[Openstack] Help with ipv6 route configuration and problem to traverse virtual router.

Brian Haley brian.haley at hpe.com
Tue Aug 30 17:02:24 UTC 2016


On 08/30/2016 09:54 AM, Jorge Luiz Correa wrote:
> Hi! I need some help to understand and configure my network node to provide
> network access using a dual stack configuration. I've a scenario with one
> controller, one network node and a lot of compute nodes. The version is Mitaka
> on Ubuntu 16.04 LTS, Kernel 4.4.0-36.

Hi,

Thanks for giving so much information, comments below.

> The IPv4 is working fine. Instances can get IPv4 inside tenant networks, I can
> configure floating IPs, access external hosts etc.
>
> The IPv6 has some features working, but I still haven't got the traffic to pass
> between internal and the external networks.
>
> I'm using prefix delegation with dibbler as described here:
>
> http://docs.openstack.org/mitaka/networking-guide/config-ipv6.html
>
> I can create IPv6 tenant subnets, they can get a prefix from dibbler and
> instances on these subnets can configure IPv6 normally.
>
> I've a default security group with rules passing any IPv4 and IPv6 traffic and
> any ICMP.
>
> The problem is that the packets from and to instances don't pass through
> the virtual router. The virtual router has one external interface named qg-
> (connected to br-int -> br-ex) and one internal interface named qr- connected to
> tenant network (br-int -> int-br-vlan). When testing connectivity I can see
> packets (with tcpdump) on my external router/firewall and on qg- interface. For
> example, when I try to ping my external router/firewall from an instance, echo
> requests pass to the external network (through the virtual router) but echo
> replies die on the virtual router (last seen on qg-).
>
> ## echo request:
>
> Instance A
> |
> |
> v
> br-int
> |
> |
> v
> qr- interface
>     VIRTUAL ROUTER
> qg- interface
> |
> |
> v
> br-int
> |
> |
> v
> br-ex
> |
> |
> v
> Router/Firewall (I can see here with tcpdump)
>
>
> ## echo reply:
>
> Instance A
> x
> x
> x
> qr- interface (I CAN'T SEE HERE, LOST)
>     VIRTUAL ROUTER
> qg- interface (I can see here with tcpdump)
> ^
> |
> |
> br-int (ovs bridge, can't do tcpdump, but ok)
> ^
> |
> |
> br-ex (I can see here with tcpdump)
> ^
> |
> |
> Router/Firewall
>
> Question 1) Where can I start to debug this problem?
>
> I'm thinking that it can be something with ipv6 packet forwarding (configurable
> with sysctl). Using 'ip6tables -v' I can't see any drops.
>
> Chain neutron-openvswi-sg-fallback (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all      *      *       ::/0                 ::/0                 /* Default drop rule for unmatched traffic. */

Can you verify there is a default IPv6 route in the qrouter namespace? 
Something like 'ip -6 r' should show it.  In general, seeing what is configured 
in that namespace and seeing if you can ping things from there is a good start.

> Another thing I would like to understand is about how I should configure my
> router/firewall to send IPv6 packets to the Openstack network node. For example, if
> I have the network 2001:DB8::/52 to use on Openstack. Each project will get a
> 2001:DB8::/64 range from prefix delegation. When one project gets its prefix, the
> virtual router knows how to send traffic to the external world because my
> router/firewall sends RA. But, on my router/firewall I need to configure a route
> to 2001:DB8::/52. To do this, I need to inform one next-hop. I'm using the LLA
> (fe80::...) of br-ex as next-hop. So, all traffic destined to any network
> inside 2001:DB8::/52 will be sent to br-ex (that is on the network node). This
> configuration seems to work because packets arrive on the virtual router as
> described above.
>
> Question 2) Is this the right way?

That external router is giving you the prefix via PD, right?  I would have 
thought it would have added a route for your /64 when it did that.

-Brian
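
The default-route check suggested in the reply, combined with the forwarding sysctl raised in the question, as an added shell example that is not part of the original thread. The sample route table, the interface names and the `check_router` helper are constructed for illustration; the namespace name in the closing comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses below are
# constructed placeholders (2001:db8::/32 is the documentation prefix).
SAMPLE_ROUTES='2001:db8:0:1::/64 dev qr-aaaaaaaa-aa proto kernel metric 256 pref medium
fe80::/64 dev qg-bbbbbbbb-bb proto kernel metric 256 pref medium
fe80::/64 dev qr-aaaaaaaa-aa proto kernel metric 256 pref medium
default via fe80::1 dev qg-bbbbbbbb-bb proto ra metric 1024 expires 1700sec pref medium'

# Print the device of the default IPv6 route found on stdin; non-zero if none.
default_route_dev() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit } }
         END { exit !found }'
}

# Print global (non link-local) prefixes that are on-link on a qr- interface.
tenant_prefixes() {
    awk '$1 != "default" && $1 !~ /^fe80:/ && $2 == "dev" && $3 ~ /^qr-/ { print $1 }'
}

# Usage: <ip -6 route output> | check_router <value of net.ipv6.conf.all.forwarding>
check_router() {
    routes=$(cat)
    rc=0
    if dev=$(printf '%s\n' "$routes" | default_route_dev); then
        case $dev in
            qg-*) echo "ok: default route leaves via $dev" ;;
            *)    echo "warn: default route on non-gateway device $dev"; rc=1 ;;
        esac
    else
        echo "fail: no default IPv6 route in the namespace"; rc=1
    fi
    prefixes=$(printf '%s\n' "$routes" | tenant_prefixes)
    if [ -n "$prefixes" ]; then
        echo "ok: tenant prefix(es) on qr-:" $prefixes
    else
        echo "fail: no global prefix routed to a qr- interface"; rc=1
    fi
    [ "$1" = 1 ] || { echo "fail: IPv6 forwarding is '$1', expected 1"; rc=1; }
    return $rc
}

# Offline run against the constructed sample. On a network node, feed it live data:
#   ns=qrouter-<router-uuid>   # placeholder
#   ip netns exec "$ns" ip -6 route |
#       check_router "$(ip netns exec "$ns" sysctl -n net.ipv6.conf.all.forwarding)"
printf '%s\n' "$SAMPLE_ROUTES" | check_router 1
```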



