yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2097610] Re: No connection from outside host to VPNaaS host after upgrading from Ussuri to Victoria/Wallaby

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <2097610@xxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Apr 2025 04:26:17 -0000
Reply-to: Bug 2097610 <2097610@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2097610

Title:
  No connection from outside host to VPNaaS host after upgrading from
  Ussuri to Victoria/Wallaby

Status in neutron:
  Expired

Bug description:
  Here's what I have (the update process to Wallaby is currently underway):
  - Neutron controller v.Wallaby
  - Neutron net-node1 v.Wallaby
  - Neutron net-node2 v.Victoria
  - Neutron net-node3 v.Ussuri

  There is the following topology (10.5.4.0/24 - IPSec - 192.168.255.0/24):
  """
  10.5.4.4 (VPNaaS host) -> 10.5.4.1 (VPNaaS) -> 192.168.255.21 (outside OPNsense/Mikrotik) -> 192.168.255.30 (outside host)
  """

  When I move the project router to net-node v.Ussuri then:
  i see next rules in namespace, FORWARD chain
  """
  iptables -L FORWARD -n
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination         
  ACCEPT     all  --  192.168.255.0/24     10.5.4.0/24          policy match dir in pol ipsec reqid 1 proto 50
  ACCEPT     all  --  10.5.4.0/24          192.168.255.0/24     policy match dir out pol ipsec reqid 1 proto 50
  neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
  neutron-l3-agent-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
  """
  and
  - ping from 10.5.4.4 to 192.168.255.30 - OK (0% loss)
  - ping from 192.168.255.30 to 10.5.4.1 - OK (0% loss)
  - ping from 192.168.255.30 to 10.5.4.4 - OK (0% loss)

  When I move the project router to net-node v.Victoria or Wallaby then:
  i see next rules in namespace, FORWARD chain
  """
  iptables -L FORWARD -n
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination         
  neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
  neutron-l3-agent-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
  """
  and
  - ping from 10.5.4.4 to 192.168.255.30 - OK (0% loss)
  - ping from 192.168.255.30 to 10.5.4.1 - OK (0% loss)
  - ping from 192.168.255.30 to 10.5.4.4 - not OK (100% loss)

  To fix the situation, I need to add the following rule in the project namespace:
  """
  iptables -I FORWARD 1 -s 192.168.255.0/24 -d 10.5.4.0/24 -m policy --dir in --pol ipsec -j ACCEPT

  iptables -L FORWARD -n --line-numbers
  Chain FORWARD (policy ACCEPT)
  num  target     prot opt source               destination         
  1    ACCEPT     all  --  192.168.255.0/24     10.5.4.0/24          policy match dir in pol ipsec
  2    neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
  3    neutron-l3-agent-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
  """
  then i see that
  - ping from 192.168.255.30 to 10.5.4.4 - OK (0% loss)

  
  What could be the problem and how to fix it?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2097610/+subscriptions

References

[Bug 2097610] [NEW] No connection from outside host to VPNaaS host after upgrading from Ussuri to Victoria/Wallaby
From: Dmytro Kostinov, 2025-02-07