Hi (again),

I have applied the patch for hairpin NAT with the VRVM, but here comes another problem: CS always says "Fail to enable static NAT" each time I NAT a public IP for a VM.
I also tried to upgrade to 3.0.4 and the problem did not go away. In the VRVM, the hairpin NAT rule has also disappeared. Please help!!!

Sent from my HTC©

On Sep 25, 2012 3:48 PM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com> wrote:
>
> There is no hair pin NAT related rule in the NAT table.
> Hairpin NAT issue is fixed in 3.0.3.
>
> http://bugs.cloudstack.org/browse/CS-13500
>
> Thanks,
> Jayapal
>
> -----Original Message-----
> From: Hieu Le [mailto:hieul...@gmail.com]
> Sent: Tuesday, September 25, 2012 12:24 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Problem with VM private IP
>
> Here are the VR iptables rules:
>
> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t filter
> Chain INPUT (policy DROP 124 packets, 9432 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
> 1        0     0 ACCEPT  all  --  *     *     0.0.0.0/0    224.0.0.18
> 2        0     0 ACCEPT  all  --  *     *     0.0.0.0/0    225.0.0.50
> 3       38  3648 ACCEPT  all  --  eth0  *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 4    11168 1852K ACCEPT  all  --  eth1  *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 5        5   526 ACCEPT  all  --  eth2  *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 6      102  8520 ACCEPT  icmp --  *     *     0.0.0.0/0    0.0.0.0/0
> 7        5   293 ACCEPT  all  --  lo    *     0.0.0.0/0    0.0.0.0/0
> 8       29  9614 ACCEPT  udp  --  eth0  *     0.0.0.0/0    0.0.0.0/0    udp dpt:67
> 9       23  1787 ACCEPT  udp  --  eth0  *     0.0.0.0/0    0.0.0.0/0    udp dpt:53
> 10     629 37740 ACCEPT  tcp  --  eth1  *     0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:3922
> 11       0     0 ACCEPT  tcp  --  eth0  *     0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:8080
> 12       0     0 ACCEPT  tcp  --  eth0  *     0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:80
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
> 1        0     0 ACCEPT  all  --  eth0  eth1  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 2        1    60 ACCEPT  all  --  eth2  eth0  0.0.0.0/0    10.1.1.118   state NEW
> 3        3   164 ACCEPT  all  --  eth2  eth0  0.0.0.0/0    10.1.1.132   state NEW
> 4       21  9986 ACCEPT  all  --  eth2  eth0  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 5       29  1600 ACCEPT  all  --  eth0  eth2  0.0.0.0/0    0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 280 packets, 48879 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
>
>
> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t nat
> Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
> 1        1    60 DNAT    all  --  eth2  *     0.0.0.0/0    192.168.3.120  to:10.1.1.118
> 2        3   164 DNAT    all  --  eth2  *     0.0.0.0/0    192.168.3.115  to:10.1.1.132
>
> Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
> 1        2    96 SNAT    all  --  *     eth2  10.1.1.132   0.0.0.0/0    to:192.168.3.115
> 2        4   192 SNAT    all  --  *     eth2  10.1.1.118   0.0.0.0/0    to:192.168.3.120
> 3        2   138 SNAT    all  --  *     eth2  0.0.0.0/0    0.0.0.0/0    to:192.168.3.116
>
> Chain OUTPUT (policy ACCEPT 2 packets, 138 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
>
>
> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t mangle
> Chain PREROUTING (policy ACCEPT 543 packets, 44292 bytes)
> num   pkts bytes target                  prot opt in    out  source       destination
> 1      552  346K VPN_192.168.3.116       all  --  *     *    0.0.0.0/0    192.168.3.116
> 2       13  5167 FIREWALL_192.168.3.120  all  --  *     *    0.0.0.0/0    192.168.3.120
> 3       22  5571 FIREWALL_192.168.3.115  all  --  *     *    0.0.0.0/0    192.168.3.115
> 4      118  5980 FIREWALL_192.168.3.116  all  --  *     *    0.0.0.0/0    192.168.3.116
> 5    11705 1887K CONNMARK                all  --  *     *    0.0.0.0/0    0.0.0.0/0      state RELATED,ESTABLISHED CONNMARK restore
> 6        1    60 MARK                    all  --  eth2  *    0.0.0.0/0    192.168.3.120  state NEW MARK set 0x2
> 7        1    60 CONNMARK                all  --  eth2  *    0.0.0.0/0    192.168.3.120  state NEW CONNMARK save
> 8      124 10012 MARK                    all  --  eth0  *    10.1.1.118   0.0.0.0/0      state NEW MARK set 0x2
> 9      124 10012 CONNMARK                all  --  eth0  *    10.1.1.118   0.0.0.0/0      state NEW CONNMARK save
> 10       3   164 MARK                    all  --  eth2  *    0.0.0.0/0    192.168.3.115  state NEW MARK set 0x2
> 11       3   164 CONNMARK                all  --  eth2  *    0.0.0.0/0    192.168.3.115  state NEW CONNMARK save
> 12      17  1445 MARK                    all  --  eth0  *    10.1.1.132   0.0.0.0/0      state NEW MARK set 0x2
> 13      17  1445 CONNMARK                all  --  eth0  *    10.1.1.132   0.0.0.0/0      state NEW CONNMARK save
>
> Chain INPUT (policy ACCEPT 514 packets, 42811 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
>
> Chain FORWARD (policy ACCEPT 54 packets, 11810 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
>
> Chain OUTPUT (policy ACCEPT 231 packets, 42784 bytes)
> num   pkts bytes target  prot opt in    out   source       destination
>
> Chain POSTROUTING (policy ACCEPT 285 packets, 54594 bytes)
> num   pkts bytes target    prot opt in  out   source       destination
> 1       27  9270 CHECKSUM  udp  --  *   *     0.0.0.0/0    0.0.0.0/0    udp dpt:68 CHECKSUM fill
>
> Chain FIREWALL_192.168.3.115 (1 references)
> num   pkts bytes target  prot opt in    out   source       destination
> 1       15  5203 ACCEPT  all  --  *     *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 2        0     0 RETURN  udp  --  *     *     0.0.0.0/0    0.0.0.0/0    udp dpts:1:65535
> 3        5   248 RETURN  tcp  --  *     *     0.0.0.0/0    0.0.0.0/0    tcp dpts:1:65535
> 4        2   120 RETURN  icmp --  *     *     0.0.0.0/0    0.0.0.0/0    icmp type 255
> 5        0     0 DROP    all  --  *     *     0.0.0.0/0    0.0.0.0/0
>
> Chain FIREWALL_192.168.3.116 (1 references)
> num   pkts bytes target  prot opt in    out   source       destination
> 1        0     0 ACCEPT  all  --  *     *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 2      118  5980 DROP    all  --  *     *     0.0.0.0/0    0.0.0.0/0
>
> Chain FIREWALL_192.168.3.120 (1 references)
> num   pkts bytes target  prot opt in    out   source       destination
> 1        8  4903 ACCEPT  all  --  *     *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 2        2   120 RETURN  icmp --  *     *     0.0.0.0/0    0.0.0.0/0    icmp type 255
> 3        3   144 RETURN  tcp  --  *     *     0.0.0.0/0    0.0.0.0/0    tcp dpts:1:65535
> 4        0     0 RETURN  udp  --  *     *     0.0.0.0/0    0.0.0.0/0    udp dpts:1:65535
> 5        0     0 DROP    all  --  *     *     0.0.0.0/0    0.0.0.0/0
>
> Chain VPN_192.168.3.116 (1 references)
> num   pkts bytes target  prot opt in    out   source       destination
> 1      434  340K ACCEPT  all  --  *     *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 2      118  5980 RETURN  all  --  *     *     0.0.0.0/0    0.0.0.0/0
> root@r-17-VRDLAB:~#
>
>
> On Tue, Sep 25, 2012 at 12:37 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>
> > Debug the traffic flow ... whether the traffic is sent to the VR guest
> > network interface and then the public interface.
> > Please share the VR iptables rules.
> >
> > Thanks,
> > Jayapal
> >
> > -----Original Message-----
> > From: Hieu Le [mailto:hieul...@gmail.com]
> > Sent: Tuesday, September 25, 2012 8:42 AM
> > To: cloudstack-dev@incubator.apache.org
> > Subject: Re: Problem with VM private IP
> >
> > Yep, I have read the admin guide and set up a firewall rule + enabled
> > static NAT for all tested VMs and am still facing this problem.
> >
> > On Tue, Sep 25, 2012 at 10:01 AM, Ahmad Emneina <ahmad.emne...@citrix.com> wrote:
> >
> > > Have you looked at the Administration Guide[1]? See page 75 and see
> > > if that solves your connectivity issue. You still need to poke the
> > > hole in the firewall and set up a NAT rule from within cloudstack.
> > >
> > > [1]: http://download.cloud.com/releases/3.0.0/CloudStack3.0AdminGuide.pdf
> > >
> > > On 9/24/12 7:56 PM, "Hieu Le" <hieul...@gmail.com> wrote:
> > >
> > > >Hi,
> > > >
> > > >The telnet packets are not reaching the telnet server VM.
> > > >
> > > >I'm using CS 3.0.2.
> > > >
> > > >Thanks for replying!
> > > >
> > > >On Mon, Sep 24, 2012 at 5:52 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> > > >
> > > >> Using firewall and port forwarding rules only we can access the
> > > >> VM services from the public network, and also from the VMs using
> > > >> the public IPs.
> > > >> For you, telnet from the outside network succeeds but fails from
> > > >> VM to VM using the public IP.
> > > >> Seems hairpin NAT failed ...
> > > >>
> > > >> Please capture the packets on the telnet server VM to see whether
> > > >> telnet packets are reaching it or not.
> > > >>
> > > >> Which version of CloudStack is it?
> > > >>
> > > >> Thanks,
> > > >> Jayapal
> > > >>
> > > >> -----Original Message-----
> > > >> From: Hieu Le [mailto:hieul...@gmail.com]
> > > >> Sent: Monday, September 24, 2012 3:39 PM
> > > >> To: cloudstack-dev@incubator.apache.org
> > > >> Subject: Problem with VM private IP
> > > >>
> > > >> Hi everyone,
> > > >>
> > > >> I have a problem while working with VM private IPs. My cloud
> > > >> system runs 2 VMs in an advanced zone; the private IPs are
> > > >> 10.1.1.20 and 10.1.1.21 and the VM NAT IPs are 192.168.50.160 and
> > > >> 192.168.50.165. From the outside network, I can ping and telnet
> > > >> port 80 to both VMs with public IPs. But from VM 10.1.1.21, I
> > > >> can't telnet to the other VM with its public IP.
> > > >>
> > > >> For details:
> > > >> From VM1: 10.1.1.20 and 192.168.50.160.
> > > >> ping 192.168.50.165 and ping 10.1.1.21 success
> > > >> telnet 10.1.1.21 80 success
> > > >> telnet 192.168.50.165 80 fail
> > > >>
> > > >> From VM2: 10.1.1.21 and 192.168.50.165
> > > >> ping 192.168.50.160 and ping 10.1.1.20 success
> > > >> telnet 10.1.1.20 success
> > > >> telnet 192.168.50.160 80 fail
> > > >>
> > > >> And I can't telnet to other ports with the public IP.
> > > >>
> > > >> Can you suggest some solutions for me to telnet to a VM from
> > > >> another VM via its public IP?
> > > >>
> > > >> Thanks!
> > > >>
> > > >
> > > >
> > > >
> > > >--
> > > >..:: Hieu LE ::..
> > > >
> > > >Class: Information System - Course 52
> > > >School of Information and Communication Technology
> > > >Hanoi University of Technology
> > > >No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
> > > >
> > > >High Performance Computing Center
> > > >Cloud Computing Group
> > > >Gmail: hieul...@gmail.com
> > > >
> > >
> > >
> > > --
> > > Æ
> > >
> > >
> > >
> >
> >
> > --
> > ..:: Hieu LE ::..
> >
> > Class: Information System - Course 52
> > School of Information and Communication Technology
> > Hanoi University of Technology
> > No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
> >
> > High Performance Computing Center
> > Cloud Computing Group
> > Gmail: hieul...@gmail.com
> >
>
>
> --
> ..:: Hieu LE ::..
>
> Class: Information System - Course 52
> School of Information and Communication Technology
> Hanoi University of Technology
> No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
>
> High Performance Computing Center
> Cloud Computing Group
> Gmail: hieul...@gmail.com
>
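
The diagnosis quoted in this thread ("There is no hair pin NAT related rule in the NAT table") can be checked mechanically. The following is an added example, not part of the thread and not CloudStack's own code: it parses the nat-table rows from the listing above and reports static NAT public IPs that guest VMs cannot reach through the router. The function names are hypothetical, `eth0` as the guest-side interface is inferred from the DHCP/DNS rules in the filter table, and the two conditions tested are the generic hairpin NAT requirements, not necessarily the exact rules CloudStack installs.

```python
# NAT-table rows copied from the `iptables -t nat` listing in the thread.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
num pkts bytes target prot opt in out source destination
1 1 60 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.120 to:10.1.1.118
2 3 164 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.115 to:10.1.1.132

Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
num pkts bytes target prot opt in out source destination
1 2 96 SNAT all -- * eth2 10.1.1.132 0.0.0.0/0 to:192.168.3.115
2 4 192 SNAT all -- * eth2 10.1.1.118 0.0.0.0/0 to:192.168.3.120
3 2 138 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:192.168.3.116
"""


def parse_rules(listing):
    """Parse `iptables -nL -v --line-numbers` output into rule dicts."""
    rules, chain = [], None
    for line in listing.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            chain = f[1]
        elif len(f) >= 10 and f[0].isdigit():
            # num pkts bytes target prot opt in out source destination [opts]
            rules.append({"chain": chain, "target": f[3], "in": f[6],
                          "out": f[7], "dst": f[9]})
    return rules


def missing_hairpin(listing, guest_if="eth0"):
    """Return public IPs whose static NAT cannot be reached from guest VMs."""
    rules = parse_rules(listing)
    dnat = [r for r in rules
            if r["chain"] == "PREROUTING" and r["target"] == "DNAT"]
    public_ips = {r["dst"] for r in dnat}
    # Hairpin condition 1: DNAT must also match packets entering on the
    # guest-side interface, not only those arriving on the public one.
    covered = {r["dst"] for r in dnat if r["in"] in (guest_if, "*")}
    # Hairpin condition 2: replies leaving via the guest interface must be
    # source-NATed, or the server answers the client directly.
    snat_back = any(r["chain"] == "POSTROUTING"
                    and r["target"] in ("SNAT", "MASQUERADE")
                    and r["out"] in (guest_if, "*") for r in rules)
    return sorted(ip for ip in public_ips if ip not in covered or not snat_back)


if __name__ == "__main__":
    for ip in missing_hairpin(SAMPLE_NAT):
        print("no hairpin NAT path for", ip)
```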