[Openstack] Instances do not have access to internet

Imran Khakoo imran.khakoo at netronome.com
Thu Sep 29 10:07:19 UTC 2016


Hi there,
I deleted all the rules and added them back one by one, seeing if each
change suddenly allowed connectivity. No improvement, unfortunately.

My current rules:
Direction  Ether Type  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group
Ingress    IPv4        ICMP         Any         0.0.0.0/0         -
Egress     IPv4        ICMP         Any         0.0.0.0/0         -
Ingress    IPv4        TCP          1 - 65535   0.0.0.0/0         -
Egress     IPv4        TCP          1 - 65535   0.0.0.0/0         -
Ingress    IPv4        TCP          1 - 65535   -                 default
Egress     IPv4        TCP          1 - 65535   -                 default

Going back to my instances, pinging Google:

ubuntu@throwaway:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.0.1 icmp_seq=17 Destination Net Unreachable
From 10.10.0.1 icmp_seq=18 Destination Net Unreachable


ubuntu@throwaway:~$ ip route
default via 10.10.0.1 dev eth0
10.10.0.0/16 dev eth0  proto kernel  scope link  src 10.10.0.4
169.254.169.254 via 10.10.0.1 dev eth0

ubuntu@throwaway:~$ ip neigh
10.10.0.2 dev eth0 lladdr fa:16:3e:d7:e1:d5 STALE
10.10.0.1 dev eth0 lladdr fa:16:3e:7c:cf:b1 REACHABLE
10.10.0.3 dev eth0 lladdr fa:16:3e:13:c8:8b STALE

So the gateway is 10.10.0.1 and the VM can reach it, but it somehow can't
route to 8.8.8.8. Looking at my openstack router, I notice that it doesn't
have a public IP address, only an internal one.

Name             Fixed IPs  Status  Type                Admin State
(af24a36f-6790)  10.10.0.1  Active  Internal Interface  UP

<http://10.1.1.147/project/networks/ports/af24a36f-6790-4024-8ee2-b4fbbcb856ba/detail>

From other advice I received, the router should have both a public
interface and a private one. So when I try to add a public interface, it
requires me to first add a subnet.

So I'm guessing I should be creating a subnet on the ext_net, in order to
attach the external interface to it. I get the following error:
Error: Failed to create subnet "172.26.1.0/24" for network "None": The
resource could not be found. Neutron server returns request_ids:
['req-0e2edc22-c6a8-4038-89fd-26feb25393c6']




On Wed, Sep 28, 2016 at 7:23 PM, Turbo Fredriksson <turbo at bayour.com> wrote:

> On Sep 28, 2016, at 5:32 PM, Imran Khakoo wrote:
>
> > I did add this rule to default security group, that was the first thing
> > before I even launched an instance.
>
> Yeah, that should have done it.
>
> > Egress  IPv4 Any  Any         0.0.0.0/0 -
> > Egress  IPv4 ICMP Any         -         default
> > Egress  IPv4 TCP   80 (HTTP)  -         default
> > Egress  IPv4 TCP  443 (HTTPS) -         default
> > Ingress IPv4 Any  Any         -         default
> > Ingress IPv4 ICMP Any         0.0.0.0/0 -
> > Ingress IPv4 TCP  22 (SSH)    0.0.0.0/0 -
>
> What strikes me is the sixth column. It is/should be the "Remote Security
> Group" column.
>
> I'm a little unsure on how to use that, but if all those rules come from
> the 'default' security group, then you'll probably end up with a loop
> or something..
>
>
> But because of the two Any/Any rules, you would not need the 80/443 rules.
> Nor the 22 one.
> --
> Life sucks and then you die
>
>