<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi there,<div class=""><br class=""></div><div class="">In a fresh devstack (master branch) install, </div><div class=""><br class=""></div><div class="">1. I booted up a cirros instance and associated it with a floating IP. </div><div class="">2. Created a security group rule to allow TCP port 22 and associated it with the nova instance.</div><div class="">3. From the qrouter namespace, I can ping both the private and fip address of the instance.</div><div class="">4. But, couldn’t ssh into the instance from the external network using its fip.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><div style="margin: 0px;" class="">neutron net-list</div><div style="margin: 0px;" class="">+--------------------------------------+---------+----------------------------------------------------------+</div><div style="margin: 0px;" class="">| id | name | subnets |</div><div style="margin: 0px;" class="">+--------------------------------------+---------+----------------------------------------------------------+</div><div style="margin: 0px;" class="">| 376357b1-6abe-46c1-844b-548a051391d5 | public | 41b86431-41d6-4503-8329-767f84bad4d5 172.24.4.0/24 |</div><div style="margin: 0px;" class="">| | | 79f0bf72-8c98-478b-a463-b6e3a101e6b7 2001:db8::/64 |</div><div style="margin: 0px;" class="">| ebe713c9-5064-48ec-9094-e44e150d36ad | private | c7ebd45c-5a1f-4d97-a90e-b221f19c7177 10.0.0.0/24 |</div><div style="margin: 0px;" class="">| | | d7aac86f-0b2c-4dd4-88cf-246bfb58006e fd69:7a94:27b7::/64 |</div><div style="margin: 0px;" class="">+--------------------------------------+---------+----------------------------------------------------------+</div><div style="margin: 0px;" 
class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">$ neutron router-list</div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">+--------------------------------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------+</div><div style="margin: 0px;" class="">| id | name | external_gateway_info | distributed | ha |</div><div style="margin: 0px;" class="">+--------------------------------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------+</div><div style="margin: 0px;" class="">| 46715086-3f9c-4fb1-91b4-b41da24baa2f | router1 | {"network_id": "376357b1-6abe-46c1-844b-548a051391d5", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "41b86431-41d6-4503-8329-767f84bad4d5", "ip_address": "172.24.4.2"}, {"subnet_id": "79f0bf72-8c98-478b-a463-b6e3a101e6b7", "ip_address": "2001:db8::1"}]} | True | False |</div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">+--------------------------------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------+</div></div></div></div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">$ neutron security-group-rule-list</div><div 
style="margin: 0px;" class="">+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+</div><div style="margin: 0px;" class="">| id | security_group | direction | ethertype | protocol/port | remote |</div><div style="margin: 0px;" class="">+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+</div><div style="margin: 0px;" class="">| 1cfb9a69-61e0-4df3-b04c-f9f9f4a54cc3 | default | egress | IPv4 | any | any |</div><div style="margin: 0px;" class="">| 4afe5008-c192-4582-95c8-21b1f64ab2a5 | default | ingress | IPv6 | any | default (group) |</div><div style="margin: 0px;" class="">| 5ce1e34d-7b9d-41d8-9a15-94711824ae68 | secgroup1 | ingress | IPv4 | 22/tcp | any |</div><div style="margin: 0px;" class="">| 6b3a8008-b446-4004-a72a-6ea2c9bbf375 | default | egress | IPv6 | any | any |</div><div style="margin: 0px;" class="">| 7feb5969-5f9d-4525-93a3-a108db59f65b | default | egress | IPv6 | any | any |</div><div style="margin: 0px;" class="">| 7ff6a82f-6c8c-4bb5-b893-d06272b0d69b | default | ingress | IPv4 | any | default (group) |</div><div style="margin: 0px;" class="">| 90f385c9-de19-4ede-b4ef-bf199537b49b | secgroup1 | egress | IPv6 | any | any |</div><div style="margin: 0px;" class="">| c21ed80d-fbee-4db6-8518-60a1070aff20 | secgroup1 | egress | IPv4 | 22/tcp | any |</div><div style="margin: 0px;" class="">| c3d1f6ea-b7c4-47ea-ace3-f9b3b1bf8d25 | default | egress | IPv4 | any | any |</div><div style="margin: 0px;" class="">| dc09a10a-37db-4a33-9abc-00798221254e | secgroup1 | egress | IPv4 | any | any |</div><div style="margin: 0px;" class="">| df4d7930-6ce0-43c8-996f-ced126c7cba0 | default | ingress | IPv4 | any | default (group) |</div><div style="margin: 0px;" class="">| e0d84fea-e47c-48f6-a29b-d41231674256 | default | ingress | IPv6 | any | default (group) |</div><div style="margin: 0px;" 
