Solved

I have an OpenStack setup and I cannot ping from host inward beyond the internal qrouter interface

Posted on 2014-10-13
Last Modified: 2014-10-19
I have an OpenStack setup and I have full access out from VMs etc. One thing that I cannot do though is ping from host internally beyond the qrouter internal interface. Can anyone suggest a resolution?

# traceroute -d 172.16.100.1
traceroute to 172.16.100.1 (172.16.100.1), 30 hops max, 60 byte packets
 1  172.16.100.1 (172.16.100.1)  0.348 ms  0.293 ms  0.313 ms

# traceroute -d 172.16.100.2    <- I would expect this to go via 172.16.100.1
traceroute to 172.16.100.2 (172.16.100.2), 30 hops max, 60 byte packets
 1  10.10.12.1 (10.10.12.1)  2.025 ms  4.112 ms  2.971 ms
 2  10.10.1.2 (10.10.1.2)  0.734 ms  1.148 ms  0.960 ms
 3  adsl1-p755.ras.network-ie.net (217.173.221.245)  3.964 ms  5.025 ms  3.950 ms

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.12.0      0.0.0.0         255.255.255.0   U     0      0        0 br-ex
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ex
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1017   0        0 br-ex
0.0.0.0         10.10.12.1      0.0.0.0         UG    0      0        0 br-ex

# ip netns
qdhcp-5760ed3e-aac4-423a-b245-bf55f7769d5c   <- 172.16.100.2
qrouter-b270939e-fc52-444f-a215-1cb203f6145a  <- 172.16.100.1

I can ping from namespace:
# ip netns exec qrouter-b270939e-fc52-444f-a215-1cb203f6145a ping 172.16.100.2
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.512 ms


A ping of 172.16.100.2 doesn't even hit qrouter.
Question by:mickt

Expert Comment

by:Mazdajai
ID: 40379070
Is this NATed  and under which hypervisor? Do you have iptables running?

Author Comment

by:mickt
ID: 40379287
kvm & iptables is running.

# iptables-save
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*filter
:INPUT ACCEPT [10:360]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8315:2078088]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80  incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in:  incoming neutron_dhcp_in_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5900:5999,16509 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.7" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -p udp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out:  outgoing neutron_dhcp_out_10.10.12.7" -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-INPUT -d 10.10.12.7/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*mangle
:PREROUTING ACCEPT [8540:2072504]
:INPUT ACCEPT [8384:2066264]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8316:2078788]
:POSTROUTING ACCEPT [8316:2078788]
:nova-api-POSTROUTING - [0:0]
-A POSTROUTING -j nova-api-POSTROUTING
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*nat
:PREROUTING ACCEPT [158:6336]
:POSTROUTING ACCEPT [49:3282]
:OUTPUT ACCEPT [49:3282]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-POSTROUTING - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:neutron-openvswi-float-snat - [0:0]
:neutron-openvswi-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A POSTROUTING -j neutron-openvswi-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A neutron-openvswi-snat -j neutron-openvswi-float-snat
-A neutron-postrouting-bottom -j neutron-openvswi-snat
-A nova-api-snat -j nova-api-float-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Tue Oct 14 08:28:41 2014

Accepted Solution

by:mickt
ID: 40379473
should have added route with gateway 172.16.100.1, i.e.

route add -net 172.16.100.0/24 gateway 172.16.100.1

etc.

sorted now.
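
An added illustration, not part of the original thread: this Python example runs a longest-prefix match over the `route -n` table posted in the question and shows which entry is selected for 172.16.100.2 before and after the /24 route from the accepted solution is added. It models only the main routing table (most specific prefix first, then lowest metric), and the `br-ex` device on the added route is an assumption.

```python
import ipaddress

# `route -n` rows exactly as posted in the question (header lines omitted).
ROUTE_N = """\
10.10.12.0      0.0.0.0         255.255.255.0   U     0      0        0 br-ex
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ex
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1017   0        0 br-ex
0.0.0.0         10.10.12.1      0.0.0.0         UG    0      0        0 br-ex
"""

def parse_route_n(text):
    """Turn `route -n` rows into (network, gateway-or-None, metric, iface)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # skip blank or malformed rows
        dest, gw, mask, flags, metric, _ref, _use, iface = f
        net = ipaddress.ip_network(f"{dest}/{mask}")
        gateway = ipaddress.ip_address(gw) if "G" in flags else None
        routes.append((net, gateway, int(metric), iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; ties are broken by the lowest metric."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))

def describe(route):
    net, gw, _metric, iface = route
    hop = f"via {gw}" if gw else "on-link"
    return f"{net} {hop} dev {iface}"

before = parse_route_n(ROUTE_N)
# Route from the accepted solution. The interface name is an assumption:
# the post does not say which device the new route was attached to.
fix = (ipaddress.ip_network("172.16.100.0/24"),
       ipaddress.ip_address("172.16.100.1"), 0, "br-ex")
after = before + [fix]

if __name__ == "__main__":
    print("before:", describe(lookup(before, "172.16.100.2")))
    print("after: ", describe(lookup(after, "172.16.100.2")))
```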

Author Comment

by:mickt
ID: 40379567
Also added

route add -net 172.16.0.0/16 gw 10.10.12.7  <- host IP

else you get SIOCADDRT: No such process error

Author Closing Comment

by:mickt
ID: 40389840
It answers my question.