openstack team mailing list archive

Re: floating IPs not routed from inside

 

On 10/25/2012 10:27 AM, Christian Parpart wrote:
> Hey all,
> 
> we're having quite a few compute nodes with Essex installed and one central
> nova-network gateway.
> 
> We now have a few floating IPs set up to route from the world through the
> gateway to these VMs.
> 
> However, accessing these floating (public) IPs from inside a *tenant's VM*
> results in timeouts,
> but accessing the very same IP from a compute node (hypervisor) hosting those
> VMs actually does work.

Is the floating IP assigned to the VM trying to access itself?  I know there was
a change to fix that (search for hairpin_mode) and pretty sure it was in Essex.

> Now I'm a bit confused, it seems like a routing issue or iptables NAT thing and
> would be really grateful
> if anyone can help me out with a hint. :)

What does tcpdump on the bridge show?  Are the packets going out and coming
back?  If not you need to start looking on other interfaces for it (or use -i
any), and if that doesn't help start looking at the iptables counters for the
rules associated with the instance.

> Is this known to not work or what do you need from me to actually understand my
> issue a bit more?

It should work assuming there is a security group rule allowing it, which is
something else to look at.

-Brian
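
The iptables counter check suggested in the reply above, as an added example that is not part of the original message: it filters `iptables-save -c` output down to the rules that name one address and flags rules whose packet counter is still zero. The sample rules and all addresses are constructed for illustration (built-in chains only, not copied from a real nova-network host).

```shell
#!/bin/sh
# Added example: show which iptables rules mention an address, with counters.
# On a live host the input would come from:  iptables-save -c | rules_for_ip ADDR
# Rule lines in that format look like:  [packets:bytes] -A CHAIN ...match/target...

rules_for_ip() {
    # $1 = address to look for (floating or fixed IP), compared as a whole token
    awk -v ip="$1" '
        /^\*/ { table = substr($0, 2); next }       # "*nat" / "*filter" starts a table
        /^\[[0-9]+:[0-9]+\] -A / {
            hit = 0
            for (i = 2; i <= NF; i++) {
                addr = $i
                sub(/\/32$/, "", addr)              # hosts are printed as a.b.c.d/32
                if (addr == ip) hit = 1
            }
            if (!hit) next
            split(substr($1, 2, length($1) - 2), c, ":")   # c[1]=packets, c[2]=bytes
            # A zero counter means no packet has matched the rule since the
            # counters were last reset.
            printf "%s %s %s %s\n", table, $3, c[1], (c[1] == 0 ? "NEVER-HIT" : "hit")
        }'
}

# Constructed sample: 203.0.113.10 plays the floating IP, 10.0.0.5 the fixed IP.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
[42:2520] -A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
[0:0] -A OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
[17:1020] -A POSTROUTING -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
[5:300] -A POSTROUTING -s 10.0.0.9/32 -j SNAT --to-source 203.0.113.11
COMMIT
*filter
[0:0] -A FORWARD -d 10.0.0.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Columns: table, chain, packet count, status
printf '%s\n' "$SAMPLE" | rules_for_ip 203.0.113.10
```

Running it once before and once after a test connection from inside the VM shows which counters moved, which narrows down where the packets stop.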

