<div dir="ltr">Hi James,<div><br></div><div>1. Yes</div><div>2. Internal instance can ping router internal gateway.</div><div>3. Where can I check it?</div><div>4. Yes</div><div>5. Can't ping to outside</div><div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-06 8:25 GMT+08:00 James Denton <span dir="ltr"><<a href="mailto:james.denton@rackspace.com" target="_blank">james.denton@rackspace.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div dir="auto">
<div>Hi Wilson,</div>
<div><br>
</div>
<div>Can you clarify a couple of things here?</div>
<div><br>
</div>
<div>- Does each tenant have their own router in front of their respective instance?</div>
<div><br>
</div>
<div>- Have you confirmed connectivity to the admin instance from the router namespace? </div>
<div><br>
</div>
<div>- Can you verify the dnat/snat entries for the admin instance exist in iptables in the router namespace?</div>
<div><br>
</div>
<div>- Have you verified the instance got its fixed IP from DHCP?</div>
<div><br>
</div>
<div>- Have you tried consoling to the instance and verifying outbound connectivity?</div>
<div><br>
</div>
<div>If you can, start with some simple connectivity verifications with the namespaces and work your way out from there. Also, your screenshots didn't come through, so if you can post the CLI output somewhere that would be helpful.</div>
<div><br>
</div>
<div>James</div>
<div><br>
Sent from my iPhone</div><div><div class="h5">
<div><br>
On Jun 4, 2015, at 10:18 PM, Wilson Kwok <<a href="mailto:leiw324@gmail.com" target="_blank">leiw324@gmail.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<p dir="ltr">Can anyone help?</p>
<div class="gmail_quote">On 2015/5/29 at 10:39 AM, "Wilson Kwok" <<a href="mailto:leiw324@gmail.com" target="_blank">leiw324@gmail.com</a>> wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Ok</p>
<div class="gmail_quote">On 2015/5/28 at 6:24 PM, "Remo Mattei" <<a href="mailto:Remo@italy1.com" target="_blank">Remo@italy1.com</a>> wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">
<div>Nope. <br>
<br>
Sent from iPhone</div>
<div><br>
On 28 May 2015, at 02:04, Wilson Kwok <<a href="mailto:leiw324@gmail.com" target="_blank">leiw324@gmail.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<p dir="ltr">Hello all,</p>
<p dir="ltr">Has anyone seen my attached screenshots?</p>
<p dir="ltr">Thanks</p>
<div class="gmail_quote">On 2015/5/27 at 11:14 AM, "Wilson Kwok" <<a href="mailto:leiw324@gmail.com" target="_blank">leiw324@gmail.com</a>> wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hello all,
<div><br>
</div>
<div>Please see the attached zip of screenshots; you will see what my problem is.</div>
<div><br>
</div>
<div>Thanks for your help!</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-05-27 1:15 GMT+08:00 Remo Mattei <span dir="ltr"><<a href="mailto:remo@italy1.com" target="_blank">remo@italy1.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">Just a quick note, each tenant has its own default security group rules. So I would double check and make sure your admin does have those rules set. If it works with Demo it has to work with admin.<span><font color="#888888">
<div><br>
</div>
</font></span>
<div><span><font color="#888888">Remo </font></span>
<div>
<div><br>
<div>
<blockquote type="cite">
<div>On May 26, 2015, at 09:03, Wilson Kwok <<a href="mailto:leiw324@gmail.com" target="_blank">leiw324@gmail.com</a>> wrote:</div>
<br>
<div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
Hi Yair,</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
 </div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
I just tried something:</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
 </div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
1. I created a Peter account and added it to the Demo project; I can access Peter's VM from an external network PC via floating IP.</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
2. Admin account router account floating IP is 172.28.0.163, I can ping it, but I can't access Admin's VM floating IP 172.128.0.164 from external network PC (Security Group allows ICMP and SSH)</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
3. Demo account with no problem.</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
 </div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
I created the public network with keystone admin; please see the result of neutron net-show public below:</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
 </div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
[root@localhost ~(keystone_admin)]# neutron net-show public<br>
+---------------------------+--------------------------------------+<br>
| Field                     | Value                                |<br>
+---------------------------+--------------------------------------+<br>
| admin_state_up            | True                                 |<br>
| id                        | 6145669e-4688-40a6-b878-aaa2f9cb26c6 |<br>
| mtu                       | 0                                    |<br>
| name                      | public                               |<br>
| provider:network_type     | vxlan                                |<br>
| provider:physical_network |                                      |<br>
| provider:segmentation_id  | 10                                   |<br>
| router:external           | True                                 |<br>
| shared                    | True                                 |<br>
| status                    | ACTIVE                               |<br>
| subnets                   | 65c1896c-0bc6-4b00-b89b-57f2677b3219 |<br>
| tenant_id                 | e67ef147ee074f83bdab0da903f0cdd3     |<br>
+---------------------------+--------------------------------------+<br>
</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
and keystone tenant-list command:</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
 </div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
[root@localhost ~(keystone_admin)]# keystone tenant-list<br>
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.<br>
  'python-keystoneclient.', DeprecationWarning)<br>
+----------------------------------+----------+---------+<br>
|                id                |   name   | enabled |<br>
+----------------------------------+----------+---------+<br>
| e67ef147ee074f83bdab0da903f0cdd3 |  admin   |   True  |<br>
| 24f9a6c52a1d471a8e7dc0f8fde32ced |   demo   |   True  |<br>
| 64c18def585e45e39b5e4ec161e18633 | services |   True  |<br>
| 80f0de3f19bf4c699938b54288d1ede8 |   test   |   True  |<br>
+----------------------------------+----------+---------+<br>
</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
Thanks for your help!</div>
<div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<br>
 </div>
<div class="gmail_quote" style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
2015-05-26 18:32 GMT+08:00 Yair Fried<span> </span><span dir="ltr"><<a href="mailto:yfried@redhat.com" target="_blank">yfried@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
Hi,<br>
From<span> </span><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1163726#c3" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1163726#c3</a><br>
<br>
<snip><br>
By marking a network as "external" you are actually sharing it among all other tenants to be used as default GW and a source for floating IPs.<br>
<br>
Marking a network as "shared" is allowing other tenants to connect VMs (and not router GWs) directly to the network.<br>
<br>
Marking an external network as "shared" would allow VMs of all tenants to connect to a network as well as pull floating ips from it (via router GW). While this is possible in Neutron, it is also redundant, as with the case above - There isn't much sense in
 pulling a floating IP from a network that you can connect to directly.<br>
</snip><br>
<br>
please provide the relevant output from:<br>
$ neutron net-show <external net><br>
$ keystone tenant-list<br>
<br>
Without this output it seems like the network was created by non-admin tenant/user which shouldn't allow its floating IPs to be consumed by other tenants. I've never tried to do that, so I'm not sure if this is a legitimate operation and if so, how such network
 should behave.<br>
<br>
The ideal flow is:<br>
1. Admin creates an external network (usually called "public") in its own tenant.<br>
2. Users (in their own tenants) create private networks and VMs attached to them.<br>
3. Users create routers connecting their private networks ("router-interface-add") to the external ("public") network ("router-gateway-set").<br>
*** At this point, VMs should be able to access the outside world via NAT.<br>
4. Now users can allocate floating IPs to their VMs (only those VMs that are connected to the external network via routers).<br>
<br>
Please let me know if this is unclear<br>
Regards<br>
<span>Yair</span></blockquote>
</div>
</div>
</blockquote>
</div>
<br>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div></div><blockquote type="cite">
<div><span>_______________________________________________</span><span class=""><br>
<span>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><br>
<span>Post to     : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a></span><br>
<span>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><br>
</span></div>
</blockquote>
</div>

</blockquote></div><br></div>
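<div>Added example, not part of the thread above: one way to do the DNAT/SNAT check James asks about, by auditing the NAT table dumped from the router namespace for a single floating IP. It assumes the Neutron L3 agent chain names <code>neutron-l3-agent-PREROUTING</code> and <code>neutron-l3-agent-float-snat</code>; the rules and addresses are a constructed sample and <code>&lt;router-uuid&gt;</code> is a placeholder.</div>

```shell
#!/bin/sh
# Added example: audit the NAT rules for one floating IP in a Neutron router
# namespace. On a network node the rules would come from something like
#   ip netns exec qrouter-<router-uuid> iptables-save -t nat
# (<router-uuid> is a placeholder). A constructed sample is embedded here so
# the script runs offline; addresses are documentation ranges, not the thread's.
SAMPLE_RULES='*nat
-A neutron-l3-agent-OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
-A neutron-l3-agent-PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 10.0.0.6
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
COMMIT'

# check_fip_nat RULES FIP
# Exit status: 0 = inbound DNAT and matching outbound SNAT both present,
#              1 = no DNAT rule for FIP (inbound traffic is never translated),
#              2 = DNAT present but no SNAT from the same fixed IP back to FIP.
check_fip_nat() {
    printf '%s\n' "$1" | awk -v fip="$2" '
        # Return the argument following option "name" on the current rule.
        function opt(name,   i) { for (i = 1; i < NF; i++) if ($i == name) return $(i + 1); return "" }
        $1 != "-A" { next }   # skip table header, COMMIT, counters
        $2 == "neutron-l3-agent-PREROUTING" && opt("-j") == "DNAT" && opt("-d") == (fip "/32") {
            fixed = opt("--to-destination")
        }
        $2 == "neutron-l3-agent-float-snat" && opt("-j") == "SNAT" && opt("--to-source") == fip {
            src = opt("-s")
        }
        END {
            if (fixed == "") { print fip ": no DNAT rule in PREROUTING"; exit 1 }
            if (src != (fixed "/32")) { print fip ": DNAT to " fixed " but no matching SNAT"; exit 2 }
            print fip ": DNAT to " fixed ", SNAT from " src
        }'
}

# Stand-alone run against the constructed sample.
check_fip_nat "$SAMPLE_RULES" 203.0.113.10
```

A floating IP that answers from inside the namespace but fails this check points at the L3 agent not having programmed the association; one that passes moves the search on to security group rules and the instance itself.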