Hi there,
I'm running Grizzly on Ubuntu 12.04 in this topology:
http://docs.openstack.org/trunk/openstack-network/admin/content/connectivity.html
and using the per-tenant routers with private networks.
I just found out that my VMs (all except one) can't access the internet
if I associate a floating IP with them.
As soon as I disassociate the floating IP, the VM can ping 8.8.8.8.
Has anyone experienced this?
Here is the iptables-save output of the virtual router (configured thanks to
the l3 agent):
(The VMs' floating IPs are 192.168.202.X. The weirdest thing is
that only the VM using the 192.168.202.4 floating IP can access the
internet.)
Thanks for your help...
root@rajesh:~# ip netns exec qrouter-e75c9ae7-c814-42c3-bd9e-9002c025aa95 iptables-save
# Generated by iptables-save v1.4.12 on Tue Apr 30 01:52:01 2013
*mangle
:PREROUTING ACCEPT [103801:72619178]
:INPUT ACCEPT [29779:8190400]
:FORWARD ACCEPT [73997:64361803]
:OUTPUT ACCEPT [3336:330688]
:POSTROUTING ACCEPT [77333:64692491]
COMMIT
# Completed on Tue Apr 30 01:52:01 2013
# Generated by iptables-save v1.4.12 on Tue Apr 30 01:52:01 2013
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-POSTROUTING - [0:0]
:quantum-l3-agent-PREROUTING - [0:0]
:quantum-l3-agent-float-snat - [0:0]
:quantum-l3-agent-snat - [0:0]
:quantum-postrouting-bottom - [0:0]
-A PREROUTING -j quantum-l3-agent-PREROUTING
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A POSTROUTING -j quantum-l3-agent-POSTROUTING
-A POSTROUTING -j quantum-postrouting-bottom
-A quantum-l3-agent-OUTPUT -d 192.168.202.4/32 -j DNAT --to-destination 10.0.0.4
-A quantum-l3-agent-OUTPUT -d 192.168.202.3/32 -j DNAT --to-destination 10.0.0.2
-A quantum-l3-agent-OUTPUT -d 192.168.202.6/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-POSTROUTING ! -i qg-53c422b7-8a ! -o qg-53c422b7-8a -m conntrack ! --ctstate DNAT -j ACCEPT
-A quantum-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A quantum-l3-agent-PREROUTING -d 192.168.202.4/32 -j DNAT --to-destination 10.0.0.4
-A quantum-l3-agent-PREROUTING -d 192.168.202.3/32 -j DNAT --to-destination 10.0.0.2
-A quantum-l3-agent-PREROUTING -d 192.168.202.6/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-float-snat -s 10.0.0.4/32 -j SNAT --to-source 192.168.202.4
-A quantum-l3-agent-float-snat -s 10.0.0.2/32 -j SNAT --to-source 192.168.202.3
-A quantum-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 192.168.202.6
-A quantum-l3-agent-snat -j quantum-l3-agent-float-snat
-A quantum-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 192.168.202.2
-A quantum-postrouting-bottom -j quantum-l3-agent-snat
COMMIT
# Completed on Tue Apr 30 01:52:01 2013
# Generated by iptables-save v1.4.12 on Tue Apr 30 01:52:01 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [23:2028]
:OUTPUT ACCEPT [0:0]
:quantum-filter-top - [0:0]
:quantum-l3-agent-FORWARD - [0:0]
:quantum-l3-agent-INPUT - [0:0]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-local - [0:0]
-A INPUT -j quantum-l3-agent-INPUT
-A FORWARD -j quantum-filter-top
-A FORWARD -j quantum-l3-agent-FORWARD
-A OUTPUT -j quantum-filter-top
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A quantum-filter-top -j quantum-l3-agent-local
-A quantum-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Tue Apr 30 01:52:01 2013
michaël
--
Michaël Van de Borne
R&D Engineer, SOA team, CETIC
Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli
www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi
_______________________________________________
Mailing list: https://launchpad.net/~openstack
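
Added example (not part of the original post, and not OpenStack code): a small check that reads `iptables-save` output from a router namespace and verifies that every floating IP has matching DNAT rules in the `quantum-l3-agent-PREROUTING` and `quantum-l3-agent-OUTPUT` chains plus the reverse SNAT rule in `quantum-l3-agent-float-snat`. The function names `unwrap`, `arg` and `audit` are hypothetical, the sample input is constructed, and the code assumes each DNAT rule carries `-d` and `--to-destination` as in the dump above; it also rejoins rule lines that a mail client has wrapped.

```python
import shlex
# Constructed sample, wrapped the way a mail client wraps long rules;
# the 192.168.202.6 mapping is deliberately incomplete.
SAMPLE = """\
*nat
-A quantum-l3-agent-OUTPUT -d 192.168.202.4/32 -j DNAT --to-destination 10.0.0.4
-A quantum-l3-agent-PREROUTING -d 192.168.202.4/32 -j DNAT
--to-destination 10.0.0.4
-A quantum-l3-agent-float-snat -s 10.0.0.4/32 -j SNAT --to-source
192.168.202.4
-A quantum-l3-agent-PREROUTING -d 192.168.202.6/32 -j DNAT
--to-destination 10.0.0.5
COMMIT
"""
STARTS = ("-A ", ":", "*", "#", "COMMIT")  # tokens that begin a real iptables-save line

def unwrap(text):
    """Rejoin rule lines that were wrapped onto a continuation line."""
    out = []
    for s in filter(None, (l.strip() for l in text.splitlines())):
        if out and out[-1].startswith("-A ") and not s.startswith(STARTS):
            out[-1] += " " + s
        else:
            out.append(s)
    return out

def arg(tok, flag):
    # Value following a flag, or None when the flag is absent.
    return tok[tok.index(flag) + 1] if flag in tok else None

def audit(text, prefix="quantum-l3-agent"):
    """Map each floating IP to a list of problems (empty list = consistent)."""
    dnat, snat, table = {}, {}, None
    for line in unwrap(text):
        table = line[1:] if line.startswith("*") else table
        if table != "nat" or not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        chain, target = tok[1], arg(tok, "-j")
        if target == "DNAT" and chain in (prefix + "-PREROUTING", prefix + "-OUTPUT"):
            fip = arg(tok, "-d").split("/")[0]
            dnat.setdefault(fip, {})[chain.rsplit("-", 1)[1]] = arg(tok, "--to-destination")
        elif target == "SNAT" and chain == prefix + "-float-snat":
            snat[arg(tok, "-s").split("/")[0]] = arg(tok, "--to-source")
    report = {}
    for fip, chains in dnat.items():
        probs = ["no DNAT in " + c for c in ("PREROUTING", "OUTPUT") if c not in chains]
        fixed = sorted(set(chains.values()))
        probs += [f"no float-snat {ip} -> {fip}" for ip in fixed if snat.get(ip) != fip]
        report[fip] = probs
    return report
```

The NAT rules posted above pass this check for all three floating IPs, so it rules out a missing or mismatched per-IP NAT rule but says nothing about other causes.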