[neutron] Floating ips instances not appear in tcpdump
Hello,

I have a multinode OpenStack cloud installed on Ubuntu machines following the official guides, without extra settings. I have realised that all the incoming traffic to my instances with floating IPs has the same source IP (the controller node's IP address). Could anyone help me to understand this behaviour? I would like the source IP address to remain, because I am interested in filtering traffic, and it's currently impossible. It seems that my controller node is changing the original IP of the packets.

Thanks in advance,
Regards
Which official guides did you use to deploy?

-Stephen

From: Cristina Mayo <admin@gsic.uva.es>
Sent: Thursday, November 19, 2020 6:01 AM
To: openstack-discuss@lists.openstack.org
Subject: [neutron] Floating ips instances not appear in tcpdump
On Thu, 2020-11-19 at 17:31 +0000, Stephen Medina wrote:
> Which official guides did you use to deploy?

Assuming it's the install guide, this would result in a Linux bridge deployment.

In both the Linux bridge and ML2/OVS cases floating IPs are implemented using iptables masquerade/DNAT rules; that is likely why the source IP is being rewritten. https://www.rdoproject.org/networking/networking-in-too-much-detail/#network... covers this. That said, it is rather old, so ignore the quantum names; it still works the same, more or less, unless you are using OVN, in which case it's similar but done with OpenFlow.

The important line is

-A quantum-l3-agent-PREROUTING -d 172.24.4.228/32 -j DNAT --to-destination 10.1.0.2

which maps the 172.24.4.228/32 floating IP to the 10.1.0.2 fixed IP, although I thought that maintained the original source IP. The

-A quantum-l3-agent-float-snat -s 10.1.0.2/32 -j SNAT --to-source 172.24.4.228

rule is what maps the reply packet from the private fixed IP to the public floating IP.

So unless there is a bug, when you tcpdump in the guest the source IP of the received packets should be the IP of the original client, e.g. your laptop, but the destination IP should be the private fixed IP, e.g. 10.1.0.2 in this case. If you tcpdump on your laptop, the source IP of the reply should be the floating IP and the destination IP should be your laptop's.
I'm using the installation guides with the self-service network option (that includes the ML2 plugin and the Linux bridge agent): https://docs.openstack.org/neutron/train/install/install-ubuntu.html

What I mean is, for example, if I have an Apache server running on an instance with a public IP address (floating IP): when I access that Apache server from whatever external network and I capture the traffic on the instance, all packets come from the same IP. I supposed that the controller node is retransmitting the packets and putting its IP address on them.

I captured some packets with tcpdump in this OpenStack instance with a public IP (floating IP), for example 172.24.4.228/32, and I have a controller node with a public IP, for example 172.24.4.100/32. The traces of traffic are something like this, but they should have other external source IPs:

# tcpdump tcp and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens7, link-type EN10MB (Ethernet), capture size 262144 bytes
13:21:17.272668 IP 172.24.4.100.49718 > 172.24.4.228.https: Flags [S], seq 3072401769, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 911923475 ecr 0,sackOK,eol], length 0
13:21:17.272787 IP 172.24.4.228.https > 172.24.4.100.49718: Flags [S.], seq 678353364, ack 3072401770, win 64308, options [mss 1410,sackOK,TS val 246556960 ecr 911923475,nop,wscale 7], length 0
13:21:17.273556 IP 172.24.4.100.49718 > 172.24.4.228.https: Flags [.], ack 1, win 2053, options [nop,nop,TS val 911923476 ecr 246556960], length 0

So, I can't filter the traffic (in this case HTTP/HTTPS) received in the OpenStack instance because all of it has the same IP address. The only way I can see the original IPs is by capturing packets on the controller node. I don't have a lot of experience and I'd like to understand it. I hope I have explained it better than before.
On Fri, 2020-11-20 at 11:41 +0100, Cristina Mayo wrote:
> I'm using the installation guides with the self-service network option (that includes the ML2 plugin and the Linux bridge agent): https://docs.openstack.org/neutron/train/install/install-ubuntu.html What I mean is, for example, if I have an Apache server running on an instance with a public IP address (floating IP): when I access that Apache server from whatever external network and I capture the traffic on the instance, all packets come from the same IP.

That is not how neutron should work by default. It sounds like you have set up a NAT on the external interface. How did you connect the external interface to the outside world? Normally you would create a neutron external network and attach your tenant's router to that network. You would then configure the subnet of that external network on your infrastructure router, assigning your physical router the gateway IP address of the network.

Basically, did you NAT the traffic to the host (https://www.rdoproject.org/networking/networking-in-too-much-detail/#network...), e.g. something like this:

# ip addr add 172.24.4.225/28 dev br-ex
# iptables -A FORWARD -d 172.24.4.224/28 -j ACCEPT
# iptables -A FORWARD -s 172.24.4.224/28 -j ACCEPT
# iptables -t nat -I POSTROUTING 1 -s 172.24.4.224/28 -j MASQUERADE

or did you add the interface to the bridge like this:

# ovs-vsctl add-port br-ex eth2

That is how you would do it for OVS, but for Linux bridge it's similar. https://docs.openstack.org/install-guide/launch-instance-networks-provider.h... describes how to configure a provider network with Linux bridge.

My best guess is that you have assigned the external network gateway IP to the OpenStack controller with IP 172.24.4.100, and that is NATing the traffic.
participants (3)
- Cristina Mayo
- Sean Mooney
- Stephen Medina