Solved

I have an openstack setup and I cannot ping from host inward beyond the internal qrouter interface

Posted on 2014-10-13
5
285 Views
Last Modified: 2014-10-19
I have an openstack setup and I have full access out from VMs etc.  One thing that I cannot do though is ping from host internally beyond the qrouter internal interface.  Anyone suggest a resolution?

# traceroute -d 172.16.100.1
traceroute to 172.16.100.1 (172.16.100.1), 30 hops max, 60 byte packets
 1  172.16.100.1 (172.16.100.1)  0.348 ms  0.293 ms  0.313 ms

# traceroute -d 172.16.100.2    <- I would expect this to go via 172.16.100.1
traceroute to 172.16.100.2 (172.16.100.2), 30 hops max, 60 byte packets
 1  10.10.12.1 (10.10.12.1)  2.025 ms  4.112 ms  2.971 ms
 2  10.10.1.2 (10.10.1.2)  0.734 ms  1.148 ms  0.960 ms
 3  adsl1-p755.ras.network-ie.net (217.173.221.245)  3.964 ms  5.025 ms  3.950 ms

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.12.0      0.0.0.0         255.255.255.0   U     0      0        0 br-ex
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ex
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1017   0        0 br-ex
0.0.0.0         10.10.12.1      0.0.0.0         UG    0      0        0 br-ex

# ip netns
qdhcp-5760ed3e-aac4-423a-b245-bf55f7769d5c   <- 172.16.100.2
qrouter-b270939e-fc52-444f-a215-1cb203f6145a  <- 172.16.100.1

I can ping from namespace:
# ip netns exec qrouter-b270939e-fc52-444f-a215-1cb203f6145a ping 172.16.100.2
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.512 ms


A ping of 172.16.100.2 doesn't even hit qrouter.
0
Comment
Question by:mickt
  • 4
5 Comments
 
LVL 21

Expert Comment

by:Mazdajai
ID: 40379070
Is this NATed  and under which hypervisor? Do you have iptables running?
0
 

Author Comment

by:mickt
ID: 40379287
kvm & iptables is running.

# iptables-save
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*filter
:INPUT ACCEPT [10:360]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8315:2078088]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80  incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in:  incoming neutron_dhcp_in_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5900:5999,16509 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.7" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -p udp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out:  outgoing neutron_dhcp_out_10.10.12.7" -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-INPUT -d 10.10.12.7/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*mangle
:PREROUTING ACCEPT [8540:2072504]
:INPUT ACCEPT [8384:2066264]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8316:2078788]
:POSTROUTING ACCEPT [8316:2078788]
:nova-api-POSTROUTING - [0:0]
-A POSTROUTING -j nova-api-POSTROUTING
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*nat
:PREROUTING ACCEPT [158:6336]
:POSTROUTING ACCEPT [49:3282]
:OUTPUT ACCEPT [49:3282]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-POSTROUTING - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:neutron-openvswi-float-snat - [0:0]
:neutron-openvswi-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A POSTROUTING -j neutron-openvswi-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A neutron-openvswi-snat -j neutron-openvswi-float-snat
-A neutron-postrouting-bottom -j neutron-openvswi-snat
-A nova-api-snat -j nova-api-float-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
0
 

Accepted Solution

by:
mickt earned 0 total points
ID: 40379473
should have added route with gateway 172.16.100.1, i.e.

route add -net 172.16.100.0/24 gateway 172.16.100.1

etc.

sorted now.
0
 

Author Comment

by:mickt
ID: 40379567
Also added

route add -net 172.16.0.0/16 gw 10.10.12.7  <- host IP

else you get SIOCADDRT: No such process error
0
 

Author Closing Comment

by:mickt
ID: 40389840
It answers my question.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
000webhost.com default error log 1 40
Linux Desktop suggestion for Dell Inspiron 3043 13 55
How can I make money on virtual money? 2 57
Hypervisor 1 U 10 38
This is an issue that we can get adding / removing permissions in the vCSA 6.0. We can also have issues searching for users / groups in the AD (using your identify sources). This is how one of the ways to handle this issues and fix it.
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question