[Openstack] [Grizzly] VMs can't access internet if floating ip associated

Michaël Van de Borne michael.vandeborne at cetic.be
Tue Apr 30 00:15:58 UTC 2013


Hi there,
I'm running Grizzly on Ubuntu 12.04 in this topology: 
http://docs.openstack.org/trunk/openstack-network/admin/content/connectivity.html
and using the per-tenant routers with private networks.

I just found out that my VMs (except just one) can't access the internet
if I associate a floating IP with them.
As soon as I disassociate the floating ip, the VM can ping 8.8.8.8

Has anyone experienced this?

Here is the iptables-save of the virtual router (configured thanks to 
the l3 agent):
(the VMs' floating IPs are 192.168.202.X. The weirdest thing is that
only the VM using the 192.168.202.4 floating IP can access the internet).
thanks for your help...


root@rajesh:~# ip netns exec qrouter-e75c9ae7-c814-42c3-bd9e-9002c025aa95 iptables-save
# Generated by iptables-save v1.4.12 on Tue Apr 30 01:52:01 2013
*mangle
:PREROUTING ACCEPT [103801:72619178]
:INPUT ACCEPT [29779:8190400]
:FORWARD ACCEPT [73997:64361803]
:OUTPUT ACCEPT [3336:330688]
:POSTROUTING ACCEPT [77333:64692491]
COMMIT
# Completed on Tue Apr 30 01:52:01 2013
# Generated by iptables-save v1.4.12 on Tue Apr 30 01:52:01 2013
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-POSTROUTING - [0:0]
:quantum-l3-agent-PREROUTING - [0:0]
:quantum-l3-agent-float-snat - [0:0]
:quantum-l3-agent-snat - [0:0]
:quantum-postrouting-bottom - [0:0]
-A PREROUTING -j quantum-l3-agent-PREROUTING
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A POSTROUTING -j quantum-l3-agent-POSTROUTING
-A POSTROUTING -j quantum-postrouting-bottom
-A quantum-l3-agent-OUTPUT -d 192.168.202.4/32 -j DNAT --to-destination 10.0.0.4
-A quantum-l3-agent-OUTPUT -d 192.168.202.3/32 -j DNAT --to-destination 10.0.0.2
-A quantum-l3-agent-OUTPUT -d 192.168.202.6/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-POSTROUTING ! -i qg-53c422b7-8a ! -o qg-53c422b7-8a -m conntrack ! --ctstate DNAT -j ACCEPT
-A quantum-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A quantum-l3-agent-PREROUTING -d 192.168.202.4/32 -j DNAT --to-destination 10.0.0.4
-A quantum-l3-agent-PREROUTING -d 192.168.202.3/32 -j DNAT --to-destination 10.0.0.2
-A quantum-l3-agent-PREROUTING -d 192.168.202.6/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-float-snat -s 10.0.0.4/32 -j SNAT --to-source 192.168.202.4
-A quantum-l3-agent-float-snat -s 10.0.0.2/32 -j SNAT --to-source 192.168.202.3
-A quantum-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 192.168.202.6
-A quantum-l3-agent-snat -j quantum-l3-agent-float-snat
-A quantum-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 192.168.202.2
-A quantum-postrouting-bottom -j quantum-l3-agent-snat
COMMIT
# Completed on Tue Apr 30 01:52:01 2013
# Generated by iptables-save v1.4.12 on Tue Apr 30 01:52:01 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [23:2028]
:OUTPUT ACCEPT [0:0]
:quantum-filter-top - [0:0]
:quantum-l3-agent-FORWARD - [0:0]
:quantum-l3-agent-INPUT - [0:0]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-local - [0:0]
-A INPUT -j quantum-l3-agent-INPUT
-A FORWARD -j quantum-filter-top
-A FORWARD -j quantum-l3-agent-FORWARD
-A OUTPUT -j quantum-filter-top
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A quantum-filter-top -j quantum-l3-agent-local
-A quantum-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Tue Apr 30 01:52:01 2013


michaël

-- 
Michaël Van de Borne
R&D Engineer, SOA team, CETIC
Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli
www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi
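
A consistency check over the nat table in the message above, as an added example that is not part of the original post or of the Quantum code base: it parses iptables-save output and verifies that every floating IP has a DNAT rule in both the PREROUTING and OUTPUT l3-agent chains and a SNAT rule in float-snat, all naming the same fixed IP. The function names are this example's own, and the embedded dump is the post's rule set with mail-wrapped lines rejoined.

```python
import re

# The nat-table rules from the post above, with mail-wrapped lines rejoined.
DUMP = """\
*nat
-A quantum-l3-agent-OUTPUT -d 192.168.202.4/32 -j DNAT --to-destination 10.0.0.4
-A quantum-l3-agent-OUTPUT -d 192.168.202.3/32 -j DNAT --to-destination 10.0.0.2
-A quantum-l3-agent-OUTPUT -d 192.168.202.6/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-PREROUTING -d 192.168.202.4/32 -j DNAT --to-destination 10.0.0.4
-A quantum-l3-agent-PREROUTING -d 192.168.202.3/32 -j DNAT --to-destination 10.0.0.2
-A quantum-l3-agent-PREROUTING -d 192.168.202.6/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-float-snat -s 10.0.0.4/32 -j SNAT --to-source 192.168.202.4
-A quantum-l3-agent-float-snat -s 10.0.0.2/32 -j SNAT --to-source 192.168.202.3
-A quantum-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 192.168.202.6
-A quantum-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 192.168.202.2
COMMIT
"""

PREFIX = "quantum-l3-agent-"
REQUIRED = {PREFIX + "PREROUTING", PREFIX + "OUTPUT", PREFIX + "float-snat"}
DNAT = re.compile(r"-A (\S+) -d ([\d.]+)/32 -j DNAT --to-destination ([\d.]+)$")
SNAT = re.compile(r"-A (\S+) -s ([\d.]+)/32 -j SNAT --to-source ([\d.]+)$")

def floating_ip_rules(dump):
    """Return {floating_ip: {chain: fixed_ip}} for per-host rules in the *nat table."""
    rules, in_nat = {}, False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):          # table header such as *nat or *filter
            in_nat = line == "*nat"
        elif in_nat and (m := DNAT.match(line)):
            chain, floating, fixed = m.groups()
            rules.setdefault(floating, {})[chain] = fixed
        elif in_nat and (m := SNAT.match(line)):
            chain, fixed, floating = m.groups()   # SNAT lists the fixed IP first
            rules.setdefault(floating, {})[chain] = fixed
    return rules

def inconsistencies(rules):
    """Flag floating IPs missing a required chain or mapped to more than one fixed IP."""
    bad = {}
    for floating, chains in rules.items():
        missing = sorted(REQUIRED - set(chains))
        fixed = sorted(set(chains.values()))
        if missing or len(fixed) != 1:
            bad[floating] = {"missing": missing, "fixed": fixed}
    return bad

if __name__ == "__main__":
    print(inconsistencies(floating_ip_rules(DUMP)) or "floating IP NAT rules are symmetric")
```

On the rules posted here the check finds nothing to flag: 192.168.202.3, .4 and .6 each have the same three translations, so the nat table by itself does not distinguish the working floating IP from the other two.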
