The moment I assign a floating IP address I can also get out of that vm to our external net.
On Mon, May 2, 2016 at 10:51 PM, Jagga Soorma <jagg...@gmail.com> wrote:

> This is what my default security group looks like just in case that has
> anything to do with why it is not working:
>
> --
> Direction  Ether Type  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group  Actions
> Ingress    IPv4        Any          Any         -                 default                Delete Rule
> Egress     IPv6        Any          Any         ::/0              -                      Delete Rule
> Ingress    IPv6        Any          Any         -                 default                Delete Rule
> Egress     IPv4        Any          Any         0.0.0.0/0         -                      Delete Rule
> Ingress    IPv4        ICMP         Any         0.0.0.0/0         -                      Delete Rule
> Ingress    IPv4        TCP          22          0.0.0.0/0         -
>
> On Mon, May 2, 2016 at 10:49 PM, Jagga Soorma <jagg...@gmail.com> wrote:
>
>> Yes, I am able to ping the gateway address from within the snat namespace:
>>
>> --
>> $ sudo ip netns exec snat-9e849e49-ed36-4280-a53c-47d6f5afbea2 ping 10.36.7.253
>> PING 10.36.7.253 (10.36.7.253) 56(84) bytes of data.
>> 64 bytes from 10.36.7.253: icmp_seq=1 ttl=255 time=1.42 ms
>> 64 bytes from 10.36.7.253: icmp_seq=2 ttl=255 time=0.685 ms
>> 64 bytes from 10.36.7.253: icmp_seq=3 ttl=255 time=0.439 ms
>> ^C
>> --- 10.36.7.253 ping statistics ---
>> 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
>> rtt min/avg/max/mdev = 0.439/0.850/1.426/0.419 ms
>> --
>>
>> On Mon, May 2, 2016 at 10:46 PM, Dileep Varma Bairraju <varma...@gmail.com> wrote:
>>
>>> It seems like you have 5 tenants, correlating to 5 snat namespaces. Your
>>> 'qg-' interfaces have proper ip configured, within the snat namespaces,
>>> verify if you are able to resolve arp for '10.36.7.253'. From within
>>> the namespace try pinging gw.
>>>
>>> -Dileep
>>>
>>> On Mon, May 2, 2016 at 10:30 PM, Jagga Soorma <jagg...@gmail.com> wrote:
>>>
>>>> We use an external vm network of 10.36.6.0/23. Looks like I do have
>>>> some snat rules but no idea what I should be specifically looking for in
>>>> here:
>>>>
>>>> $ ip netns | grep -i snat
>>>> snat-9e849e49-ed36-4280-a53c-47d6f5afbea2
>>>> snat-716dc7bd-9d6b-41da-aa6a-a484398785b1
>>>> snat-bece0591-c55b-4a48-bc2b-77873a3ebce1
>>>> snat-803e06a4-4499-4ce0-bda6-fb158e717b9e
>>>> snat-6e4669f9-0b63-4b60-bdf6-94037b4c1e23
>>>>
>>>> $ sudo ip netns exec snat-9e849e49-ed36-4280-a53c-47d6f5afbea2 ip a | grep "inet"
>>>> inet 127.0.0.1/8 scope host lo
>>>> inet6 ::1/128 scope host
>>>> inet 192.168.5.4/24 brd 192.168.5.255 scope global sg-86abc456-8d
>>>> inet6 fe80::f816:3eff:fe23:7166/64 scope link
>>>> inet 10.36.6.240/23 brd 10.36.7.255 scope global qg-09e400d1-28
>>>> inet6 fe80::f816:3eff:fe52:dc9a/64 scope link
>>>>
>>>> $ sudo ip netns exec snat-bece0591-c55b-4a48-bc2b-77873a3ebce1 ip a | grep "inet"
>>>> inet 127.0.0.1/8 scope host lo
>>>> inet6 ::1/128 scope host
>>>> inet 192.168.8.4/24 brd 192.168.8.255 scope global sg-ec9b41fe-3b
>>>> inet6 fe80::f816:3eff:feb5:a225/64 scope link
>>>> inet 10.36.6.79/23 brd 10.36.7.255 scope global qg-b1f38a3f-0b
>>>> inet6 fe80::f816:3eff:fe4b:4a1e/64 scope link
>>>>
>>>> On Mon, May 2, 2016 at 10:09 PM, Remo Mattei <r...@italy1.com> wrote:
>>>>
>>>>> not sure how you build your public network.. but usually it does not
>>>>> do dhcp. So those are details that are needed in order for us to give
>>>>> you solutions / options / checking etc based on what you are running,
>>>>> how it was configured etc..
>>>>>
>>>>> CentOS, Ubuntu, scripting just as an example..
>>>>>
>>>>> Remo
>>>>>
>>>>> On May 2, 2016, at 22:02, Jagga <jagg...@gmail.com> wrote:
>>>>>
>>>>> That is what I thought but it does not seem to be working this way.
>>>>> How would I check our snat namespace and what specifically should I be
>>>>> looking for? My apologies but am very new to openstack.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On May 2, 2016, at 9:51 PM, Dileep Varma Bairraju <varma...@gmail.com> wrote:
>>>>>
>>>>> Hi Jagga,
>>>>>
>>>>> I don't think that's the right approach. Floating ip will effectively
>>>>> do a 1:1 NAT for a given vm to reach external resources. But, there
>>>>> should be an ip from the external network that gets assigned to SNAT
>>>>> namespace on network node, this effectively will let all vm's (without
>>>>> floating ip) access external resources.
>>>>>
>>>>> I'd suggest you check at your snat namespace for possible issues, as
>>>>> you seem to have patched the problem for that vm with floating ip's.
>>>>>
>>>>> > Is that by design or is there something wrong with our configuration?
>>>>> As per design, you don't need to assign floating ip's for your vm's to
>>>>> get out, this should be done by SNAT by default as mentioned earlier,
>>>>> where all the vm's internal ip space maps one external ip.
>>>>>
>>>>> Regards,
>>>>> Dileep
>>>>>
>>>>> On Mon, May 2, 2016 at 8:32 PM, Jagga Soorma <jagg...@gmail.com> wrote:
>>>>>
>>>>>> Hi Guys,
>>>>>>
>>>>>> Need some clarification regarding routing for instances without a
>>>>>> floating ip address. Basically we have instances connected to a priv
>>>>>> network that is also connected to our external network and our security
>>>>>> group allows all egress traffic. However, we can't seem to get to any
>>>>>> resource on our external network till a floating ip address is assigned.
>>>>>> Once we assign a floating ip address we can get out. Is that by design
>>>>>> or is there something wrong with our configuration?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>> Post to     : openstack@lists.openstack.org
>>>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Dileep V Bairraju
>>>
>>> --
>>> Regards,
>>> Dileep V Bairraju
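
Added example, not part of the original thread: one way to answer "what specifically should I be looking for" in a snat namespace, by parsing the `ip a | grep inet` output quoted above and checking that the namespace has an external (`qg-`) address with the gateway on-link. The function names are hypothetical, and reading the `sg-` interface as the tenant-side SNAT port is an assumption based on the output shown in the thread.

```python
import ipaddress

# Constructed sample: the `ip a | grep inet` output quoted in the thread.
SAMPLE = """\
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 192.168.5.4/24 brd 192.168.5.255 scope global sg-86abc456-8d
inet6 fe80::f816:3eff:fe23:7166/64 scope link
inet 10.36.6.240/23 brd 10.36.7.255 scope global qg-09e400d1-28
inet6 fe80::f816:3eff:fe52:dc9a/64 scope link
"""


def parse_inet(text):
    """Return {interface name: IPv4Interface} for global-scope IPv4 lines."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        # Global-scope lines end with the interface name; loopback is skipped.
        if len(fields) >= 2 and fields[0] == "inet" and "global" in fields:
            addrs[fields[-1]] = ipaddress.ip_interface(fields[1])
    return addrs


def check_snat_namespace(text, gateway):
    """List problems that would keep VMs without a floating IP from getting out."""
    addrs = parse_inet(text)
    gw = ipaddress.ip_address(gateway)
    problems = []
    qg = {n: a for n, a in addrs.items() if n.startswith("qg-")}
    sg = {n: a for n, a in addrs.items() if n.startswith("sg-")}
    if not sg:
        problems.append("no sg- port: tenant subnet is not attached here")
    if not qg:
        problems.append("no qg- port: no external address to SNAT to")
    for name, addr in qg.items():
        # The external gateway must be inside the qg- subnet to be ARP-reachable.
        if gw not in addr.network:
            problems.append(f"{name}: gateway {gw} not on-link in {addr.network}")
    return problems


if __name__ == "__main__":
    print(check_snat_namespace(SAMPLE, "10.36.7.253") or "addressing looks sane")
```

An empty result only rules out addressing problems inside the namespace; the ARP and ping test suggested in the thread is still needed to confirm the gateway actually answers.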