I have an OpenStack setup and I cannot ping from host inward beyond the internal qrouter interface

Posted on 2014-10-13
Last Modified: 2014-10-19
I have an OpenStack setup and I have full access out from VMs etc. One thing that I cannot do, though, is ping from the host internally beyond the qrouter internal interface. Can anyone suggest a resolution?

# traceroute -d 172.16.100.1
traceroute to 172.16.100.1 (172.16.100.1), 30 hops max, 60 byte packets
 1  172.16.100.1 (172.16.100.1)  0.348 ms  0.293 ms  0.313 ms

# traceroute -d 172.16.100.2    <- I would expect this to go via 172.16.100.1
traceroute to 172.16.100.2 (172.16.100.2), 30 hops max, 60 byte packets
 1  10.10.12.1 (10.10.12.1)  2.025 ms  4.112 ms  2.971 ms
 2  10.10.1.2 (10.10.1.2)  0.734 ms  1.148 ms  0.960 ms
 3  adsl1-p755.ras.network-ie.net (217.173.221.245)  3.964 ms  5.025 ms  3.950 ms

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.12.0      0.0.0.0         255.255.255.0   U     0      0        0 br-ex
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ex
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1017   0        0 br-ex
0.0.0.0         10.10.12.1      0.0.0.0         UG    0      0        0 br-ex

# ip netns
qdhcp-5760ed3e-aac4-423a-b245-bf55f7769d5c   <- 172.16.100.2
qrouter-b270939e-fc52-444f-a215-1cb203f6145a  <- 172.16.100.1

I can ping from namespace:
# ip netns exec qrouter-b270939e-fc52-444f-a215-1cb203f6145a ping 172.16.100.2
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.512 ms


A ping of 172.16.100.2 doesn't even hit qrouter.
Question by:mickt
Expert Comment

by:Mazdajai
ID: 40379070
Is this NATed, and under which hypervisor? Do you have iptables running?

Author Comment

by:mickt
ID: 40379287
kvm & iptables is running.

# iptables-save
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*filter
:INPUT ACCEPT [10:360]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8315:2078088]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80  incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in:  incoming neutron_dhcp_in_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5900:5999,16509 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.7" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -p udp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out:  outgoing neutron_dhcp_out_10.10.12.7" -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-INPUT -d 10.10.12.7/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*mangle
:PREROUTING ACCEPT [8540:2072504]
:INPUT ACCEPT [8384:2066264]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8316:2078788]
:POSTROUTING ACCEPT [8316:2078788]
:nova-api-POSTROUTING - [0:0]
-A POSTROUTING -j nova-api-POSTROUTING
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*nat
:PREROUTING ACCEPT [158:6336]
:POSTROUTING ACCEPT [49:3282]
:OUTPUT ACCEPT [49:3282]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-POSTROUTING - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:neutron-openvswi-float-snat - [0:0]
:neutron-openvswi-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A POSTROUTING -j neutron-openvswi-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A neutron-openvswi-snat -j neutron-openvswi-float-snat
-A neutron-postrouting-bottom -j neutron-openvswi-snat
-A nova-api-snat -j nova-api-float-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Tue Oct 14 08:28:41 2014

Accepted Solution

by:mickt
ID: 40379473
Should have added a route with gateway 172.16.100.1, i.e.

route add -net 172.16.100.0/24 gateway 172.16.100.1

etc.

Sorted now.

Author Comment

by:mickt
ID: 40379567
Also added

route add -net 172.16.0.0/16 gw 10.10.12.7  <- host IP

else you get a "SIOCADDRT: No such process" error.

Author Closing Comment

by:mickt
ID: 40389840
It answers my question.
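
The following is an added example, not part of the original thread: a simplified Python model of the host's route selection, run over the `route -n` table from the question, showing which first hop is chosen for 172.16.100.2 and why a gateway route is refused when the gateway is not covered by an on-link route. The helper names (`parse_route_n`, `lookup`, `add_route`, `next_hop`) and the rule "a gateway must match a route that has no gateway of its own" are assumptions of this model, not kernel code.

```python
import ipaddress

# `route -n` output copied from the question.
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.12.0      0.0.0.0         255.255.255.0   U     0      0        0 br-ex
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ex
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1017   0        0 br-ex
0.0.0.0         10.10.12.1      0.0.0.0         UG    0      0        0 br-ex
"""

def parse_route_n(text):
    """Return a list of (network, gateway or None, iface) from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        gw = None if f[1] == "0.0.0.0" else ipaddress.ip_address(f[1])
        routes.append((net, gw, f[7]))
    return routes

def lookup(routes, dst, onlink_only=False):
    """Longest-prefix match; onlink_only skips routes that need a gateway."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes
            if dst in r[0] and not (onlink_only and r[1] is not None)]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def add_route(routes, net, gw):
    """Model of `route add -net NET gw GW`: refuse a gateway that is not on-link."""
    via = lookup(routes, gw, onlink_only=True)
    if via is None:
        # Modelled failure; the thread reports it as "SIOCADDRT: No such process".
        raise OSError("SIOCADDRT: gateway not reachable through an on-link route")
    return routes + [(ipaddress.ip_network(net), ipaddress.ip_address(gw), via[2])]

def next_hop(routes, dst):
    """Describe where a packet to dst is sent first."""
    net, gw, iface = lookup(routes, dst)
    return f"{gw or dst} dev {iface} (route {net})"
```

With the 172.16.0.0/16 row removed, this model sends 172.16.100.2 to the default gateway 10.10.12.1, which is the first hop shown in the question's traceroute, and it rejects the /24 route via 172.16.100.1.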