Hi Marc,
I'm not sure if this is adding to your issues, but the section of your network
config where you send traffic for 172.16.0.0/16 to 172.16.8.1
doesn't look right to my eye, as traffic for your local subnet 172.16.8.0/24
would also get sent to that gateway.
address 172.16.8.7
netmask 255.255.255.0
network 172.16.8.0
broadcast 172.16.8.255
up route add -net 172.16.0.0 netmask 255.255.0.0 gw 172.16.8.1
Regards
Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
[email protected]
-----Original Message-----
From: Marc Leeman [mailto:[email protected]]
Sent: 16 October 2014 08:25
To: [email protected]
Subject: Fwd: firewall problems and proxy problems
I think my mail did not get through, I can't find it in the archives; I've
probably sent it too fast after subscribing.
I've started out with cloudstack a couple days ago and I've hit a bit of a
brick wall.
The installation is running on a system that has two network interfaces, a
public one and private one (connecting to a local network).
auto eth0
iface eth0 inet manual
auto eth1
iface eth1 inet static
address 10.158.231.29
netmask 255.255.255.0
network 10.158.231.0
broadcast 10.158.231.255
gateway 10.158.231.1
auto cloudbr0
iface cloudbr0 inet static
address 172.16.8.7
netmask 255.255.255.0
network 172.16.8.0
broadcast 172.16.8.255
up route add -net 172.16.0.0 netmask 255.255.0.0 gw 172.16.8.1
bridge_ports eth0
bridge_fd 5
bridge_stp off
bridge_maxwait 1
The idea is to connect all the guests to the 172.16 network because access to
multicasting devices is needed.
The systems are running on Debian wheezy, and got the system up after fixing
the /etc/legal problem (echo Ubuntu) and after finding out in the logs that
there is a package dependency problem on the cloudstack-manager package for 4.3.
The biggest problem seems to be that the host is running in a corporate network
and cloudstack is auto configuring some things by downloading over http.
This does not work since a corporate proxy is required.
I downloaded the system images manually; but now it seems I need to do the same
in the secondary storage vm.
The vm is running and I can get the login prompt with virsh (kvm), however
there is no password I can find.
The trick with the connection to the local-link address does not work because I
fear I have a networking/firewall issue. It does not matter if I disable the
firewall or not, I cannot access the 169.254.x.x network.
pinging the device returns
ping 169.254.3.236
PING 169.254.3.236 (169.254.3.236) 56(84) bytes of data.
From 169.254.0.1 icmp_seq=1 Destination Host Unreachable
From 169.254.0.1 icmp_seq=2 Destination Host Unreachable
From 169.254.0.1 icmp_seq=3 Destination Host Unreachable
The firewall configuration is firehol
cat /etc/firehol/firehol.conf
version 5
# Accept all client traffic on any interface
FIREHOL_LOG_MODE="ULOG"
server_cloudstackweb_ports="tcp/8080"
client_cloudstackweb_ports="default"
server_buildbot_ports="tcp/8010"
client_buildbot_ports="default"
server_git_ports="tcp/9418"
client_git_ports="default"
labo_ips="172.16.0.0/16 169.254.0.0/16"
server_cloudstack_ports="tcp/1798"
client_cloudstack_ports="default"
server_libvirt_ports="tcp/16509"
client_libvirt_ports="default"
server_vnc_ports="tcp/5900:6100"
client_vnc_ports="default"
server_libvirtlive_ports="tcp/49152:49216"
client_libvirtlive_ports="default"
# local bridge address
interface cloudbr0 LAN src "${labo_ips}"
server all accept
client all accept
interface eth1 WAN src not "${labo_ips}"
protection strong
policy reject
server ssh accept
server cloudstack accept
server cloudstackweb accept
server libvirt accept
server vnc accept
server libvirtlive accept
server buildbot accept
client all accept
# zeroconf bridge address
interface cloud0 LLBR0
client all accept
server all accept
router LAN2WAN inface cloudbr0 outface eth1
masquerade
route all accept
I got a bit further by adding the interface cloud0 to the definition, but still
no joy.
I need to access the vm to run some script with a http_proxy environment
variable...
I am currently starting to run out of ideas; installing cloudstack was fine;
but I entered hell afterwards; ...
/sbin/ifconfig
cloud0 Link encap:Ethernet HWaddr fe:00:a9:fe:01:f8
inet addr:169.254.0.1 Bcast:169.254.255.255 Mask:255.255.0.0
inet6 addr: fe80::4061:7aff:fe05:f240/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:4278 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:193752 (189.2 KiB)
cloudbr0 Link encap:Ethernet HWaddr 9c:8e:99:26:6d:e4
inet addr:172.16.8.7 Bcast:172.16.8.255 Mask:255.255.255.0
inet6 addr: fe80::9e8e:99ff:fe26:6de4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:123565 errors:0 dropped:0 overruns:0 frame:0
TX packets:58009 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:42680449 (40.7 MiB) TX bytes:236280976 (225.3 MiB)
eth0 Link encap:Ethernet HWaddr 9c:8e:99:26:6d:e4
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:930187 errors:0 dropped:871 overruns:0 frame:0
TX packets:699239 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:314733647 (300.1 MiB) TX bytes:565773302 (539.5 MiB)
eth1 Link encap:Ethernet HWaddr 9c:8e:99:26:6d:e6
inet addr:10.158.231.29 Bcast:150.158.231.255 Mask:255.255.255.0
inet6 addr: fe80::9e8e:99ff:fe26:6de6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:676481 errors:0 dropped:0 overruns:0 frame:0
TX packets:471296 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:681352598 (649.7 MiB) TX bytes:121936012 (116.2 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:8578260 errors:0 dropped:0 overruns:0 frame:0
TX packets:8578260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4369297693 (4.0 GiB) TX bytes:4369297693 (4.0 GiB)
vnet0 Link encap:Ethernet HWaddr fe:00:a9:fe:01:f8
inet6 addr: fe80::fc00:a9ff:fefe:1f8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:281 errors:0 dropped:3656 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:14269 (13.9 KiB)
vnet1 Link encap:Ethernet HWaddr fe:30:ac:00:00:03
inet6 addr: fe80::fc30:acff:fe00:3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:284 errors:0 dropped:47331 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:23713 (23.1 KiB)
vnet2 Link encap:Ethernet HWaddr fe:c8:d4:00:00:08
inet6 addr: fe80::fcc8:d4ff:fe00:8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:284 errors:0 dropped:47331 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:23713 (23.1 KiB)
vnet3 Link encap:Ethernet HWaddr fe:00:a9:fe:03:ec
inet6 addr: fe80::fc00:a9ff:fefe:3ec/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:3175 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:25346 (24.7 KiB)
vnet4 Link encap:Ethernet HWaddr fe:32:ac:00:00:04
inet6 addr: fe80::fc32:acff:fe00:4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:9386 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:20313 (19.8 KiB)
vnet5 Link encap:Ethernet HWaddr fe:26:52:00:00:18
inet6 addr: fe80::fc26:52ff:fe00:18/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:9386 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:20313 (19.8 KiB)
vnet6 Link encap:Ethernet HWaddr fe:e4:38:00:00:05
inet6 addr: fe80::fce4:38ff:fe00:5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:9386 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:20313 (19.8 KiB)
/sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 150.158.231.1 0.0.0.0 UG 0 0 0 eth1
10.158.231.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 cloud0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 cloudbr0
172.16.8.0 0.0.0.0 255.255.255.0 U 0 0 0 cloudbr0
UPDATE:
I've managed to get link local working by modifying the routing (disable the fw
atm too).
/sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.158.231.1 0.0.0.0 UG 0 0 0 eth1
150.158.231.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 cloudbr0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 cloudbr0
172.16.8.0 0.0.0.0 255.255.255.0 U 0 0 0 cloudbr0
However, only to OTHER machines, I still cannot access the Secondary storage VM
by the ll address.
So LL addresses work to other physical machines, not to the VM on the same host
I am connecting from (or from another machine for that matter).
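Added example (not written by either poster): Linux selects the most specific matching route, so the entries discussed in this thread can be checked with a small longest-prefix lookup. The table is an assumption built from the cloudbr0 stanza (connected /24 plus the "up route add" /16 via 172.16.8.1) and the 169.254.0.0/16 entry from the route -n listings; 172.16.8.20 and 172.16.40.5 are constructed sample addresses.

```python
import ipaddress

def route(dest, mask, gw, iface):
    """Build one routing entry from route -n style fields."""
    net = ipaddress.ip_network(f"{dest}/{mask}")
    return {"net": net, "gw": None if gw == "0.0.0.0" else gw, "iface": iface}

# Table implied by the cloudbr0 stanza quoted in the thread (assumption):
# the connected /24 from address/netmask plus the static /16 from "up route add".
# The cloud0 entry is taken from the first route -n listing.
BEFORE = [
    route("172.16.8.0", "255.255.255.0", "0.0.0.0", "cloudbr0"),
    route("172.16.0.0", "255.255.0.0", "172.16.8.1", "cloudbr0"),
    route("169.254.0.0", "255.255.0.0", "0.0.0.0", "cloud0"),
]

# Same table after the UPDATE, where 169.254.0.0/16 points at cloudbr0.
AFTER = BEFORE[:2] + [route("169.254.0.0", "255.255.0.0", "0.0.0.0", "cloudbr0")]

def lookup(table, addr):
    """Return the longest-prefix match for addr, or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)

def describe(table, addr):
    """Return (network, next hop or 'on-link', interface) for addr."""
    r = lookup(table, addr)
    if r is None:
        return None
    return (str(r["net"]), r["gw"] or "on-link", r["iface"])

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for addr in ("172.16.8.20", "172.16.40.5", "169.254.3.236"):
            print(label, addr, describe(table, addr))
```

On the host itself, `ip route get <address>` reports the kernel's actual choice for the same lookups.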