On 08/30/2016 09:54 AM, Jorge Luiz Correa wrote:
Hi! I need some help to understand and configure my network node to provide
network access using a dual stack configuration. I've a scenario with one
controller, one network node and a lot of compute nodes. The version is Mitaka
on Ubuntu 16.04 LTS, Kernel 4.4.0-36.

Hi,

Thanks for giving so much information, comments below.

The IPv4 is working fine. Instances can get IPv4 inside tenant networks, I can
configure floating IPs, access external hosts etc.

The IPv6 has some features working, but I still haven't gotten traffic to pass
between the internal and the external networks.

I'm using prefix delegation with dibbler as described here:

http://docs.openstack.org/mitaka/networking-guide/config-ipv6.html

I can create IPv6 tenant subnets, they can get a prefix from dibbler and
instances on these subnets can configure IPv6 normally.

I've a default security group with rules passing any IPv4 and IPv6 traffic and
any ICMP.

The problem is that the packets from and to instances don't pass through the
virtual router. The virtual router has one external interface named qg-
(connected to br-int -> br-ex) and one internal interface named qr- connected to
the tenant network (br-int -> int-br-vlan). When testing connectivity I can see
packets (with tcpdump) on my external router/firewall and on the qg- interface. For
example, when I try to ping my external router/firewall from an instance, echo
requests pass to the external network (through the virtual router) but the echo
reply dies on the virtual router (last seen on qg-).

## echo request:

Instance A
|
|
v
br-int
|
|
v
qr- interface
    VIRTUAL ROUTER
qg- interface
|
|
v
br-int
|
|
v
br-ex
|
|
v
Router/Firewall (I can see here with tcpdump)


## echo reply:

Instance A
x
x
x
qr- interface (I CAN'T SEE HERE, LOST)
    VIRTUAL ROUTER
qg- interface (I can see here with tcpdump)
^
|
|
br-int (ovs bridge, can't do tcpdump, but ok)
^
|
|
br-ex (I can see here with tcpdump)
^
|
|
Router/Firewall

Question 1) Where can I start to debug this problem?

I'm thinking that it can be something with IPv6 packet forwarding (configurable
with sysctl). Using 'ip6tables -v' I can't see any drops.

Chain neutron-openvswi-sg-fallback (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* Default drop rule for unmatched traffic. */

Can you verify there is a default IPv6 route in the qrouter namespace? Something like 'ip -6 r' should show it. In general, seeing what is configured in that namespace and seeing if you can ping things from there is a good start.

Another thing I would like to understand is how I should configure my
router/firewall to send IPv6 packets to the Openstack network node. For example, if
I have the network 2001:DB8::/52 to use on Openstack. Each project will get a
2001:DB8::/64 range from prefix delegation. When one project gets its prefix, the
virtual router knows how to send traffic to the external world because my
router/firewall sends RAs. But, on my router/firewall I need to configure a route
to 2001:DB8::/52. To do this, I need to specify one next-hop. I'm using the LLA
(fe80::...) of br-ex as next-hop. So, all traffic destined to any network
inside 2001:DB8::/52 will be sent to br-ex (that is on the network node). This
configuration seems to work because packets arrive on the virtual router as
described above.

Question 2) Is this the right way?

That external router is giving you the prefix via PD, right? I would have thought it would have added a route for your /64 when it did that.

-Brian
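As an added illustration of the two checks suggested above (a default IPv6 route in the qrouter namespace, and the forwarding sysctls), here is a small triage helper that is not part of the thread. It parses captured output of `ip netns exec qrouter-<id> ip -6 route` and `sysctl net.ipv6.conf` from that namespace; the sample outputs, interface names and the 2001:db8 prefixes are constructed for the example.

```python
# Constructed sample of `ip -6 route` inside a qrouter namespace (no default route).
SAMPLE_ROUTES = """\
2001:db8:0:1::/64 dev qr-1a2b3c4d proto kernel metric 256 pref medium
2001:db8::/64 dev qg-9e8f7a6b proto kernel metric 256 pref medium
fe80::/64 dev qr-1a2b3c4d proto kernel metric 256 pref medium
fe80::/64 dev qg-9e8f7a6b proto kernel metric 256 pref medium
"""

# Constructed sample of `sysctl net.ipv6.conf` lines from the same namespace.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.qg-9e8f7a6b.forwarding = 1
net.ipv6.conf.qg-9e8f7a6b.accept_ra = 1
net.ipv6.conf.qr-1a2b3c4d.forwarding = 1
"""


def parse_sysctl(text):
    """Map 'key = value' sysctl lines to a dict of stripped strings."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def default_route_dev(route_text):
    """Return the outgoing device of the IPv6 default route, or None if absent."""
    for line in route_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "default" and "dev" in fields:
            return fields[fields.index("dev") + 1]
    return None


def triage(route_text, sysctl_text, external_if):
    """Return a list of findings about routing/forwarding in the namespace."""
    findings = []
    settings = parse_sysctl(sysctl_text)
    dev = default_route_dev(route_text)
    if dev is None:
        findings.append("no IPv6 default route in namespace")
        # Linux ignores RAs on an interface with forwarding=1 unless accept_ra=2,
        # so a default route learned from the upstream router's RA needs that value.
        ra = settings.get(f"net.ipv6.conf.{external_if}.accept_ra")
        findings.append(f"{external_if} accept_ra={ra}; needs 2 to learn a default "
                        "route from RA while forwarding is enabled") if ra != "2" else None
    elif dev != external_if:
        findings.append(f"default route via {dev}, expected {external_if}")
    if settings.get("net.ipv6.conf.all.forwarding") != "1":
        findings.append("net.ipv6.conf.all.forwarding is not 1")
    return findings
```

Replace the constructed strings with the real command output from `ip netns exec qrouter-<id> ...` to run the same checks on a live network node.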

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
