<html><head></head><body><div class="ydpc45a297yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div dir="ltr" data-setdir="false">Hi, Laurent, Slawek,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Removing the port security did indeed solve the issue for me so I really appreciate the advice from both of you.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">On your point below Slawek:</div><div dir="ltr" data-setdir="false"><div dir="ltr" data-setdir="false"><span style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">ML2/Linuxbridge don't supports distributed routing (DVR) at all. What do You </span><span style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">mean by "distributed routing" here?"</span></div><div dir="ltr" data-setdir="false"><span style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><br></span></div><div dir="ltr" data-setdir="false"><span style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">We have enabled DVR on the nodes in the following locations:</span></div><div dir="ltr" data-setdir="false"><span style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><br></span></div><div dir="ltr" data-setdir="false"><div><div>plugins/ml2/ml2_conf.ini:enable_distributed_routing = True</div><div>plugins/ml2/linuxbridge_agent.ini:enable_distributed_routing = True</div></div><div dir="ltr" data-setdir="false"><span>neutron.conf:router_distributed = True</span><br></div><div dir="ltr" data-setdir="false"><span><br></span></div><div dir="ltr" data-setdir="false"><span>We have obviously been mistaken here, we had assumed this was working as the VM's on each compute can continue working fine if the controller is shut down. Would this be a reason that if we spin up a neutron router the interface is always down and we cannot bring it up? We're a little caught on the networking side of things.</span></div><div dir="ltr" data-setdir="false"><span><br></span></div><div dir="ltr" data-setdir="false"><span>Regards,</span></div><div dir="ltr" data-setdir="false"><span>Derek</span></div><div dir="ltr" data-setdir="false"><span><br></span></div><div dir="ltr" data-setdir="false"><span><br></span></div><div dir="ltr" data-setdir="false"><span><br></span></div></div></div><div> </div>
</div><div id="yahoo_quoted_5820706375" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Tuesday 15 February 2022, 09:41:54 GMT, Slawek Kaplonski <skaplons@redhat.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">Hi,<br clear="none"><br clear="none">On piÄ…tek, 11 lutego 2022 20:31:24 CET Laurent Dumont wrote:<br clear="none">> You might want to look at port-security if you are using an Openstack VM as<br clear="none">> more of a router. By default, it will permit only it's own mac-address +<br clear="none">> ip-address from exiting the interface.<br clear="none">> <br clear="none">> You can fully disable it to see if it's the root cause.<br clear="none">> <br clear="none">> 1. Remove allowed-address-pairs.<br clear="none">> 2. Remove security-groups<br clear="none">> 3. Disable port-security.<br clear="none"><br clear="none">It is very likely that the issue is caused by the port security on the <br clear="none">internal interface of the external vm (where packets are dropped).<br clear="none"><br clear="none">> <br clear="none">> <br clear="none">> On Thu, Feb 10, 2022 at 11:17 AM Derek O keeffe <<a shape="rect" ymailto="mailto:derekokeeffe85@yahoo.ie" href="mailto:derekokeeffe85@yahoo.ie">derekokeeffe85@yahoo.ie</a>><br clear="none">> <br clear="none">> wrote:<br clear="none">> > Hi all,<br clear="none">> > <br clear="none">> > We have an openstack cluster with one controller and 4 computes (Victoria)<br clear="none">> > we have set it up using vlan provider networks with linuxbridge agent,<br clear="none">> > distributed routing & ml2 (I am only partly on the networking so there<br clear="none">> > could be more to that which I can find out if needed)<br clear="none"><br clear="none">ML2/Linuxbridge don't supports distributed routing (DVR) at all. What do You <br clear="none">mean by "distributed routing" here?<div class="yqt9480489563" id="yqtfd06443"><br clear="none"><br clear="none">> > <br clear="none">> > So I was tasked with creating two Instances, one (lets call it the<br clear="none">> > external vm) with an external interface 10.55.9.67 and internal interface<br clear="none">> > 192.168.1.2. A second instance (lets call it the internal vm) would then <br clear="none">be<br clear="none">> > placed on the 192.168.1.0 network.<br clear="none">> > <br clear="none">> > I configured masquerading on the "external vm" and tried to ping the<br clear="none">> > outside world from the "internal" vm as per something like this<br clear="none">> > <a shape="rect" href="https://kifarunix.com/configure-ubuntu-20-04-as-linux-router/?unapproved=49" target="_blank">https://kifarunix.com/configure-ubuntu-20-04-as-linux-router/?unapproved=49</a><br clear="none">> > 571&moderation-hash=b5168c04420557dcdc088994ffa4bdbb#comment-49571<br clear="none">> > <br clear="none">> > <br clear="none">> > Both VM's were instantiated on the same compute host (I've tried it with<br clear="none">> > them on separate hosts as well).<br clear="none">> > <br clear="none">> > I can see the ping leave using tcpdumps along the way and it makes it all<br clear="none">> > the way back to the internal interface on the external machine. It just<br clear="none">> > fails on the last hop to the internal machine. I've tried everything in my<br clear="none">> > power to find why this won't work so I would be grateful for any advice at<br clear="none">> > all. I have added the below to show how I followed the ping manually and<br clear="none">> > where it went and when it failed. Thank you in advance.<br clear="none">> > <br clear="none">> > Following the ping from source to destination and back:<br clear="none">> > Generated on the private VM<br clear="none">> > sent to the internal interface on the external vm<br clear="none">> > sent to the external interface on the external vm<br clear="none">> > sent to the tap interface on the compute<br clear="none">> > sent to the physical nic on the compute<br clear="none">> > sent to the nic on the network device out to the internet<br clear="none">> > <br clear="none">> > received on nic on the network devicefrom the internet<br clear="none">> > received on physical nic on the compute<br clear="none">> > received on tap interface on compute<br clear="none">> > received on external interface on the external vm<br clear="none">> > received on the internal interface on the external vm<br clear="none">> > NEVER gets to last step on the internal vm<br clear="none">> > <br clear="none">> > Regards,<br clear="none">> > Derek</div><br clear="none"><br clear="none"><br clear="none"><br clear="none">-- <br clear="none">Slawek Kaplonski<br clear="none">Principal Software Engineer<br clear="none">Red Hat</div></div>
</div>
</div></body></html>