl=64 time=0.407 ms
64 bytes from 192.168.32.3: icmp_seq=2 ttl=64 time=0.219 ms
64 bytes from 192.168.32.3: icmp_seq=3 ttl=64 time=0.207 ms
64 bytes from 192.168.32.3: icmp_seq=4 ttl=64 time=0.349 ms
^C
--- 192.168.32.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3292ms
rtt min/avg/max/mdev = 0.207/0.295/0.407/0.086 ms

[admin@IICT-SV1259 ~(keystone_admin)]$ sudo ssh -i grizzli_nova-network.pem fedora@192.168.32.2
[sudo] password for admin: 
Last login: Wed Jul 24 15:31:43 2013 from 192.168.32.1
[fedora@fed32-1 ~]$ 
[fedora@fed32-1 ~]$ ping 192.168.32.3
PING 192.168.32.3 (192.168.32.3) 56(84) bytes of data.
64 bytes from 192.168.32.3: icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from 192.168.32.3: icmp_seq=2 ttl=64 time=0.581 ms
64 bytes from 192.168.32.3: icmp_seq=3 ttl=64 time=0.614 ms
64 bytes from 192.168.32.3: icmp_seq=4 ttl=64 time=0.504 ms
^C
--- 192.168.32.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.291/0.497/0.614/0.127 ms
[fedora@fed32-1 ~]$
[fedora@fed32-1 ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms

[fedora@fed32-1 ~]$ 
[fedora@fed32-1 ~]$ ping 10.192.75.1
PING 10.192.75.1 (10.192.75.1) 56(84) bytes of data.
^C
--- 10.192.75.1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8000ms

[fedora@fed32-1 ~]$ 
[fedora@fed32-1 ~]$ ping 10.192.76.1
PING 10.192.76.1 (10.192.76.1) 56(84) bytes of data.

As you can see, I'm connected to the fed32-1 VM but I can only ping my private network IPs (192.168.32.xx). There is no way to reach the external world. 10.192.75.0/24 is my management network (also used by all the OpenStack services) and 10.192.76.0/24 is the network for my floating IPs.

Here's the output from the "route" and "ifconfig" commands on my VM:
[fedora@fed32-1 ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.32.1    0.0.0.0         UG    0      0        0 eth0
192.168.32.0    *               255.255.252.0   U     0      0        0 eth0

[fedora@fed32-1 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.32.2  netmask 255.255.252.0  broadcast 192.168.35.255
        inet6 fe80::f816:3eff:fe04:d9a2  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:04:d9:a2  txqueuelen 1000  (Ethernet)
        RX packets 4319  bytes 639628 (624.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5669  bytes 668617 (652.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And here the same output on my controller:

[admin@IICT-SV1259 ~(keystone_admin)]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.192.75.0     *               255.255.255.0   U     0      0        0 em1
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
192.168.32.0    *               255.255.252.0   U     0      0        0 br100
link-local      *               255.255.0.0     U     1002   0        0 em1
default         10.192.75.1     0.0.0.0         UG    0      0        0 em1

[admin@IICT-SV1259 ~(keystone_admin)]$ ifconfig
br100     Link encap:Ethernet  HWaddr FE:16:3E:04:D9:A2  
          inet addr:192.168.32.1  Bcast:192.168.35.255  Mask:255.255.252.0
          inet6 addr: fe80::3c6c:d7ff:fe0b:c6af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5930 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:980212 (957.2 KiB)  TX bytes:1083240 (1.0 MiB)

em1       Link encap:Ethernet  HWaddr 84:2B:2B:6C:FD:0F  
          inet addr:10.192.75.190  Bcast:10.192.75.255  Mask:255.255.255.0
          inet6 addr: fe80::862b:2bff:fe6c:fd0f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:168093 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18570 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17214443 (16.4 MiB)  TX bytes:2952682 (2.8 MiB)

em2       Link encap:Ethernet  HWaddr 84:2B:2B:6C:FD:10  
          inet addr:10.192.76.135  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::862b:2bff:fe6c:fd10/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:47875 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3960287 (3.7 MiB)  TX bytes:492 (492.0 b)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1989973 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1989973 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1091699634 (1.0 GiB)  TX bytes:1091699634 (1.0 GiB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:D6:4F:DA  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vnet0     Link encap:Ethernet  HWaddr FE:16:3E:04:D9:A2  
          inet6 addr: fe80::fc16:3eff:fe04:d9a2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5720 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4361 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:675343 (659.5 KiB)  TX bytes:643288 (628.2 KiB)

vnet1     Link encap:Ethernet  HWaddr FE:16:3E:2F:A5:0E  
          inet6 addr: fe80::fc16:3eff:fe2f:a50e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3624 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:596811 (582.8 KiB)  TX bytes:570388 (557.0 KiB)

I hope that can help.
What about my nova.conf file? Is everything all right with it?
Should I modify something with the lo interface?

Thanks,
Nicolas.



-----Original Message-----
From: rhos-list-bounces at redhat.com [mailto:rhos-list-bounces at redhat.com] On Behalf Of Rhys Oxenham
Sent: Wednesday 24 July 2013 23:49
To: Nicolas VOGEL
Cc: rhos-list at redhat.com
Subject: Re: [rhos-list] floating IP not reachable

Hi Nicolas,

Thanks for sending that over, it looks good to me; the important NAT rules are in-place, e.g. 

-A nova-network-OUTPUT -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-OUTPUT -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
(And associated SNAT)

And then for the security groups-

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     icmp --  anywhere             anywhere    

Your em2 interface is also listening on the correct IP addresses:

inet 10.192.76.135/32 scope global em2
inet 10.192.76.136/32 scope global em2

So you're saying that you can directly access your instances by using the internal IP, i.e. the 192.168.32.0/22 network? But NOT via the floating IPs? I just need to understand what you cannot currently access; my concern is that there's no link between the local loopback device and your instances so I need to establish what works and what doesn't.

Cheers
Rhys


On 24 Jul 2013, at 16:43, Nicolas VOGEL <nvogel67 at hotmail.com> wrote:

> Hello Rhys,
> 
> Thanks for your answer.
> I put all the outputs you asked for.
> The outputs were made with two VMs running and floating IPs associated (192.168.32.2/10.192.76.136 and 192.168.32.3/10.192.76.135, see nova list output).
> I connected via ssh to the first VM and I could ping the second, then I think internal communication is OK.
> I put the complete output from iptables commands because I don't know what you want to verify and I'm not very good with iptables.
> Thanks for your help!
> 
> 1) ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 scope host lo
>    inet 169.254.169.254/32 scope link lo
>    inet6 ::1/128 scope host 
>       valid_lft forever preferred_lft forever
> 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>    link/ether 84:2b:2b:6c:fd:0f brd ff:ff:ff:ff:ff:ff
>    inet 10.192.75.190/24 brd 10.192.75.255 scope global em1
>    inet6 fe80::862b:2bff:fe6c:fd0f/64 scope link 
>       valid_lft forever preferred_lft forever
> 3: em2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>    link/ether 84:2b:2b:6c:fd:10 brd ff:ff:ff:ff:ff:ff
>    inet 10.192.76.135/32 scope global em2
>    inet 10.192.76.136/32 scope global em2
>    inet6 fe80::862b:2bff:fe6c:fd10/64 scope link 
>       valid_lft forever preferred_lft forever
> 4: p1p1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>    link/ether 00:1b:21:7c:b8:38 brd ff:ff:ff:ff:ff:ff
> 5: p1p2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>    link/ether 00:1b:21:7c:b8:39 brd ff:ff:ff:ff:ff:ff
> 6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
>    link/ether 52:54:00:d6:4f:da brd ff:ff:ff:ff:ff:ff
>    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
> 7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
>    link/ether 52:54:00:d6:4f:da brd ff:ff:ff:ff:ff:ff
> 9: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
>    link/ether fe:16:3e:04:d9:a2 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.32.1/22 brd 192.168.35.255 scope global br100
>    inet6 fe80::3c6c:d7ff:fe0b:c6af/64 scope link 
>       valid_lft forever preferred_lft forever
> 10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>    link/ether fe:16:3e:04:d9:a2 brd ff:ff:ff:ff:ff:ff
>    inet6 fe80::fc16:3eff:fe04:d9a2/64 scope link 
>       valid_lft forever preferred_lft forever
> 11: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>    link/ether fe:16:3e:2f:a5:0e brd ff:ff:ff:ff:ff:ff
>    inet6 fe80::fc16:3eff:fe2f:a50e/64 scope link 
>       valid_lft forever preferred_lft forever 
> ==================================================================
> 
> 2) brctl show
> bridge name     bridge id               STP enabled     interfaces
> br100           8000.fe163e04d9a2       no              vnet0
>                                                        vnet1
> virbr0          8000.525400d64fda       yes             virbr0-nic
> ==================================================================
> 
> 3) nova list
> +--------------------------------------+---------+--------+-----------------------------------------+
> | ID                                   | Name    | Status | Networks                                |
> +--------------------------------------+---------+--------+-----------------------------------------+
> | 0dd1311a-f188-4570-af5d-dbf0fe62d50e | fed32-1 | ACTIVE | novanetwork=192.168.32.2, 10.192.76.136 |
> | 57960ee0-e2f2-4a08-8560-3bf39c489b78 | fed64-1 | ACTIVE | novanetwork=192.168.32.3, 10.192.76.135 |
> +--------------------------------------+---------+--------+-----------------------------------------+
> ==================================================================
> 
> 4) nova-manage network-list
> id      IPv4                    IPv6            start address   DNS1            DNS2            VlanID          project         uuid           
> 1       192.168.32.0/22         None            192.168.32.2    8.8.4.4         None            None            None            e2e597a5-7606-4335-911a-d8cadcb840d6
> ===================================================================
> 
> 5) nova secgroup-list
> +---------+-------------+
> | Name    | Description |
> +---------+-------------+
> | default | default     |
> +---------+-------------+
> ====================================================================
> 
> 6) nova secgroup-list-rules <your assigned group>
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
> ==================================================================
> 
> 7) iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> nova-network-INPUT  all  --  anywhere             anywhere            
> nova-compute-INPUT  all  --  anywhere             anywhere            
> nova-api-INPUT  all  --  anywhere             anywhere            
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports http /* 001 horizon incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports http /* 001 nagios incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports iscsi-target,8776 /* 001 cinder incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports 5666 /* 001 nrpe incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports armtechdaemon /* 001 glance incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports rsync /* 001 rsync incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports webcache /* 001 swift proxy incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports x11,6001,6002,rsync /* 001 swift storage incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports commplex-main,35357 /* 001 keystone incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports vnc-server:cvsup /* 001 nova compute incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports mysql /* 001 mysql incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports 6080 /* 001 novncproxy incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports 8773,8774,8775 /* 001 novaapi incoming */ 
> ACCEPT     tcp  --  anywhere             anywhere            multiport dports amqp /* 001 qpid incoming */ 
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
> ACCEPT     icmp --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> nova-filter-top  all  --  anywhere             anywhere            
> nova-network-FORWARD  all  --  anywhere             anywhere            
> nova-compute-FORWARD  all  --  anywhere             anywhere            
> nova-api-FORWARD  all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
> ACCEPT     all  --  192.168.122.0/24     anywhere            
> ACCEPT     all  --  anywhere             anywhere            
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> nova-filter-top  all  --  anywhere             anywhere            
> nova-network-OUTPUT  all  --  anywhere             anywhere            
> nova-compute-OUTPUT  all  --  anywhere             anywhere            
> nova-api-OUTPUT  all  --  anywhere             anywhere            
> 
> Chain nova-api-FORWARD (1 references)
> target     prot opt source               destination         
> 
> Chain nova-api-INPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     tcp  --  anywhere             10.192.75.190       tcp dpt:8775 
> 
> Chain nova-api-OUTPUT (1 references)
> target     prot opt source               destination         
> 
> Chain nova-api-local (1 references)
> target     prot opt source               destination         
> 
> Chain nova-compute-FORWARD (1 references)
> target     prot opt source               destination         
> ACCEPT     udp  --  default              255.255.255.255     udp spt:bootpc dpt:bootps 
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere            
> 
> Chain nova-compute-INPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     udp  --  default              255.255.255.255     udp spt:bootpc dpt:bootps 
> 
> Chain nova-compute-OUTPUT (1 references)
> target     prot opt source               destination         
> 
> Chain nova-compute-inst-2 (1 references)
> target     prot opt source               destination         
> DROP       all  --  anywhere             anywhere            state INVALID 
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
> nova-compute-provider  all  --  anywhere             anywhere            
> ACCEPT     udp  --  192.168.32.1         anywhere            udp spt:bootps dpt:bootpc 
> ACCEPT     all  --  192.168.32.0/22      anywhere            
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
> ACCEPT     icmp --  anywhere             anywhere            
> nova-compute-sg-fallback  all  --  anywhere             anywhere            
> 
> Chain nova-compute-inst-3 (1 references)
> target     prot opt source               destination         
> DROP       all  --  anywhere             anywhere            state INVALID 
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
> nova-compute-provider  all  --  anywhere             anywhere            
> ACCEPT     udp  --  192.168.32.1         anywhere            udp spt:bootps dpt:bootpc 
> ACCEPT     all  --  192.168.32.0/22      anywhere            
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
> ACCEPT     icmp --  anywhere             anywhere            
> nova-compute-sg-fallback  all  --  anywhere             anywhere            
> 
> Chain nova-compute-local (1 references)
> target     prot opt source               destination         
> nova-compute-inst-2  all  --  anywhere             192.168.32.2        
> nova-compute-inst-3  all  --  anywhere             192.168.32.3        
> 
> Chain nova-compute-provider (2 references)
> target     prot opt source               destination         
> 
> Chain nova-compute-sg-fallback (2 references)
> target     prot opt source               destination         
> DROP       all  --  anywhere             anywhere            
> 
> Chain nova-filter-top (2 references)
> target     prot opt source               destination         
> nova-network-local  all  --  anywhere             anywhere            
> nova-compute-local  all  --  anywhere             anywhere            
> nova-api-local  all  --  anywhere             anywhere            
> 
> Chain nova-network-FORWARD (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere            
> 
> Chain nova-network-INPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
> 
> Chain nova-network-OUTPUT (1 references)
> target     prot opt source               destination         
> 
> Chain nova-network-local (1 references)
> target     prot opt source               destination         
> ==================================================================
> 
> 8) iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination         
> nova-network-PREROUTING  all  --  anywhere             anywhere            
> nova-compute-PREROUTING  all  --  anywhere             anywhere            
> nova-api-PREROUTING  all  --  anywhere             anywhere            
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination         
> nova-network-POSTROUTING  all  --  anywhere             anywhere            
> nova-compute-POSTROUTING  all  --  anywhere             anywhere            
> nova-api-POSTROUTING  all  --  anywhere             anywhere            
> MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535 
> MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535 
> MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
> nova-postrouting-bottom  all  --  anywhere             anywhere            
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> nova-network-OUTPUT  all  --  anywhere             anywhere            
> nova-compute-OUTPUT  all  --  anywhere             anywhere            
> nova-api-OUTPUT  all  --  anywhere             anywhere            
> 
> Chain nova-api-OUTPUT (1 references)
> target     prot opt source               destination         
> 
> Chain nova-api-POSTROUTING (1 references)
> target     prot opt source               destination         
> 
> Chain nova-api-PREROUTING (1 references)
> target     prot opt source               destination         
> 
> Chain nova-api-float-snat (1 references)
> target     prot opt source               destination         
> 
> Chain nova-api-snat (1 references)
> target     prot opt source               destination         
> nova-api-float-snat  all  --  anywhere             anywhere            
> 
> Chain nova-compute-OUTPUT (1 references)
> target     prot opt source               destination         
> 
> Chain nova-compute-POSTROUTING (1 references)
> target     prot opt source               destination         
> 
> Chain nova-compute-PREROUTING (1 references)
> target     prot opt source               destination         
> 
> Chain nova-compute-float-snat (1 references)
> target     prot opt source               destination         
> 
> Chain nova-compute-snat (1 references)
> target     prot opt source               destination         
> nova-compute-float-snat  all  --  anywhere             anywhere            
> 
> Chain nova-network-OUTPUT (1 references)
> target     prot opt source               destination         
> DNAT       all  --  anywhere             10.192.76.135       to:192.168.32.3 
> DNAT       all  --  anywhere             10.192.76.136       to:192.168.32.2 
> 
> Chain nova-network-POSTROUTING (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  192.168.32.0/22      10.192.75.190       
> ACCEPT     all  --  192.168.32.0/22      192.168.32.0/22     ! ctstate DNAT 
> SNAT       all  --  192.168.32.3         anywhere            ctstate DNAT to:10.192.76.135 
> SNAT       all  --  192.168.32.2         anywhere            ctstate DNAT to:10.192.76.136 
> 
> Chain nova-network-PREROUTING (1 references)
> target     prot opt source               destination         
> DNAT       tcp  --  anywhere             169.254.169.254     tcp dpt:http to:10.192.75.190:8775 
> DNAT       all  --  anywhere             10.192.76.135       to:192.168.32.3 
> DNAT       all  --  anywhere             10.192.76.136       to:192.168.32.2 
> 
> Chain nova-network-float-snat (1 references)
> target     prot opt source               destination         
> SNAT       all  --  192.168.32.3         192.168.32.3        to:10.192.76.135 
> SNAT       all  --  192.168.32.3         anywhere            to:10.192.76.135 
> SNAT       all  --  192.168.32.2         192.168.32.2        to:10.192.76.136 
> SNAT       all  --  192.168.32.2         anywhere            to:10.192.76.136 
> 
> Chain nova-network-snat (1 references)
> target     prot opt source               destination         
> nova-network-float-snat  all  --  anywhere             anywhere            
> SNAT       all  --  192.168.32.0/22      anywhere            to:10.192.75.190 
> 
> Chain nova-postrouting-bottom (1 references)
> target     prot opt source               destination         
> nova-network-snat  all  --  anywhere             anywhere            
> nova-compute-snat  all  --  anywhere             anywhere            
> nova-api-snat  all  --  anywhere             anywhere            
> ==================================================================
> 
> 9) iptables -S -t nat
> -P PREROUTING ACCEPT
> -P POSTROUTING ACCEPT
> -P OUTPUT ACCEPT
> -N nova-api-OUTPUT
> -N nova-api-POSTROUTING
> -N nova-api-PREROUTING
> -N nova-api-float-snat
> -N nova-api-snat
> -N nova-compute-OUTPUT
> -N nova-compute-POSTROUTING
> -N nova-compute-PREROUTING
> -N nova-compute-float-snat
> -N nova-compute-snat
> -N nova-network-OUTPUT
> -N nova-network-POSTROUTING
> -N nova-network-PREROUTING
> -N nova-network-float-snat
> -N nova-network-snat
> -N nova-postrouting-bottom
> -A PREROUTING -j nova-network-PREROUTING
> -A PREROUTING -j nova-compute-PREROUTING
> -A PREROUTING -j nova-api-PREROUTING
> -A POSTROUTING -j nova-network-POSTROUTING
> -A POSTROUTING -j nova-compute-POSTROUTING
> -A POSTROUTING -j nova-api-POSTROUTING
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
> -A POSTROUTING -j nova-postrouting-bottom
> -A OUTPUT -j nova-network-OUTPUT
> -A OUTPUT -j nova-compute-OUTPUT
> -A OUTPUT -j nova-api-OUTPUT
> -A nova-api-snat -j nova-api-float-snat
> -A nova-compute-snat -j nova-compute-float-snat
> -A nova-network-OUTPUT -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
> -A nova-network-OUTPUT -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
> -A nova-network-POSTROUTING -s 192.168.32.0/22 -d 10.192.75.190/32 -j ACCEPT
> -A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.32.0/22 -m conntrack ! --ctstate DNAT -j ACCEPT
> -A nova-network-POSTROUTING -s 192.168.32.3/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.192.76.135
> -A nova-network-POSTROUTING -s 192.168.32.2/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.192.76.136
> -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.192.75.190:8775
> -A nova-network-PREROUTING -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
> -A nova-network-PREROUTING -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
> -A nova-network-float-snat -s 192.168.32.3/32 -d 192.168.32.3/32 -j SNAT --to-source 10.192.76.135
> -A nova-network-float-snat -s 192.168.32.3/32 -o em2 -j SNAT --to-source 10.192.76.135
> -A nova-network-float-snat -s 192.168.32.2/32 -d 192.168.32.2/32 -j SNAT --to-source 10.192.76.136
> -A nova-network-float-snat -s 192.168.32.2/32 -o em2 -j SNAT --to-source 10.192.76.136
> -A nova-network-snat -j nova-network-float-snat
> -A nova-network-snat -s 192.168.32.0/22 -o em2 -j SNAT --to-source 10.192.75.190
> -A nova-postrouting-bottom -j nova-network-snat
> -A nova-postrouting-bottom -j nova-compute-snat
> -A nova-postrouting-bottom -j nova-api-snat
> ==================================================================
> 
> 10) em1 config file
> DEVICE=em1
> HWADDR=84:2B:2B:6C:FD:0F
> TYPE=Ethernet
> UUID=e65a3f54-594e-4b2a-bd63-b488ba0d7adb
> ONBOOT=yes
> NM_CONTROLLED=no
> BOOTPROTO=none
> IPADDR=10.192.75.190
> PREFIX=24
> GATEWAY=10.192.75.1
> DNS1=10.192.48.100
> DNS2=10.192.48.101
> ==================================================================
> 
> 11) em2 config file
> DEVICE=em2
> HWADDR=84:2B:2B:6C:FD:10
> TYPE=Ethernet
> UUID=ad6f5595-1df3-437d-b231-8b9e5db9c260
> ONBOOT=yes
> NM_CONTROLLED=no
> BOOTPROTO=none
> 
> ==================================================================
> 
> -----Original Message-----
> From: Rhys Oxenham [mailto:roxenham at redhat.com]
> Sent: Wednesday 24 July 2013 17:16
> To: Nicolas VOGEL
> Cc: rhos-list at redhat.com
> Subject: Re: [rhos-list] floating IP not reachable
> 
> Hi Nicolas,
> 
> When you've got the instance running and a floating-ip assigned, can 
> you please pastebin the output of-
> 
> 1) ip a
> 2) brctl show
> 3) nova list
> 4) nova-manage network-list
> 5) nova secgroup-list
> 6) nova secgroup-list-rules <your assigned group>
> 7) iptables -L
> 8) iptables -L -t nat
> 9) iptables -S -t nat
> 
> Oh, and when you have more than one instance running, can you ping between the instances via 192.168.32.0/22? Make sure to sanitise anything you need to in the pastes.
> 
> Many thanks!
> Rhys
> 
> 
> On 24 Jul 2013, at 16:05, Nicolas VOGEL <nvogel67 at hotmail.com> wrote:
> 
>> Hi,
>> 
>> I just installed a new all-in-one controller without quantum. Everything works fine and now I want to use floating IPs like described here: http://openstack.redhat.com/Floating_IP_range. I want to use my second NIC (em2) for this purpose. For the installation, I use my first NIC (em1) and packstack automatically created a bridge (br100).
>> 
>> I deleted the default network and created a new one, which is matching the subnet on which em2 is connected. After that I modified the public_interface in the nova.conf to em2 and also the floating_range with the subnet I just created. I didn't modify the flat_interface and let the default value (lo).
>> 
>> I just enabled the em2 interface but didn't assign any IP address to it.
>> I added two rules to the default group to allow ping and SSH.
>> 
>> I can start VMs and they got an internal IP address (from 192.168.32.0/22). I can also associate a floating IP to each VM. But I'm unable to ping a floating IP.
>> 
>> If someone has any idea how to resolve the problem, it would be very helpful.
>> And if someone has a configuration that runs correctly, I would be interested in how you configured your network interfaces and your nova.conf.
>> 
>> Thanks,  Nicolas.
>> 
>> Here’s an output from my nova.conf :
>> public_interface=em2
>> default_floating_pool=nova
>> novncproxy_port=6080
>> dhcp_domain=novalocal
>> libvirt_type=kvm
>> floating_range=10.192.76.0/25
>> fixed_range=192.168.32.0/22
>> auto_assign_floating_ip=False
>> novncproxy_base_url=http://10.192.75.190:6080/vnc_auto.html
>> flat_interface=lo
>> vnc_enabled=True
>> flat_network_bridge=br100
>> 
>> 
>> _______________________________________________
>> rhos-list mailing list
>> rhos-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/rhos-list
> 
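
Added example (not part of the original thread, and not Red Hat or OpenStack code): the consistency check Rhys describes in his reply, automated over `iptables -S -t nat` and `ip a` output. For each floating IP it confirms the PREROUTING and OUTPUT DNAT rules, the return SNAT on the public interface, and that the address is bound to that interface. The function names and the sample strings are assumptions; the samples are constructed from a subset of the output posted above.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: a subset of the NAT rules posted in this thread.
SAMPLE_RULES = """\
-A nova-network-OUTPUT -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-OUTPUT -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.192.75.190:8775
-A nova-network-PREROUTING -d 10.192.76.135/32 -j DNAT --to-destination 192.168.32.3
-A nova-network-PREROUTING -d 10.192.76.136/32 -j DNAT --to-destination 192.168.32.2
-A nova-network-float-snat -s 192.168.32.3/32 -o em2 -j SNAT --to-source 10.192.76.135
-A nova-network-float-snat -s 192.168.32.2/32 -o em2 -j SNAT --to-source 10.192.76.136
-A nova-network-snat -s 192.168.32.0/22 -o em2 -j SNAT --to-source 10.192.75.190
"""

# Constructed sample: the relevant lines of the `ip a` output in this thread.
SAMPLE_IP_A = """\
3: em2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 10.192.76.135/32 scope global em2
    inet 10.192.76.136/32 scope global em2
9: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 192.168.32.1/22 brd 192.168.35.255 scope global br100
"""


def host(addr):
    """Drop a /prefix so 10.192.76.135/32 compares equal to 10.192.76.135."""
    return addr.split("/")[0]


def parse_rule(line):
    """Turn one '-A chain ...' line into {'chain': ..., '-d': ..., '-j': ...}."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1]}
    i = 2
    while i < len(tok):
        if tok[i] == "!":                      # negated match: skip option and value
            i += 3
        elif tok[i].startswith("-") and i + 1 < len(tok) \
                and not tok[i + 1].startswith("-") and tok[i + 1] != "!":
            rule[tok[i]] = tok[i + 1]
            i += 2
        else:
            i += 1
    return rule


def addrs_by_iface(ip_a_text):
    """Map interface name -> set of IPv4 addresses from `ip a` output."""
    out, cur = defaultdict(set), None
    for line in ip_a_text.splitlines():
        m = re.match(r"^\s*\d+:\s+([^:@\s]+)", line)
        if m:
            cur = m.group(1)
            continue
        m = re.match(r"^\s*inet\s+([\d.]+)/\d+", line)
        if m and cur:
            out[cur].add(m.group(1))
    return out


def audit_floating_ips(rules_text, ip_a_text, public_if):
    """Return {floating_ip: {fixed, output_dnat, snat, bound, ok}}."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    bound = addrs_by_iface(ip_a_text).get(public_if, set())
    report = {}
    for r in rules:
        # Floating-IP DNATs carry no protocol match; the metadata redirect
        # (169.254.169.254, -p tcp) is excluded by that test.
        if not (r["chain"].endswith("-PREROUTING") and r.get("-j") == "DNAT"):
            continue
        if "-p" in r or "-d" not in r or "--to-destination" not in r:
            continue
        floating, fixed = host(r["-d"]), r["--to-destination"]
        # Locally generated traffic never hits PREROUTING, so OUTPUT needs a twin.
        output_dnat = any(
            o["chain"].endswith("-OUTPUT") and o.get("-j") == "DNAT"
            and host(o.get("-d", "")) == floating
            and o.get("--to-destination") == fixed
            for o in rules)
        # Replies must leave the public interface with the floating source.
        snat = any(
            s.get("-j") == "SNAT" and host(s.get("-s", "")) == fixed
            and s.get("--to-source") == floating and s.get("-o") == public_if
            for s in rules)
        entry = {"fixed": fixed, "output_dnat": output_dnat, "snat": snat,
                 "bound": floating in bound}
        entry["ok"] = entry["output_dnat"] and entry["snat"] and entry["bound"]
        report[floating] = entry
    return report


if __name__ == "__main__":
    for fip, res in sorted(audit_floating_ips(SAMPLE_RULES, SAMPLE_IP_A, "em2").items()):
        print(fip, res)
```

A clean result only confirms the NAT and address plumbing on the host; it does not test the path between the bridge and the instances, which is the open question in the thread.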