class="">+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+</div></div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">$ nova show node1</div><div style="margin: 0px;" class="">+--------------------------------------+-----------------------------------------------------------------+</div><div style="margin: 0px;" class="">| Property | Value |</div><div style="margin: 0px;" class="">+--------------------------------------+-----------------------------------------------------------------+</div><div style="margin: 0px;" class="">| OS-DCF:diskConfig | MANUAL |</div><div style="margin: 0px;" class="">| OS-EXT-AZ:availability_zone | nova |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:host | ubuntu |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:hostname | node1 |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:hypervisor_hostname | ubuntu |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:instance_name | instance-00000002 |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:kernel_id | |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:launch_index | 0 |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:ramdisk_id | |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:reservation_id | r-nokf6xx0 |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |</div><div style="margin: 0px;" class="">| OS-EXT-SRV-ATTR:user_data | - |</div><div style="margin: 0px;" class="">| OS-EXT-STS:power_state | 1 |</div><div style="margin: 0px;" class="">| OS-EXT-STS:task_state | - |</div><div style="margin: 0px;" class="">| OS-EXT-STS:vm_state | active |</div><div style="margin: 0px;" class="">| OS-SRV-USG:launched_at | 2015-11-09T21:59:13.000000 |</div><div style="margin: 0px;" class="">| OS-SRV-USG:terminated_at | - |</div><div style="margin: 
0px;" class="">| accessIPv4 | |</div><div style="margin: 0px;" class="">| accessIPv6 | |</div><div style="margin: 0px;" class="">| config_drive | True |</div><div style="margin: 0px;" class="">| created | 2015-11-09T21:59:03Z |</div><div style="margin: 0px;" class="">| flavor | m1.tiny (1) |</div><div style="margin: 0px;" class="">| hostId | 3cd3087bf1edbd27ef36a03a5b862b810aa8653fed924c9efd6dca8b |</div><div style="margin: 0px;" class="">| id | c936d684-5a20-4842-b47d-f6c336eb4e96 |</div><div style="margin: 0px;" class="">| image | cirros-0.3.3-x86_64-disk (cc56d0b4-d143-4859-971d-5ef6ba9e2820) |</div><div style="margin: 0px;" class="">| key_name | - |</div><div style="margin: 0px;" class="">| metadata | {} |</div><div style="margin: 0px;" class="">| name | node1 |</div><div style="margin: 0px;" class="">| os-extended-volumes:volumes_attached | [] |</div><div style="margin: 0px;" class="">| private network | 10.0.0.4, fd69:7a94:27b7:0:f816:3eff:fe39:59ac, 172.24.4.5 |</div><div style="margin: 0px;" class="">| progress | 0 |</div><div style="margin: 0px;" class="">| security_groups | default, secgroup1 |</div><div style="margin: 0px;" class="">| status | ACTIVE |</div><div style="margin: 0px;" class="">| tenant_id | 5a93452f68c04785aff04fb4572f7472 |</div><div style="margin: 0px;" class="">| updated | 2015-11-09T21:59:13Z |</div><div style="margin: 0px;" class="">| user_id | 124d5155bc9742d2a3f7e018ada5bd07 |</div><div style="margin: 0px;" class="">+--------------------------------------+-----------------------------------------------------------------+</div><div style="margin: 0px;" class=""><br class=""></div></div></div></div><div class=""><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">$ sudo ip route add 172.24.4.0/24 dev br-ex</div></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><div style="margin: 0px;" class="">$ 
