<br><div>I should add, that it looks like none of the iptables rules are being setup for the floating IP. It is bound to the right interface in ip addr, but my iptables look as follows:</div><div><br></div><div>(You'll note that 10.0.40.129 is conspicuous by its absence)</div>
<div><br></div><div>Ideas?</div><div><br></div><div><div>Chain INPUT (policy ACCEPT 47238 packets, 20M bytes)</div><div> pkts bytes target prot opt in out source destination </div><div>47393 20M nova-network-INPUT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div>47238 20M nova-compute-INPUT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div>47238 20M nova-api-INPUT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div> 0 0 ACCEPT udp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:53</div><div> 0 0 ACCEPT tcp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:53</div>
<div> 0 0 ACCEPT udp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:67</div><div> 0 0 ACCEPT tcp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:67</div>
<div><br></div><div>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div> 225 18900 nova-filter-top all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div> 208 17472 nova-network-FORWARD all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 nova-compute-FORWARD all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div> 0 0 nova-api-FORWARD all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 ACCEPT all -- * virbr0 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://192.168.122.0/24">192.168.122.0/24</a> state RELATED,ESTABLISHED</div>
<div> 0 0 ACCEPT all -- virbr0 * <a href="http://192.168.122.0/24">192.168.122.0/24</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 ACCEPT all -- virbr0 virbr0 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div> 0 0 REJECT all -- * virbr0 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable</div><div> 0 0 REJECT all -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable</div>
<div><br></div><div>Chain OUTPUT (policy ACCEPT 38296 packets, 23M bytes)</div><div> pkts bytes target prot opt in out source destination </div><div>38667 23M nova-filter-top all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div>38296 23M nova-network-OUTPUT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div>38296 23M nova-compute-OUTPUT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div>38296 23M nova-api-OUTPUT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><br></div><div>Chain nova-api-FORWARD (1 references)</div>
<div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain nova-api-INPUT (1 references)</div><div> pkts bytes target prot opt in out source destination </div>
<div> 0 0 ACCEPT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> 10.0.0.250 tcp dpt:8775</div><div><br></div><div>Chain nova-api-OUTPUT (1 references)</div><div> pkts bytes target prot opt in out source destination </div>
<div><br></div><div>Chain nova-api-local (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain nova-compute-FORWARD (1 references)</div>
<div> pkts bytes target prot opt in out source destination </div><div> 0 0 ACCEPT all -- br41 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div> 0 0 ACCEPT all -- * br41 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><br></div><div>Chain nova-compute-INPUT (1 references)</div>
<div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain nova-compute-OUTPUT (1 references)</div><div> pkts bytes target prot opt in out source destination </div>
<div><br></div><div>Chain nova-compute-inst-2 (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 0 0 DROP all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> state INVALID</div>
<div> 388 37807 ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> state RELATED,ESTABLISHED</div><div> 0 0 nova-compute-provider all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div> 0 0 ACCEPT udp -- * * 10.0.41.1 <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp spt:67 dpt:68</div><div> 0 0 ACCEPT all -- * * <a href="http://10.0.41.0/24">10.0.41.0/24</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
</div><div><div> 0 0 ACCEPT icmp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 ACCEPT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:22</div>
<div> 0 0 ACCEPT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:80</div><div> 0 0 nova-compute-sg-fallback all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div><br></div><div>Chain nova-compute-local (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 388 37807 nova-compute-inst-2 all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> 10.0.41.4 </div>
<div><br></div><div>Chain nova-compute-provider (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain nova-compute-sg-fallback (1 references)</div>
<div> pkts bytes target prot opt in out source destination </div><div> 0 0 DROP all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div><br></div><div>Chain nova-filter-top (2 references)</div><div> pkts bytes target prot opt in out source destination </div><div>38892 23M nova-network-local all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div>38892 23M nova-compute-local all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div>38504 23M nova-api-local all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div><br></div><div>Chain nova-network-FORWARD (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 208 17472 ACCEPT all -- br41 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div>
<div> 0 0 ACCEPT all -- * br41 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 ACCEPT udp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> 10.0.41.2 udp dpt:1194</div>
<div><br></div><div>Chain nova-network-INPUT (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 27 8856 ACCEPT udp -- br41 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:67</div>
<div> 0 0 ACCEPT tcp -- br41 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:67</div><div> 128 8576 ACCEPT udp -- br41 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:53</div>
<div> 0 0 ACCEPT tcp -- br41 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:53</div><div><br></div><div>Chain nova-network-OUTPUT (1 references)</div>
<div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain nova-network-local (1 references)</div><div> pkts bytes target prot opt in out source destination </div>
</div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 9 November 2012 17:14, Joe Warren-Meeks <span dir="ltr"><<a href="mailto:joe.warren.meeks@gmail.com" target="_blank">joe.warren.meeks@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<div><br></div><div>I've managed to get Openstack pretty much up and running as I wanted it. I do have, however, a rather strange networking issue.</div>
<div><br></div><div>I created the network with</div><div>nova-manage network create --fixed_range_v4=<a href="http://10.0.41.0/24" target="_blank">10.0.41.0/24</a> --num_networks=1 --bridge=br41 --bridge_interface=eth0 --label=development --gateway=10.0.41.1 --dns1=10.0.0.2 --vlan=41 --project_id=XXXXXXX<br>
</div><div><br></div><div>And i can boot instances fine. I've configured the default security group to allow port 22, 80 and ICMP -1 in and I can ping from my work station to the virtual instance ok:</div><div><br></div>
<div><div>joe@kaneda:~$ ping 10.0.41.3</div><div>PING 10.0.41.3 (10.0.41.3) 56(84) bytes of data.</div><div>64 bytes from <a href="http://10.0.41.3" target="_blank">10.0.41.3</a>: icmp_req=1 ttl=63 time=1.18 ms</div></div>
<div><br></div>
<div>And i can ping from the virt back too:</div><div><div>ubuntu@test:~$ ping 10.0.0.240</div><div>PING 10.0.0.240 (10.0.0.240) 56(84) bytes of data.</div><div>64 bytes from <a href="http://10.0.0.240" target="_blank">10.0.0.240</a>: icmp_req=1 ttl=64 time=0.713 ms</div>
</div><div><br></div><div><br></div><div>I can SSH out from the virt to a host in the outside world fine:</div><div><div>ubuntu@test:~$ ssh joe@XXXXX</div><div>joe@XXXXXX password: </div></div><div><div>-bash: fortune: command not found</div>
<div>joe@dixon:~ $ </div></div><div><br></div><div>BUT I can't ssh from the virt to my workstation, nor from my workstation to the Virt. Neither does http work.</div><div><br></div><div>What I am seeing in Tcpdump is a lot of incorrect cksums. This happens with all Tcp connections. </div>
<div><br></div><div><div>17:12:38.539784 IP (tos 0x0, ttl 64, id 53611, offset 0, flags [DF], proto TCP (6), length 60)</div><div> 10.0.0.240.56791 > 10.0.41.3.22: Flags [S], cksum 0x3e21 (incorrect -> 0x6de2), seq 2650163743, win 14600, options [mss 1460,sackOK,TS val 28089204 ecr 0,nop,wscale 6], length 0</div>
</div><div><br></div><div><br></div><div><div>17:12:38.585279 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)</div><div> 10.0.41.3.22 > 10.0.0.240.56791: Flags [S.], cksum 0x3e21 (incorrect -> 0xe5c5), seq 1530502549, ack <a href="tel:3098447117" value="+13098447117" target="_blank">3098447117</a>, win 14480, options [mss 1460,sackOK,TS val 340493 ecr 28089204,nop,wscale 3], length 0</div>
</div><div><br></div><div>Anyone come across this before?</div><span class="HOEnZb"><font color="#888888"><div><br></div><div> -- joe.</div><div><br></div>
</font></span></blockquote></div><br></div>