I have an openstack setup and I cannot ping from host inward beyond the internal qrouter interface

I have an openstack setup and I have full access out from VMs etc.  One thing that I cannot do though is ping from host internally beyond the qrouter internal interface.  Anyone suggest a resolution?

# traceroute -d 172.16.100.1
traceroute to 172.16.100.1 (172.16.100.1), 30 hops max, 60 byte packets
 1  172.16.100.1 (172.16.100.1)  0.348 ms  0.293 ms  0.313 ms

# traceroute -d 172.16.100.2    <- I would expect this to go via 172.16.100.1
traceroute to 172.16.100.2 (172.16.100.2), 30 hops max, 60 byte packets
 1  10.10.12.1 (10.10.12.1)  2.025 ms  4.112 ms  2.971 ms
 2  10.10.1.2 (10.10.1.2)  0.734 ms  1.148 ms  0.960 ms
 3  adsl1-p755.ras.network-ie.net (217.173.221.245)  3.964 ms  5.025 ms  3.950 ms

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.12.0      0.0.0.0         255.255.255.0   U     0      0        0 br-ex
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ex
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1017   0        0 br-ex
0.0.0.0         10.10.12.1      0.0.0.0         UG    0      0        0 br-ex

# ip netns
qdhcp-5760ed3e-aac4-423a-b245-bf55f7769d5c   <- 172.16.100.2
qrouter-b270939e-fc52-444f-a215-1cb203f6145a  <- 172.16.100.1

I can ping from namespace:
# ip netns exec qrouter-b270939e-fc52-444f-a215-1cb203f6145a ping 172.16.100.2
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.512 ms


A ping of 172.16.100.2 doesn't even hit qrouter.
micktAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MazdajaiCommented:
Is this NATed  and under which hypervisor? Do you have iptables running?
0
micktAuthor Commented:
kvm & iptables is running.

# iptables-save
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*filter
:INPUT ACCEPT [10:360]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8315:2078088]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80  incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in:  incoming neutron_dhcp_in_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5900:5999,16509 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.7" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -p udp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out:  outgoing neutron_dhcp_out_10.10.12.7" -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-INPUT -d 10.10.12.7/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*mangle
:PREROUTING ACCEPT [8540:2072504]
:INPUT ACCEPT [8384:2066264]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8316:2078788]
:POSTROUTING ACCEPT [8316:2078788]
:nova-api-POSTROUTING - [0:0]
-A POSTROUTING -j nova-api-POSTROUTING
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*nat
:PREROUTING ACCEPT [158:6336]
:POSTROUTING ACCEPT [49:3282]
:OUTPUT ACCEPT [49:3282]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-POSTROUTING - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:neutron-openvswi-float-snat - [0:0]
:neutron-openvswi-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A POSTROUTING -j neutron-openvswi-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A neutron-openvswi-snat -j neutron-openvswi-float-snat
-A neutron-postrouting-bottom -j neutron-openvswi-snat
-A nova-api-snat -j nova-api-float-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
0
micktAuthor Commented:
should have added route with gateway 172.16.100.1, i.e.

route add -net 172.16.100.0/24 gateway 172.16.100.1

etc.

sorted now.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
micktAuthor Commented:
Also added

route add -net 172.16.0.0/16 gw 10.10.12.7  <- host IP

else you get SIOCADDRT: No such process error
0
micktAuthor Commented:
It answers my question.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.