[neutron] Floating ips instances not appear in tcpdump

Sean Mooney smooney at redhat.com
Fri Nov 20 15:09:28 UTC 2020


On Fri, 2020-11-20 at 11:41 +0100, Cristina Mayo wrote:
> I'm using installation guides with the self service network option (that includes ML2 plugin and linux bridge agent):
> https://docs.openstack.org/neutron/train/install/install-ubuntu.html
> What I mean is, for example, if I have an apache server running on an instance with a public ip address (floating ip). When I access that apache
> server from whatever external network and I capture the traffic on the instance, all packets come from the same IP.
that is not how neutron should work by default.
it sounds like you have set up a NAT on the external interface.

how did you connect the external interface to the outside world?

normally you would create a neutron external network and attach your tenant's router to that network.
you would then configure the subnet of that external network on your infrastructure router, assigning your physical router the gateway ip address of the
network.

basically, did you NAT the traffic to the host?

https://www.rdoproject.org/networking/networking-in-too-much-detail/#network-host-external-traffic-kl

e.g. something like this
# ip addr add 172.24.4.225/28 dev br-ex
# iptables -A FORWARD -d 172.24.4.224/28 -j ACCEPT
# iptables -A FORWARD -s 172.24.4.224/28 -j ACCEPT
# iptables -t nat -I POSTROUTING 1 -s 172.24.4.224/28 -j MASQUERADE



or did you add the interface to the bridge like this

ovs-vsctl add-port br-ex eth2

that's how you would do it for ovs, but for linux bridge it's similar.
https://docs.openstack.org/install-guide/launch-instance-networks-provider.html
describes how to configure a provider network with linux bridge.

my best guess is that you have assigned the external network gateway ip to the openstack controller with ip 172.24.4.100
and that is NATing the traffic.



> I supposed that the controller node is retransmitting the packets and putting its ip address on them.
> I capture some packets with tcpdump in this openstack instance with a public ip (floating_ip), for example 172.24.4.228/32, and I have a controller
> node with a public IP, for example 172.24.4.100/32. The traces of traffic are something like this, but they should have other external source IPs:
> 
> # tcpdump tcp and port 443
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens7, link-type EN10MB (Ethernet), capture size 262144 bytes
> 13:21:17.272668 IP 172.24.4.100.49718 > 172.24.4.228.https: Flags [S], seq 3072401769, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 911923475 ecr 0,sackOK,eol], length 0
> 13:21:17.272787 IP 172.24.4.228.https > 172.24.4.100.49718: Flags [S.], seq 678353364, ack 3072401770, win 64308, options [mss 1410,sackOK,TS val 246556960 ecr 911923475,nop,wscale 7], length 0
> 13:21:17.273556 IP 172.24.4.100.49718 > 172.24.4.228.https: Flags [.], ack 1, win 2053, options [nop,nop,TS val 911923476 ecr 246556960], length 0
> 
> So, I can't filter the traffic (in this case http/https) received in the openstack instance because all of it has the same IP address. The only way that
> I can see the original ips is by capturing packets on the controller node.
> I don't have a lot of experience and I'd like to understand it. I hope I have explained it better than before.
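As an added example (not from this thread), the check below locates the nat POSTROUTING rule that would rewrite an external client's source address on its way to a floating IP, which is the symptom in the tcpdump above. It takes `iptables-save -t nat` style text as input; the rule set, client address 203.0.113.5 and interface names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output, modelled on the
# MASQUERADE rules quoted in the reply above; not captured from a real host.
SAMPLE_NAT_RULES = """\
*nat
-A POSTROUTING -s 172.24.4.224/28 -j MASQUERADE
-A POSTROUTING ! -s 172.24.4.0/24 -o br-ex -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.0.2.1
COMMIT
"""

def parse_postrouting(text):
    """Parse -A POSTROUTING lines into a target plus (-s/-d/-o) matches;
    negated matches ("! -s ...") keep a flag so they evaluate correctly."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", "POSTROUTING"]:
            continue
        rule = {"raw": line, "target": None, "matches": []}
        i, negate = 2, False
        while i < len(toks):
            opt = toks[i]
            if opt == "!":
                negate, i = True, i + 1
                continue
            has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            arg = toks[i + 1] if has_arg else None
            if opt == "-j":
                rule["target"] = arg
            elif opt in ("-s", "-d"):
                rule["matches"].append((opt, ipaddress.ip_network(arg, strict=False), negate))
            elif opt == "-o":
                rule["matches"].append((opt, arg, negate))
            negate = False
            i += 2 if has_arg else 1
        rules.append(rule)
    return rules

def source_rewriting_rules(text, client_ip, floating_ip, out_iface):
    """Return the raw POSTROUTING rules that would SNAT/MASQUERADE a packet
    from client_ip to floating_ip leaving via out_iface."""
    packet = {"-s": ipaddress.ip_address(client_ip),
              "-d": ipaddress.ip_address(floating_ip), "-o": out_iface}
    hits = []
    for rule in parse_postrouting(text):
        if rule["target"] not in ("MASQUERADE", "SNAT"):
            continue
        ok = True
        for opt, value, negate in rule["matches"]:
            matched = packet[opt] == value if opt == "-o" else packet[opt] in value
            if matched == negate:  # positive match failed, or negated match hit
                ok = False
                break
        if ok:
            hits.append(rule["raw"])
    return hits
```

On a real controller, feed it the output of `iptables-save -t nat`; any rule it reports is the one hiding client addresses from the instance.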





More information about the openstack-discuss mailing list