route -n</div><div style="margin: 0px;" class="">Kernel IP routing table</div><div style="margin: 0px;" class="">Destination Gateway Genmask Flags Metric Ref Use Iface</div><div style="margin: 0px;" class="">0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0</div><div style="margin: 0px;" class="">10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0</div><div style="margin: 0px;" class="">172.24.4.0 0.0.0.0 255.255.255.0 U 0 0 0 br-ex</div><div style="margin: 0px;" class="">192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">$ ip netns </div><div style="margin: 0px;" class="">snat-46715086-3f9c-4fb1-91b4-b41da24baa2f</div><div style="margin: 0px;" class="">qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f</div><div style="margin: 0px;" class="">qdhcp-ebe713c9-5064-48ec-9094-e44e150d36ad</div></div><div class=""><br class=""></div></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><div style="margin: 0px;" class="">$ sudo ip netns exec qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f ssh <a href="mailto:cirros@10.0.0.4" class="">cirros@10.0.0.4</a></div><div style="margin: 0px;" class=""><a href="mailto:cirros@10.0.0.4" class="">cirros@10.0.0.4</a>'s password: </div><div style="margin: 0px;" class="">$ exit</div><div style="margin: 0px;" class="">Connection to 10.0.0.4 closed.</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">$ sudo ip netns exec qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f ssh <a href="mailto:cirros@172.24.4.5" class="">cirros@172.24.4.5</a></div><div style="margin: 0px;" class="">The authenticity of host '172.24.4.5 (172.24.4.5)' can't be established.</div><div style="margin: 0px;" class="">RSA key fingerprint is 4a:96:f0:ea:1f:d0:4e:bb:0f:3f:74:f8:b4:3c:7e:75.</div><div style="margin: 0px;" class="">Are you sure you want to continue connecting 
(yes/no)? yes</div><div style="margin: 0px;" class="">Warning: Permanently added '172.24.4.5' (RSA) to the list of known hosts.</div><div style="margin: 0px;" class=""><a href="mailto:cirros@172.24.4.5" class="">cirros@172.24.4.5</a>'s password: </div><div style="margin: 0px;" class="">$ exit</div><div style="margin: 0px;" class="">Connection to 172.24.4.5 closed.</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">$ sudo ip netns exec qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f ip a </div><div style="margin: 0px;" class="">1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default </div><div style="margin: 0px;" class=""> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</div><div style="margin: 0px;" class=""> inet 127.0.0.1/8 scope host lo</div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class=""> inet6 ::1/128 scope host </div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class="">2: rfp-46715086-3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000</div><div style="margin: 0px;" class=""> link/ether ca:fb:c6:7d:05:36 brd ff:ff:ff:ff:ff:ff</div><div style="margin: 0px;" class=""> inet 169.254.31.28/31 scope global rfp-46715086-3</div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class=""> inet 172.24.4.5/32 brd 172.24.4.5 scope global rfp-46715086-3</div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class=""> inet6 fe80::c8fb:c6ff:fe7d:536/64 scope link </div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class="">6: qr-f97ba294-61: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default </div><div 
style="margin: 0px;" class=""> link/ether fa:16:3e:db:4e:c1 brd ff:ff:ff:ff:ff:ff</div><div style="margin: 0px;" class=""> inet6 fd69:7a94:27b7::1/64 scope global </div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class=""> inet6 fe80::f816:3eff:fedb:4ec1/64 scope link </div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class="">8: qr-2eedb07a-73: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default </div><div style="margin: 0px;" class=""> link/ether fa:16:3e:36:70:4d brd ff:ff:ff:ff:ff:ff</div><div style="margin: 0px;" class=""> inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-2eedb07a-73</div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class=""> inet6 fe80::f816:3eff:fe36:704d/64 scope link </div><div style="margin: 0px;" class=""> valid_lft forever preferred_lft forever</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class="">$ sudo ip netns exec qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f route -n</div><div style="margin: 0px;" class="">Kernel IP routing table</div><div style="margin: 0px;" class="">Destination Gateway Genmask Flags Metric Ref Use Iface</div><div style="margin: 0px;" class="">10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-2eedb07a-73</div><div style="margin: 0px;" class="">169.254.31.28 0.0.0.0 255.255.255.254 U 0 0 0 rfp-46715086-3</div></div><div style="margin: 0px;" class=""><br class=""></div></div></div></div><div class="">Can someone please point out what is going wrong here? Thank you!</div><div class=""><br class=""></div><div class="">-Aishwarya.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></body></html>