[Openstack] Help with ipv6 route configuration and problem to traverse virtual router.
Jorge Luiz Correa
correajl at gmail.com
Tue Aug 30 13:54:50 UTC 2016
Hi! I need some help to understand and configure my network node to provide
network access using a dual stack configuration. I've a scenario with one
controller, one network node and a lot of compute nodes. The version is
Mitaka on Ubuntu 16.04 LTS, Kernel 4.4.0-36.
The IPv4 is working fine. Instances can get IPv4 inside tenant networks, I
can configure floating IPs, access external hosts etc.
The IPv6 has some features working, but I still didn't got the traffic pass
between internal and the external networks.
I'm using prefix delegation with dibbler as described here:
http://docs.openstack.org/mitaka/networking-guide/config-ipv6.html
I can create IPv6 tenant subnets, they can get a prefix from dibbler and
instances on this subnets can configure IPv6 normally.
I've a default security group with rules passing any IPv4 and IPv6 traffic
and any ICMP.
The problem is that the packages from and to instances don't pass through
virtual router. The virtual router has one external interface named qg-
(connected to br-int -> br-ex) and one internal interface named qr-
connected to tenant network (br-int -> int-br-vlan). When testing
connectivity I can see packages (with tcpdump) on my external
router/firewall and on qg- interface. For example, when I try to ping my
external router/firewall from an instance, echo requests pass to the
external network (through the virtual router) but echo reply die on virtual
router (last seen on qg-).
## echo request:
Instance A
|
|
v
br-int
|
|
v
qr- interface
VIRTUAL ROUTER
qg- interface
|
|
v
br-int
|
|
v
br-ex
|
|
v
Router/Firewall (I can see here with tcpdump)
## echo reply:
Instance A
x
x
x
qr- interface (I CAN'T SEE HERE, LOST)
VIRTUAL ROUTER
qg- interface (I can see here with tcpdump)
^
|
|
br-int (ovs bridge, can't do tcpdump, but ok)
^
|
|
br-ex (I can see here with tcpdump)
^
|
|
Router/Firewall
Question 1) Where can I start to debug this problem?
I'm thinking that can be something with ipv6 packet forwarding
(configurable with sysctl). Using 'ip6tables -v' I can't see droppings.
Chain neutron-openvswi-sg-fallback (0 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
::/0 /* Default drop rule for unmatched traffic. */
Another thing I would like to understand is about how I should configure my
router/firewall to send IPv6 packets to Openstack network node. For
example, if I have the network 2001:DB8::/52 to use on Openstack. Each
project will get a 2001:DB8::/64 range from prefix delegation. When one
project get its prefix, the virtual router knows how to send traffic to
external world because my router/firewall sends RA. But, on my
router/firewall I need to configure a route to 2001:DB8::/52. To do this, I
need to inform one next-hop. I'm using de LLA (fe80::...) of br-ex as
next-hop. So, all traffic destinated to any network inside 2001:DB8::/52
will be send to br-ex (that is on network node). This configuration seems
to work because packets arrive on virtual router as described above.
Question 2) Is this the right way?
Thanks for any help!
- JLC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160830/e5e632ef/attachment.html>
More information about the Openstack
mailing list