Hey guys,<div><br></div><div>Ignore this q. I didn't really have my head around how Openstack works and I think I get it now. </div><div><br></div><div>Thanks for all your help.</div><div><br></div><div> -- joe.</div><div>
<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 12 November 2012 10:12, Joe Warren-Meeks <span dir="ltr"><<a href="mailto:joe.warren.meeks@gmail.com" target="_blank">joe.warren.meeks@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Vish et al.<div><br></div><div>I still can't make head nor tail of it. ICMP works in both directions fine, but when I try to ssh out from the VM (even with the dmz_cidr flags) the SYN gets through un-snatted ok, then my desktop SYN-ACKs back, but the virt never gets to see it. Instead, the snat layer sends a RST.</div>
<div><br></div><div>I don't want any NAT at all. I just want the virts bridged on to the VLAN. Is there a way to do that?</div><div><br></div><div>Kind regards</div><span class="HOEnZb"><font color="#888888"><div><br>
</div><div> -- joe.</div></font></span><div class="HOEnZb"><div class="h5"><div><br></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On 9 November 2012 19:56, Vishvananda Ishaya <span dir="ltr"><<a href="mailto:vishvananda@gmail.com" target="_blank">vishvananda@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">What is the ip address of your workstation? You may be running into something similar to this issue:<div><br></div><div><a href="http://lists.openstack.org/pipermail/openstack-dev/2012-September/001212.html" target="_blank">http://lists.openstack.org/pipermail/openstack-dev/2012-September/001212.html</a></div>
<div><br></div><div>I suspect either:</div><div><br></div><div>a) Traffic not getting snatted when it should. This is usually due to overlapping ranges between your internal network and fixed_range</div><div><br></div><div>
this would be fixed by limiting fixed_range in your config file to just the instances range: (fixed_range=<a href="http://10.0.41.0/24" target="_blank">10.0.41.0/24</a> ?)</div><div><br></div><div>or</div><div><br></div>
<div>
b) Traffic getting snatted when it shouldn't. This is usually because your workstation ip is on an ip that is internally routable but not routable from the external network of the compute host, so it can't get back to the snatted ip</div>
<div><br></div><div>this is fixed by stopping snatting to the workstation by setting dmz_cidr to a value that includes your workstation network: (dmz_cidr=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> ?)</div>
<div><br></div><div>Vish</div><div><br><div><div><div><div>On Nov 9, 2012, at 9:14 AM, Joe Warren-Meeks <<a href="mailto:joe.warren.meeks@gmail.com" target="_blank">joe.warren.meeks@gmail.com</a>> wrote:</div>
<br></div></div><blockquote type="cite"><div><div>Hi all,<div><br></div><div>I've managed to get Openstack pretty much up and running as I wanted it. I do have, however, a rather strange networking issue.</div>
<div><br></div><div>I created the network with</div><div>nova-manage network create --fixed_range_v4=<a href="http://10.0.41.0/24" target="_blank">10.0.41.0/24</a> --num_networks=1 --bridge=br41 --bridge_interface=eth0 --label=development --gateway=10.0.41.1 --dns1=10.0.0.2 --vlan=41 --project_id=XXXXXXX<br>
</div><div><br></div><div>And i can boot instances fine. I've configured the default security group to allow port 22, 80 and ICMP -1 in and I can ping from my work station to the virtual instance ok:</div><div><br></div>
<div><div>joe@kaneda:~$ ping 10.0.41.3</div><div>PING 10.0.41.3 (10.0.41.3) 56(84) bytes of data.</div><div>64 bytes from <a href="http://10.0.41.3/" target="_blank">10.0.41.3</a>: icmp_req=1 ttl=63 time=1.18 ms</div></div>
<div><br></div>
<div>And i can ping from the virt back too:</div><div><div>ubuntu@test:~$ ping 10.0.0.240</div><div>PING 10.0.0.240 (10.0.0.240) 56(84) bytes of data.</div><div>64 bytes from <a href="http://10.0.0.240/" target="_blank">10.0.0.240</a>: icmp_req=1 ttl=64 time=0.713 ms</div>
</div><div><br></div><div><br></div><div>I can SSH out from the virt to a host in the outside world fine:</div><div><div>ubuntu@test:~$ ssh joe@XXXXX</div><div>joe@XXXXXX password: </div></div><div><div>-bash: fortune: command not found</div>
<div>joe@dixon:~ $ </div></div><div><br></div><div>BUT I can't ssh from the virt to my workstation, nor from my workstation to the Virt. Neither does http work.</div><div><br></div><div>What I am seeing in Tcpdump is a lot of incorrect cksums. This happens with all Tcp connections. </div>
<div><br></div><div><div>17:12:38.539784 IP (tos 0x0, ttl 64, id 53611, offset 0, flags [DF], proto TCP (6), length 60)</div><div> 10.0.0.240.56791 > 10.0.41.3.22: Flags [S], cksum 0x3e21 (incorrect -> 0x6de2), seq 2650163743, win 14600, options [mss 1460,sackOK,TS val 28089204 ecr 0,nop,wscale 6], length 0</div>
</div><div><br></div><div><br></div><div><div>17:12:38.585279 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)</div><div> 10.0.41.3.22 > 10.0.0.240.56791: Flags [S.], cksum 0x3e21 (incorrect -> 0xe5c5), seq 1530502549, ack <a href="tel:3098447117" value="+13098447117" target="_blank">3098447117</a>, win 14480, options [mss 1460,sackOK,TS val 340493 ecr 28089204,nop,wscale 3], length 0</div>
</div><div><br></div><div>Anyone come across this before?</div><div><br></div><div> -- joe.</div><div><br></div></div></div>
_______________________________________________<br>Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</blockquote></div><br></div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>