Unable to access Internet from an instance and accessing instance using floating-point IPs from external network

Eugen Block eblock at nde.ag
Fri Dec 2 10:36:02 UTC 2022 

Hi,

if you want people to reply you should keep the mailing list in the  
loop. Also please don't paste pictures but terminal output as plain  
text so it won't get lost.

>> From my controller site:
>> External-internet = 192.168.1.118
>> Internal-network = 10.42.0.189

Seems like you meant it the other way around looking at the other networks.

>> My external network details is shown below

I don't see a segmentation ID for the external network, we create  
provider (external) networks with the same segmentation ID as the  
corresponding VLAN in our environment has. The rest of the information  
on the pictures is not readable to me, please paste the security-group  
rules as text.

>> Apart from all the above information, I will briefly talk about what I
>> have enabled in my global.yml file. I have set the
>> kolla_internal_vip_address to "192168.1.200", kolla_external_vip_address to
>> "10.42.0.200", enable_haproxy to "yes" and other core components of
>> openstack was enabled.

I'm not familiar with kolla so I can't really say what else could be  
missing or not. You could disable the port security for your instance  
to see if that helps, otherwise use tcpdump on control and compute  
node to see where the packets get lost and which vlans are in use. I'm  
not sure if that will resolve it but I believe your external network  
should have a segmentation ID.

Zitat von vincent lee <vincentlee676 at gmail.com>:

> Hi, one last thing I would like to add on is the setting of my openvswitch
> configuration.
> [image: image.png]
> [image: image.png]
>
>
> On Wed, Nov 30, 2022 at 1:39 PM vincent lee <vincentlee676 at gmail.com> wrote:
>
>> Hi Eugen,
>> Sorry for causing any confusion in my previous emails and I will summarize
>> the main issue here. After deploying openstack from a fresh installation, I
>> have not modified the security group when working creating an instance or a
>> container.
>>
>> From my controller site:
>> External-internet = 192.168.1.118
>> Internal-network = 10.42.0.189
>>
>> For my compute host 1:
>> Internal-network = 192.168.1.115
>>
>> For my compute host 2:
>> Internal-network = 192.168.1.108
>>
>> My current issue is that when I created an instance which ran
>> successfully, I was not able to ping that instance from my controller via
>> the external network. Besides, I was also not able to ping the internet
>> (8.8.8.8) inside of the instance.
>>
>> However, I was able to ping to the external network (10.42.0.67) from
>> inside of the newly created instance itself. In other words, the router is
>> communicating correctly. I have attached an image of my network topology as
>> shown below.
>> [image: image.png]
>> Inside of my instance
>> [image: image.png]
>> I have attached an image of my router details as shown below
>> [image: image.png]
>> My external network details is shown below
>> [image: image.png]
>> external network's subnet detail is shown below
>> [image: image.png]
>> My internal network details is shown below
>> [image: image.png]
>> internal network's subnet is shown below
>> [image: image.png]
>> My floating IPs is shown below
>> [image: image.png]
>> My current security group rules is shown below
>> [image: image.png]
>> My system information is shown below
>> [image: image.png]
>> Apart from all the above information, I will briefly talk about what I
>> have enabled in my global.yml file. I have set the
>> kolla_internal_vip_address to "192168.1.200", kolla_external_vip_address to
>> "10.42.0.200", enable_haproxy to "yes" and other core components of
>> openstack was enabled.
>>
>> Best,
>> Vincent
>>
>>
>>
>> On Wed, Nov 30, 2022 at 2:30 AM Eugen Block <eblock at nde.ag> wrote:
>>
>>> So you did modify the default security-group, ports 8000 and 8080 are
>>> not open by default. Anyway, can you please clarify what doesn't work
>>> exactly?
>>> Does the instance have an IP in the public network but the router is
>>> not pingeable (but that is not necessarily an issue) and you can't
>>> access it via which protocols? Does SSH work? Is the access blocked by
>>> a http_proxy?
>>>
>>>
>>> Zitat von vincent lee <vincentlee676 at gmail.com>:
>>>
>>> > To add on to my previous email, I have attached an image of my security
>>> > group as shown below.
>>> >
>>> > Best regards,
>>> > Vincent
>>> >
>>> > On Tue, Nov 22, 2022 at 3:58 AM Eugen Block <eblock at nde.ag> wrote:
>>> >
>>> >> Just one more thing to check, did you edit the security-group rules to
>>> >> allow access to the outside world?
>>> >>
>>> >> Zitat von Adivya Singh <adivya1.singh at gmail.com>:
>>> >>
>>> >> > it should be missing a default route most of the time.
>>> >> > or check IP tables on router namespace the DNAT and SNAT are working
>>> >> > properly
>>> >> >
>>> >> >
>>> >> >
>>> >> > On Tue, Nov 22, 2022 at 9:40 AM Tobias McNulty <
>>> tobias at caktusgroup.com>
>>> >> > wrote:
>>> >> >
>>> >> >> On Mon, Nov 21, 2022 at 7:39 PM vincent lee <
>>> vincentlee676 at gmail.com>
>>> >> >> wrote:
>>> >> >>
>>> >> >>> After reviewing the post you shared, I believe that we have the
>>> correct
>>> >> >>> subnet. Besides, we did not modify anything related to the
>>> cloud-init
>>> >> for
>>> >> >>> openstack.
>>> >> >>>
>>> >> >>
>>> >> >> I didn't either. But I found it's a good test of the network! If
>>> you are
>>> >> >> using an image that doesn't rely on it you might not notice (but I
>>> >> >> would not recommend that).
>>> >> >>
>>> >> >>
>>> >> >>> After launching the instances, we are able to ping between the
>>> >> instances
>>> >> >>> of the same subnet. However, we are not able to receive any
>>> internet
>>> >> >>> connection within those instances. From the instance, we are able
>>> to
>>> >> ping
>>> >> >>> the router IP addresses 10.42.0.56 and 10.0.0.1.
>>> >> >>>
>>> >> >>
>>> >> >> To make sure I understand:
>>> >> >> - 10.42.0.56 is the IP of the router external to OpenStack that
>>> provides
>>> >> >> internet access
>>> >> >> - This router is tested and working for devices outside of OpenStack
>>> >> >> - OpenStack compute instances can ping this router
>>> >> >> - OpenStack compute instances cannot reach the internet
>>> >> >>
>>> >> >> If that is correct, it does not sound like an OpenStack issue
>>> >> necessarily,
>>> >> >> but perhaps a missing default route on your compute instances. I
>>> would
>>> >> >> check that DHCP is enabled on the internal subnet and that it's
>>> >> providing
>>> >> >> everything necessary for an internet connection to the instances.
>>> >> >>
>>> >> >> Tobias
>>> >> >>
>>> >> >>
>>> >> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>> > --
>>> > thanks you.
>>> > vincentleezihong
>>> > 2garnet
>>> > form2
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> thanks you.
>> vincentleezihong
>> 2garnet
>> form2
>>
>>
>
> --
> thanks you.
> vincentleezihong
> 2garnet
> form2

More information about the openstack-discuss mailing list