mickt
I have an OpenStack setup and I cannot ping from the host inward beyond the internal qrouter interface
I have an OpenStack setup and I have full access out from VMs etc. One thing that I cannot do though is ping from the host internally beyond the qrouter internal interface. Can anyone suggest a resolution?
# traceroute -d 172.16.100.1
traceroute to 172.16.100.1 (172.16.100.1), 30 hops max, 60 byte packets
1 172.16.100.1 (172.16.100.1) 0.348 ms 0.293 ms 0.313 ms
# traceroute -d 172.16.100.2 <- I would expect this to go via 172.16.100.1
traceroute to 172.16.100.2 (172.16.100.2), 30 hops max, 60 byte packets
1 10.10.12.1 (10.10.12.1) 2.025 ms 4.112 ms 2.971 ms
2 10.10.1.2 (10.10.1.2) 0.734 ms 1.148 ms 0.960 ms
3 adsl1-p755.ras.network-ie.net (217.173.221.245) 3.964 ms 5.025 ms 3.950 ms
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.12.0 0.0.0.0 255.255.255.0 U 0 0 0 br-ex
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-ex
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1017 0 0 br-ex
0.0.0.0 10.10.12.1 0.0.0.0 UG 0 0 0 br-ex
# ip netns
qdhcp-5760ed3e-aac4-423a-b245-bf55f7769d5c <- 172.16.100.2
qrouter-b270939e-fc52-444f-a215-1cb203f6145a <- 172.16.100.1
I can ping from namespace:
# ip netns exec qrouter-b270939e-fc52-444f-a215-1cb203f6145a ping 172.16.100.2
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.512 ms
A ping of 172.16.100.2 doesn't even hit qrouter.
Is this NATed and under which hypervisor? Do you have iptables running?
ASKER
kvm & iptables is running.
# iptables-save
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*filter
:INPUT ACCEPT [10:360]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8315:2078088]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80 incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in: incoming neutron_dhcp_in_10.10.12.7" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 5900:5999,16509 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_10.10.12.7_10.10.12.7" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 10.10.12.20/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.20" -j ACCEPT
-A INPUT -s 10.10.12.7/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.10.12.7" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -p udp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out: outgoing neutron_dhcp_out_10.10.12.7" -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-INPUT -d 10.10.12.7/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*mangle
:PREROUTING ACCEPT [8540:2072504]
:INPUT ACCEPT [8384:2066264]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8316:2078788]
:POSTROUTING ACCEPT [8316:2078788]
:nova-api-POSTROUTING - [0:0]
-A POSTROUTING -j nova-api-POSTROUTING
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
# Generated by iptables-save v1.4.7 on Tue Oct 14 08:28:41 2014
*nat
:PREROUTING ACCEPT [158:6336]
:POSTROUTING ACCEPT [49:3282]
:OUTPUT ACCEPT [49:3282]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-POSTROUTING - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:neutron-openvswi-float-snat - [0:0]
:neutron-openvswi-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A POSTROUTING -j neutron-openvswi-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A neutron-openvswi-snat -j neutron-openvswi-float-snat
-A neutron-postrouting-bottom -j neutron-openvswi-snat
-A nova-api-snat -j nova-api-float-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Tue Oct 14 08:28:41 2014
ASKER CERTIFIED SOLUTION
ASKER
Also added
route add -net 172.16.0.0/16 gw 10.10.12.7 <- host IP
else you get SIOCADDRT: No such process error
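The routing decision behind the traceroute output in the question, and the condition behind the SIOCADDRT error mentioned just above, as an added Python example that is not from the question or from the hidden solution. The route table and addresses are the page's own, copied as sample input; the parsing, the longest-prefix lookup and the gateway check are my approximation of the kernel's behaviour, not an OpenStack or iproute2 API.

```python
import ipaddress

# Constructed from the `route -n` output in the question (Destination,
# Gateway, Genmask, Flags, Metric, Ref, Use, Iface). Gateway 0.0.0.0 means
# directly connected: the host ARPs on Iface instead of using a next hop.
ROUTE_N = """\
10.10.12.0   0.0.0.0     255.255.255.0  U  0    0 0 br-ex
172.16.0.0   0.0.0.0     255.255.0.0    U  0    0 0 br-ex
169.254.0.0  0.0.0.0     255.255.0.0    U  1002 0 0 eth0
169.254.0.0  0.0.0.0     255.255.0.0    U  1017 0 0 br-ex
0.0.0.0      10.10.12.1  0.0.0.0        UG 0    0 0 br-ex
"""


def parse_route_n(text):
    """Rows -> (network, gateway or None if directly connected, metric, iface).
    IPv4Network accepts the dotted Genmask as address/netmask."""
    table = []
    for line in text.splitlines():
        dst, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        net = ipaddress.IPv4Network(f"{dst}/{mask}")
        table.append((net, None if gw == "0.0.0.0" else gw, int(metric), iface))
    return table


def lookup(table, dst):
    """Longest-prefix match, lowest metric on ties: the kernel's choice."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in table if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]), default=None)


def gateway_reachable(table, gw):
    """Approximation of the kernel's check for `route add ... gw X`: X must be
    covered by a directly connected route. On older kernels failing it is what
    route(8) prints as 'SIOCADDRT: No such process'."""
    r = lookup(table, gw)
    return r is not None and r[1] is None


table = parse_route_n(ROUTE_N)

if __name__ == "__main__":
    for dst in ("172.16.100.1", "172.16.100.2", "8.8.8.8"):
        net, gw, _metric, iface = lookup(table, dst)
        print(f"{dst} -> {net} via {gw or 'on-link'} dev {iface}")
    # With 172.16.0.0/16 on-link, 172.16.100.2 is ARPed for on br-ex and is
    # never handed to 172.16.100.1, the qrouter address the host can ping.
    print("gw 172.16.100.1 acceptable:", gateway_reachable(table, "172.16.100.1"))
```

Dropping the 172.16.0.0/16 entry from the table makes 172.16.100.1 reachable only through the default gateway, which is exactly the state in which the gateway check fails while a gateway on the connected 10.10.12.0/24 subnet still passes.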
ASKER
It answers my question.