openstack team mailing list archive

[Vishvananda Ishaya <vishvananda@xxxxxxxxx>]

Hi Markus,

It kind of depends on exactly how you are routing on the gateway host, but it might be libvirt-enabled ebtables filtering that is causing your problem here. By default we block traffic from a machine that is not coming from the same source ip and mac that is assigned to the instance. As a test you could try dropping libvirt's ebtables rules on the compute host and see if it fixes your issue:

sudo ebtables -t nat -F

If that fixes your problem you will need to figure out a way to allow certain vms to avoid getting filtering. We do something similar for cloudpipe images, so one option is to make a specific image for your gateway vms and set the conf option:

vpn_image_id=<image_uuid>

This will cause the image to be launched without filtering rules allowing it to send out packets from other macs. If the flush of ebtables doesn't fix your issue then it may be misconfiguration in the gateway vm or some quantum/ovs settings that are getting in your way.

Vish

On Jan 11, 2013, at 8:28 AM, Markus Breitlaender <Markus.Breitlaender@xxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I am trying to setup a VM/instance with two NICs that should act as a gateway and provide routing service between two quantum networks.
> 
> Steps to reproduce:
> 
> - Install OpenStack Folsom with Quantum and Horizon
> - Quantum Configuration in nova.conf:
> 
> # Network settings
> network_api_class=nova.network.quantumv2.api.API
> quantum_url=http://10.129.16.10:9696
> quantum_auth_strategy=keystone
> quantum_admin_tenant_name=zzz
> quantum_admin_username=yyy
> quantum_admin_password=xxx
> quantum_admin_auth_url=http://10.129.16.10:35357/v2.0
> libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
> linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
> firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
> 
> - I'm not running the quantum l3 agent. I am using the OVS plugin.
> - Using Horizon, create two new networks. Assign subnets 10.77.77.0/24 and 10.88.88.0/24
> - Spawn three VMs using Horizon
> - Name the first VM "gateway" and place it into both networks
> - Name the second VM "peer1" and put it into the 10.77.77.0/24 network
> - Name the third VM "peer2" and put it into the 10.88.88.0/24 network
> - Enable IP forwarding on "gateway"
> - Set the default gateway on peer1 to gateway's IP address in the 10.77.77.0/24 network
> - Set the default gateway on peer2 to gateway's IP address in the 10.88.88.0/24 network
> - Ping peer1 and peer2 from gateway - works fine for me
> - From peer1, ping gateway's interface on the 10.77.77.0/24 network.  works fine for me.
> - From peer2, ping gateway's interface on the 10.88.88.0/24 network. works fine for me.
> - Ping peer2 from peer1. Doesn't work for me, no error message
> - From peer1, ping gateway's interface on the 10.88.88.0/24 network. Doesn't work for me, no error message.
> - From peer2, ping gateway's interface on the 10.77.77.0/24 network. Doesn't work for me, no error message.
> 
> It seems that the packets with source address 10.77.77.x are not transported on the 10.88.88.x network and vice versa.
> 
> Cheers,
>    Markus
> 
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp