<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>Sorry for the delay, it was a busy day.<br></div>I'm missing a step here: are you able to ping all 3 compute nodes from a VM inside one of them, or can you ping for each VM only the corresponding node?<br>
</div>Can you now paste the output of:<br></div>ip addr list on hypervisor and VM<br></div>route -n on hypervisor and VM<br></div>brctl show on hypervisor<br></div>iptables -L -nv on hypervisor<br></div>iptables -L -nv -t nat on hypervisor<br>
</div><div>(I'm trying to avoid tracking traffic with tcpdump for now, but it'll be the next step if we cannot find the problem this way)<br><br></div>Do you have a standard iptables or do you have some custom rules? Also, what OS are the hypervisors running on?<br>
</div>Thanks,<br></div> Stefano<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jan 8, 2013 at 12:10 PM, Umar Draz <span dir="ltr"><<a href="mailto:unix.co@gmail.com" target="_blank">unix.co@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Hi Stefano,</div><div> </div><div>No luck, still the same.</div><div> </div><div>I can ping all 3 compute nodes</div><div>
</div><div>192.168.1.133</div><div>192.168.1.134</div><div>192.168.1.135</div><div> </div><div>from any virtual machine, but I cannot ping 192.168.1.136, another Linux machine on the local network.</div>
<div> </div><div>Best Regards,</div><div> </div><div>Umar<br><br></div><div class="HOEnZb"><div class="h5"><div class="gmail_quote">On Tue, Jan 8, 2013 at 2:56 AM, Stefano Zanella <span dir="ltr"><<a href="mailto:zanella.stefano@gmail.com" target="_blank">zanella.stefano@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div dir="ltr"><div><div><div><div><div>I think there's a mismatch here between configuration and intended behavior; I'm sorry not to have detected it before.<br>
With your configuration, you're bridging (Layer 2) two different networks (Layer 3). They cannot communicate if not properly routed or masqueraded.<br>
<br></div><div>Do you need to NAT VMs directly with public IPs? If not, I'd suggest you change the configuration as follows:<br># NETWORK<br></div>network_manager=nova.network.manager.FlatDHCPManager<br><div>force_dhcp_release=True<br>
dhcpbridge_flagfile=/etc/nova/nova.conf<br>my_ip=6x.1x.84.132<br>public_interface=eth1<br>flat_network_bridge=br100<br>fixed_range=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a></div><br></div>This way, nova-network will set up NAT between <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> and <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> and you should be able to reach your LAN. Then, if you want to reach machines inside the VMs' private network, you could add a floating IP range and assign them to VMs.<br>
</div>Hope this could solve the problem.<br></div>Regards,<br></div> Stefano<br></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 7, 2013 at 9:14 PM, Umar Draz <span dir="ltr"><<a href="mailto:unix.co@gmail.com" target="_blank">unix.co@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div>I did this on compute<br></div><div><a href="mailto:root@compute1" target="_blank">root@compute1</a>:~# echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter</div>
<p>and the result from vm</p><div><a href="mailto:root@vm" target="_blank">root@vm</a>:~# ping 192.168.1.134</div>
<div><br>PING 192.168.1.134 (192.168.1.134) 56(84) bytes of data.<br>From 10.0.0.2 icmp_seq=1 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=2 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=3 Destination Host Unreachable<br>
From 10.0.0.2 icmp_seq=4 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=5 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=6 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=7 Destination Host Unreachable<br>
From 10.0.0.2 icmp_seq=8 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=9 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=10 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=11 Destination Host Unreachable<br>
From 10.0.0.2 icmp_seq=12 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=13 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=14 Destination Host Unreachable<br>From 10.0.0.2 icmp_seq=15 Destination Host Unreachable<br>
</div><div>Best Regards,</div><div> </div><div>Umar<br><br></div><div><div><div class="gmail_quote">On Tue, Jan 8, 2013 at 1:02 AM, Stefano Zanella <span dir="ltr"><<a href="mailto:zanella.stefano@gmail.com" target="_blank">zanella.stefano@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div dir="ltr"><div><div><div>Can you try to set rp_filter to 0? I needed to disable it today, otherwise I was facing a problem similar to yours.<br>
</div>Try to ping with rp_filter disabled, let's see if we can resolve the problem that way.<br>
</div>Regards,<br></div> Stefano<br></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 7, 2013 at 8:57 PM, Umar Draz <span dir="ltr"><<a href="mailto:unix.co@gmail.com" target="_blank">unix.co@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div><div>Hi</div><div> </div><div>Here is the result</div>
<div> </div></div><div><a href="mailto:root@compute1" target="_blank">root@compute1</a>:~# cat /proc/sys/net/ipv4/ip_forward<br>
1</div><div><br><a href="mailto:root@compute1" target="_blank">root@compute1</a>:~# cat /proc/sys/net/ipv4/conf/default/rp_filter<br>
1</div><div> </div><div><a href="mailto:root@compute1" target="_blank">root@compute1</a>:~# nova secgroup-list-rules default<br></div><div>+-------------+-----------+---------+-----------+--------------+<br>| IP Protocol | From Port | To Port | IP Range | Source Group |<br>
+-------------+-----------+---------+-----------+--------------+<br>| icmp | -1 | -1 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |<br>| tcp | 22 | 22 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |<br>
| tcp | 80 | 80 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |<br>| tcp | 443 | 443 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |<br>
| tcp | 16667 | 16667 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |<br>
+-------------+-----------+---------+-----------+--------------+</div><div><br>Best Regards,</div><div> </div><div>Umar<br></div><div><div><div class="gmail_quote">On Tue, Jan 8, 2013 at 12:52 AM, Stefano Zanella <span dir="ltr"><<a href="mailto:zanella.stefano@gmail.com" target="_blank">zanella.stefano@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div dir="ltr"><div><div><div><div><div>Routing and IP setup look OK. What's the output of<br>
</div> cat /proc/sys/net/ipv4/ip_forward<br></div>and<br> cat /proc/sys/net/ipv4/conf/default/rp_filter<br><br></div>Also, did you set up security groups correctly? What's the output of<br>
nova secgroup-list-rules default<br><br></div><div>You should have set up at least one rule for allowing ICMP traffic.<br></div>Thanks,<br></div> Stefano<br></div><div><div><div class="gmail_extra">
<br><br><div class="gmail_quote">
On Mon, Jan 7, 2013 at 8:39 PM, Umar Draz <span dir="ltr"><<a href="mailto:unix.co@gmail.com" target="_blank">unix.co@gmail.com</a>></span> wrote:<br><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">
<div>Hi</div><div> </div><div>Here is the result</div><div> </div><div>Compute node<br>------------</div><div> </div><div><strong>brctl show</strong></div><div> </div><div>bridge name bridge id STP enabled interfaces<br>
br100 8000.002590976edb no eth1<br> vnet0</div><div><strong>ip addr list</strong></div><div> </div><div>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br> inet <a href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo<br> inet <a href="http://169.254.169.254/32" target="_blank">169.254.169.254/32</a> scope link lo<br>
inet6 ::1/128 scope host<br>
valid_lft forever preferred_lft forever<br>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000<br> link/ether 00:25:90:97:6e:da brd ff:ff:ff:ff:ff:ff<br> inet <a href="http://69.155.84.133/25" target="_blank">69.155.84.133/25</a> brd 85.195.84.255 scope global eth0<br>
inet <a href="http://69.155.84.142/32" target="_blank">69.155.84.142/32</a> scope global eth0<br> inet6 fe80::225:90ff:fe97:6eda/64 scope link<br> valid_lft forever preferred_lft forever<br>3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br100 state UP qlen 1000<br>
link/ether 00:25:90:97:6e:db brd ff:ff:ff:ff:ff:ff<br>4: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP<br> link/ether 00:25:90:97:6e:db brd ff:ff:ff:ff:ff:ff<br> inet <a href="http://10.0.0.3/24" target="_blank">10.0.0.3/24</a> brd 10.0.0.255 scope global br100<br>
inet <a href="http://192.168.1.133/24" target="_blank">192.168.1.133/24</a> brd 192.168.1.255 scope global br100<br> inet6 fe80::225:90ff:fe97:6edb/64 scope link<br> valid_lft forever preferred_lft forever<br>
9: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br100 state UNKNOWN qlen 500<br>
link/ether fe:16:3e:41:0c:2a brd ff:ff:ff:ff:ff:ff<br> inet6 fe80::fc16:3eff:fe41:c2a/64 scope link<br> valid_lft forever preferred_lft forever</div><div><br><strong>route -n</strong></div><div> </div><div>Kernel IP routing table<br>
Destination Gateway Genmask Flags Metric Ref Use Iface<br>0.0.0.0 69.155.84.129 0.0.0.0 UG 0 0 0 eth0<br>10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br100<br>
69.155.84.128 0.0.0.0 255.255.255.128 U 0 0 0 eth1<br>192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br100</div><div> </div><div><strong>virtual machine<br>----------------------<br>
</strong></div><div><strong>ip addr list</strong></div><div> </div><div>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN<br> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br> inet <a href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo<br>
inet6 ::1/128 scope host<br> valid_lft forever preferred_lft forever<br>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000<br> link/ether fa:16:3e:41:0c:2a brd ff:ff:ff:ff:ff:ff<br>
inet <a href="http://10.0.0.2/24" target="_blank">10.0.0.2/24</a> brd 10.0.0.255 scope global eth0<br> inet6 fe80::f816:3eff:fe41:c2a/64 scope link tentative dadfailed<br> valid_lft forever preferred_lft forever</div>
<div> </div>
<div><strong>route -n</strong></div><div> </div><div>Kernel IP routing table<br>Destination Gateway Genmask Flags Metric Ref Use Iface<br>0.0.0.0 10.0.0.3 0.0.0.0 UG 100 0 0 eth0<br>
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br></div><div> </div><div>Best Regards,</div><div> </div><div>Umar<br><br></div><div><div><div class="gmail_quote">On Tue, Jan 8, 2013 at 12:24 AM, Stefano Zanella <span dir="ltr"><<a href="mailto:zanella.stefano@gmail.com" target="_blank">zanella.stefano@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div dir="ltr"><div>Can you please post the output of "ip addr list", "route -n" and "brctl show" on the compute node and the virtual machine? More than a firewall issue, it seems like a routing issue to me.<br>
</div><div>Thanks,<br></div><div> Stefano<br></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 7, 2013 at 7:38 PM, Umar Draz <span dir="ltr"><<a href="mailto:unix.co@gmail.com" target="_blank">unix.co@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div>I think my network configuration is OK.</div><div> </div>
<div>I can ping compute's own IP address 192.168.1.133 from the virtual machine. But I can't access other local machines. </div>
<div> </div><div>I think it's a security firewall issue or needs some routing table?</div>
<div> </div><div><div>Here is the output of ping.</div><div> </div><div><a href="mailto:root@ubuntu-cloud" target="_blank">root@ubuntu-cloud</a># ping 192.168.1.133<br>PING 192.168.1.133 (192.168.1.133) 56(84) bytes of data.<br>
64 bytes from <a href="http://192.168.1.133" target="_blank">192.168.1.133</a>: icmp_req=1 ttl=64 time=0.225 ms<br>
64 bytes from <a href="http://192.168.1.133" target="_blank">192.168.1.133</a>: icmp_req=2 ttl=64 time=0.360 ms<br>64 bytes from <a href="http://192.168.1.133" target="_blank">192.168.1.133</a>: icmp_req=3 ttl=64 time=0.271 ms<br>
</div><div><a href="mailto:root@ubuntu-cloud" target="_blank">root@ubuntu-cloud</a># ping 192.168.1.130<br>
PING 192.168.1.130 (192.168.1.130) 56(84) bytes of data.<br>From <a href="http://10.0.0.3" target="_blank">10.0.0.3</a>: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.130)<br><br>10.0.0.3 is the gateway of the virtual machine, which is the IP of compute's br100</div>
<div> </div><div>Best Regards,</div><div> </div><div>Umar</div><div> </div></div><div><div><div class="gmail_quote">On Mon, Jan 7, 2013 at 11:26 PM, Stefano Zanella <span dir="ltr"><<a href="mailto:zanella.stefano@gmail.com" target="_blank">zanella.stefano@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div dir="ltr"><div class="gmail_extra">If you want to set up DHCP flat networking, maybe this page (and the chapter that contains it) could help:<br>
<a href="http://docs.openstack.org/essex/openstack-compute/admin/content/libvirt-flat-dhcp-networking.html" target="_blank">http://docs.openstack.org/essex/openstack-compute/admin/content/libvirt-flat-dhcp-networking.html</a><br>
<br></div><div class="gmail_extra">Regards,<br></div><div class="gmail_extra"> Stefano<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 7, 2013 at 7:03 PM, Umar Draz <span dir="ltr"><<a href="mailto:unix.co@gmail.com" target="_blank">unix.co@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div>my_ip=6x.1x.84.132<br>public_interface=eth0<br>flat_network_bridge=br100</div>
</blockquote></div><br></div></div>
</blockquote></div><br><br clear="all"><br></div></div><div><div>-- <br>Umar Draz<br>Network Architect
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>
</div></div></blockquote></div><br></div>
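Added example, not part of the thread above: the thread turns off reverse-path filtering by writing 0 to conf/default/rp_filter, but the kernel enforces the maximum of conf/all and the per-interface value, and conf/default only seeds interfaces created afterwards, so existing interfaces such as br100 keep their old setting. The script below reports the effective value per interface; the CONF_ROOT argument and the sample tree (including its conf/all and per-interface values) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the rp_filter value actually enforced per interface.
# CONF_ROOT is a parameter of this example; on a real host it is
# /proc/sys/net/ipv4/conf.

# effective_rp_filter CONF_ROOT IFACE -> prints max(all, IFACE)
effective_rp_filter() {
    root=$1 iface=$2
    all=$(cat "$root/all/rp_filter") || return 1
    own=$(cat "$root/$iface/rp_filter") || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_report [CONF_ROOT] -> one line per interface: "iface value mode"
rp_filter_report() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are knobs, not interfaces.
        case $iface in all|default) continue ;; esac
        eff=$(effective_rp_filter "$root" "$iface") || continue
        case $eff in
            0) mode="off" ;;      # no source validation
            1) mode="strict" ;;   # reply must leave via the arrival interface
            2) mode="loose" ;;    # source must be reachable via any interface
            *) mode="unknown" ;;
        esac
        echo "$iface $eff $mode"
    done
}

# Constructed tree modelled on the thread: "default" was set to 0 after
# br100, eth0, eth1 and vnet0 already existed with the value 1 (assumed).
make_sample_tree() {
    tmp=$(mktemp -d)
    for i in all default br100 eth0 eth1 vnet0; do mkdir -p "$tmp/$i"; done
    echo 0 > "$tmp/all/rp_filter"
    echo 0 > "$tmp/default/rp_filter"
    for i in br100 eth0 eth1 vnet0; do echo 1 > "$tmp/$i/rp_filter"; done
    echo "$tmp"
}

# Demo on the constructed tree; on a hypervisor, call rp_filter_report
# with no argument to read the live values.
sample=$(make_sample_tree)
rp_filter_report "$sample"
rm -rf "$sample"
```

On the constructed tree every interface still reports strict mode even though conf/default is 0, which is why a change meant for one bridge is better written to that interface's own entry and checked with a report like this one.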