openstack team mailing list archive

Re: Instances can't access eachother via external (floating) ips?

 

On 04/25/2012 01:03 PM, Calvin Walton wrote:
> On Mon, 2012-04-23 at 06:45 -0700, Mike Scherbakov wrote:
>> Hi Calvin,
> Sorry I didn't respond earlier, the email temporarily got lost :)
> 
>> show us iptables -nL -t nat | grep NAT on the node with nova-network.
> 
> (192.168.0.101 is the nova-network node's "external" address)
> 
> DNAT       all  --  0.0.0.0/0            192.168.0.33        to:192.168.22.35
> DNAT       all  --  0.0.0.0/0            192.168.0.88         to:192.168.22.41
> ACCEPT     all  --  192.168.22.32/27     192.168.22.32/27     ! ctstate DNAT
> DNAT       tcp  --  0.0.0.0/0            169.254.169.254      tcp dpt:80 to:192.168.0.101:8775
> DNAT       all  --  0.0.0.0/0            192.168.0.33         to:192.168.22.35
> DNAT       all  --  0.0.0.0/0            192.168.0.88         to:192.168.22.41
> SNAT       all  --  192.168.22.35        0.0.0.0/0            to:192.168.0.33
> SNAT       all  --  192.168.22.41        0.0.0.0/0            to:192.168.0.88
> SNAT       all  --  192.168.22.32/27     0.0.0.0/0            to:192.168.0.101
> 
> Note that the nova-network is actually colocated on a machine that also
> runs nova-compute; this is a small 2-node lab deployment.
> 
>> Could it be that your fixed_range flag in nova.conf covers both
>> subnets,
>> like 192.168.0.0/16 ?
> 
> My fixed_range is very small, and doesn't overlap:
> --fixed_range=192.168.22.32/27
> 
>> Second reason - I presume that the traffic from VM will go via your
>> router if you access another VM via floating IP,
>> so router should know the route to 192.168.0.x (static/ospf?)
> 
> 192.168.0.x is the office network, and communication between other
> machines on that network and the router on that network all work fine.
> 
> In the course of trying some other things out, I found that when I
> enabled ipv4 forwarding on the nova-network box:
>   echo 1 >/proc/sys/net/ipv4/ip_forward
> Then the virtual machines /were/ able to communicate with each other via
> their floating IP addresses. I'm still not sure about what's going on,
> but it's good enough for our lab use now.
> 

In lab environments where the OpenStack network isn't routed, you will need
some special magic.  Linux iptables doesn't allow a NAT through a NAT.

Read more details here:
https://github.com/heat-api/heat/wiki/Configuring-Floating-IPs

>>
>> Regards,
>>
>> On Fri, Apr 20, 2012 at 7:03 AM, Calvin Walton
>> <calvin.walton@xxxxxxxxxx> wrote:
>>         Hi,
>>         
>>         I have instances running in Openstack using FlatDHCP
>>         networking mode.
>>         Each one has an IP address in the internal subnet
>>         (192.168.22.x) and a
>>         floating IP from the external subnet (192.168.0.x).
>>         
>>         I've found that from one instance, I cannot connect to another
>>         instance
>>         (or, in fact, even the same instance) via the external
>>         floating address
>>         (I have some monitoring tools that attempt to do this to
>>         verify that a
>>         server is running). Connections from external computers work
>>         fine.
>>         
>>         My best guess is that there is an issue with the NAT on my
>>         nova-network
>>         node not allowing loopback connections. Is this intentional,
>>         or a bug?
>>         Is there a workaround available?
>>         
>>         For reference, I'm currently using OpenStack from the
>>         'latest-milestone-test' OpenStack PPA on Ubuntu 12.04 Precise.
> 
> 


