<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:"Trebuchet MS";
        panose-1:2 11 6 3 2 2 2 2 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Consolas","serif";}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:988828764;
        mso-list-template-ids:984674494;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks so much for the info. The command ‘iptables -t filter -I FORWARD -i qbr+ -o qbr+ -j ACCEPT’ helped. However, it’s temporary. After I issued this command, I was able to ping from vm1 to vm2. After about 10 mins, I could not ping again. How do I make this rule permanent?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m using Ubuntu LTS 12.04.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>YuLing<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> ppyy@juyide.com [mailto:ppyy@juyide.com] <b>On Behalf Of </b>??<br><b>Sent:</b> Saturday, June 15, 2013 2:21 AM<br><b>To:</b> C, Yuling<br><b>Cc:</b> openstack@lists.launchpad.net<br><b>Subject:</b> Re: [Openstack] [openstack] how to configure quantum so that two private network can ping each other?<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Which OS do you use?<o:p></o:p></p><div><p 
class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If you use RDO on RHEL, please refer to:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_OpenStack/3/html/Release_Notes/ch03.html">https://access.redhat.com/site/documentation//en-US/Red_Hat_OpenStack/3/html/Release_Notes/ch03.html</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div style='margin-bottom:.05in'><p class=MsoNormal style='line-height:13.5pt;vertical-align:baseline'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'>When the </span><code><b><span style='font-size:10.0pt;color:#333333;border:none windowtext 1.0pt;padding:0in'>openvswitch</span></b></code><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'> quantum plugin is used, and Nova is configured with<o:p></o:p></span></p></div><pre style='line-height:13.5pt;background:whitesmoke;vertical-align:baseline'><span style='font-size:11.0pt;color:black'>libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver<o:p></o:p></span></pre><div style='margin-bottom:.05in'><p class=MsoNormal style='line-height:13.5pt;vertical-align:baseline'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'>the necessary forwarding rules are not created automatically and the Red Hat Enterprise Linux firewall blocks forwarding of network traffic. 
Hence traffic between VMs located on different compute nodes is blocked.<o:p></o:p></span></p></div><div style='margin-bottom:.05in'><p class=MsoNormal style='line-height:13.5pt;vertical-align:baseline'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'>Workarounds to avoid blocking traffic between VMs located on different compute nodes:<o:p></o:p></span></p></div><div><div style='margin-bottom:.05in'><p class=MsoNormal style='margin-left:0in;text-indent:-.25in;line-height:13.5pt;mso-list:l0 level1 lfo1;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'>If using nova security groups, add the following </span><code><b><span style='font-size:10.0pt;color:#333333;border:none windowtext 1.0pt;padding:0in'>iptables</span></b></code><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'> rule on each compute node:<o:p></o:p></span></p><pre style='line-height:13.5pt;background:whitesmoke;vertical-align:baseline'><code><b><span style='font-size:9.0pt;color:black;border:none windowtext 1.0pt;padding:0in'>#</span></b></code><span style='font-size:9.0pt;color:black'> iptables -t filter -I FORWARD -i qbr+ -o qbr+ -j ACCEPT<o:p></o:p></span></pre><pre style='line-height:13.5pt;background:whitesmoke;vertical-align:baseline'><code><b><span style='font-size:9.0pt;color:black;border:none windowtext 1.0pt;padding:0in'>#</span></b></code><span style='font-size:9.0pt;color:black'> <code><b><span style='border:none windowtext 1.0pt;padding:0in'>service iptables save</span></b></code><o:p></o:p></span></pre></div><div style='margin-bottom:.05in'><p class=MsoNormal style='line-height:13.5pt;vertical-align:baseline'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'>Either reboot, or restart </span><code><b><span style='font-size:10.0pt;color:#333333;border:none windowtext 1.0pt;padding:0in'>nova-compute</span></b></code><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'> after adding this rule, since the rules </span><code><b><span style='font-size:10.0pt;color:#333333;border:none windowtext 1.0pt;padding:0in'>nova-compute</span></b></code><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'> adds at startup must precede this rule.<o:p></o:p></span></p></div><div style='margin-bottom:.05in'><p class=MsoNormal style='margin-left:0in;text-indent:-.25in;line-height:13.5pt;mso-list:l0 level1 lfo1;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#333333'>If not using Nova security groups, an alternative solution is to set:<o:p></o:p></span></p></div><pre style='line-height:13.5pt;background:whitesmoke;vertical-align:baseline'><span style='font-size:9.0pt;color:black'>libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchVirtualPortDriver<o:p></o:p></span></pre></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>2013/6/15 &lt;<a href="mailto:Yuling_C@dell.com" target="_blank">Yuling_C@dell.com</a>&gt;<o:p></o:p></p><p class=MsoNormal> Hi All,<br><br>From the OpenStack documentation, it seems that we need to create routers in order to have two private networks ping each other. 
However, I followed the instruction on the website <a href="http://docs.openstack.org/trunk/openstack-network/admin/content/l3_workflow.html" target="_blank">http://docs.openstack.org/trunk/openstack-network/admin/content/l3_workflow.html</a>, but still could not get the ping working through two private networks.<br><br>Here is what I did:<br><br>1. I'm using the Vlan mode for OVS network type.<br>2. I created one network net1 in one subnet.<br>3. I created another network net2 in another subnet.<br>4. I created a router and attached the two subnet interfaces to the router.<br>5. I created two VM instances on net1 and net2 respectively.<br>6. However, I still was not able to ping from vm1 to vm2.<br><br>Any idea?<br><br>Thanks,<br><br>YuLing<br>_______________________________________________<br>Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>Post to     : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><o:p></o:p></p></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><p class=MsoNormal>Peng Yong<o:p></o:p></p></div></div></div></div></body></html>