Re: [openstack-dev] [neutron] packet forwarding
Hello Ian,

Found some anti-spoofing rules in the ebtables (ebtables -t nat -L) of the compute-host where my router VM is located. These rules are automatically generated by libvirt for each VM and are usually generated from a preset of rules (anti-ip-spoofing.xml). Disabling this rule didn't help, as I found later that there are also some iptables chains on the compute host that did some anti-spoofing filtering (iptables -t filter -L).

So one needs to disable the libvirt anti-ip-spoofing and the iptables anti-spoofing. I disabled the libvirt anti-ip-spoofing by removing the filter from nova-base (virsh nwfilter-edit nova-base) and manually added a rule to iptables.

Thanks a lot.
Abbass.

> Randy has it spot on. The antispoofing rules prevent you from doing this in Neutron. Clearly a router transmits traffic that isn't from it, and receives traffic that isn't addressed to it - and the port filtering discards them.
>
> You can disable them for the entire cloud by judiciously tweaking the Nova config settings, or if you're using the Nicira plugin you'll find it has extensions for modifying firewall behaviour (they could do with porting around, or even becoming core, but at the moment they're Nicira-specific).
> --
> Ian.

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
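Added example, not part of the thread or of any OpenStack code: a Python check of the libvirt layer described in the message above, reporting which anti-spoofing filter references a dumped nwfilter definition (for example the output of `virsh nwfilter-dumpxml nova-base`) no longer carries. The XML samples and host names are constructed, and the expected filter names are libvirt's stock filters, assumed here as the baseline; the iptables layer is not covered.

```python
import xml.etree.ElementTree as ET

# Assumed baseline: libvirt's stock anti-spoofing filters.
EXPECTED = ("no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing")

# Constructed sample in the shape of `virsh nwfilter-dumpxml nova-base` output.
STOCK = """<filter name='nova-base' chain='root'>
  <uuid>00000000-0000-0000-0000-000000000001</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>"""

# Constructed sample of the same filter after the IP anti-spoofing
# reference has been edited out, as described in the message.
EDITED = STOCK.replace("  <filterref filter='no-ip-spoofing'/>\n", "")


def audit_nwfilter(xml_text, expected=EXPECTED):
    """Return (filter_name, missing_refs) for one nwfilter definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "filter":
        raise ValueError("not an nwfilter definition: <%s>" % root.tag)
    # filterref elements are direct children of <filter>.
    present = {ref.get("filter") for ref in root.findall("filterref")}
    missing = [name for name in expected if name not in present]
    return root.get("name"), missing


def report(host, xml_text):
    """One summary line per host, suitable for a fleet-wide drift check."""
    name, missing = audit_nwfilter(xml_text)
    if missing:
        return "%s: %s lacks %s" % (host, name, ", ".join(missing))
    return "%s: %s has all anti-spoofing filters" % (host, name)


if __name__ == "__main__":
    # Host names are constructed placeholders.
    print(report("compute-01", STOCK))
    print(report("compute-02", EDITED))
```
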
Re: [openstack-dev] [neutron] packet forwarding
Randy has it spot on. The antispoofing rules prevent you from doing this in Neutron. Clearly a router transmits traffic that isn't from it, and receives traffic that isn't addressed to it - and the port filtering discards them.

You can disable them for the entire cloud by judiciously tweaking the Nova config settings, or if you're using the Nicira plugin you'll find it has extensions for modifying firewall behaviour (they could do with porting around, or even becoming core, but at the moment they're Nicira-specific).
--
Ian.

On 20 December 2013 17:50, Abbass MAROUNI abbass.maro...@virtualscale.fr wrote:

> Hello,
>
> Is it true that traffic from one OpenStack virtual network to another has to pass by an OpenStack router? (using an OpenVirtual switch as the L2). I'm trying to use a VM as a router between 2 OpenStack virtual networks but for some reason I'm not able.
>
> Appreciate any insights,
>
> Best regards,
> Abbass
[openstack-dev] [neutron] packet forwarding
Hello,

Is it true that traffic from one OpenStack virtual network to another has to pass by an OpenStack router? (using an OpenVirtual switch as the L2). I'm trying to use a VM as a router between 2 OpenStack virtual networks but for some reason I'm not able.

Appreciate any insights,

Best regards,
Abbass
Re: [openstack-dev] [neutron] packet forwarding
In general, you'd need a router to pass from one VLAN to another, and that is still true in OS. However, for your case where you have a VM running some routing software, it's quite possible (likely) that the iptable rules on the host machine are stopping your VM from forwarding out since the source address of the packet is not that of the guest that it knows about.

Randy

On Fri, Dec 20, 2013 at 11:50 AM, Abbass MAROUNI abbass.maro...@virtualscale.fr wrote:

> Hello,
>
> Is it true that traffic from one OpenStack virtual network to another has to pass by an OpenStack router? (using an OpenVirtual switch as the L2). I'm trying to use a VM as a router between 2 OpenStack virtual networks but for some reason I'm not able.
>
> Appreciate any insights,
>
> Best regards,
> Abbass
Re: [openstack-dev] [neutron] packet forwarding
There are at least 3 types of solutions I'm aware of:

1) Using VLANs and physical or virtual-machine appliances that route packets between VLANs.
   Tutorial: http://developer.rackspace.com/blog/neutron-networking-vlan-provider-networks.html

2) Using an L2 overlay and virtual machines that route packets between VLANs. (e.g. OVS + neutron virtual-router)
   Tutorial: http://developer.rackspace.com/blog/neutron-networking-simple-flat-network.html

3) Using an L3 overlay that implements a distributed router. (e.g. OpenContrail)
   Unfortunately I don't know of a tutorial that is as nice as the ones above... but you can glean some useful information from:
   https://github.com/dsetia/devstack/blob/master/contrail/README
   and
   http://pedrormarques.wordpress.com/2013/11/14/using-devstack-plus-opencontrail/

Pedro.

On Dec 20, 2013, at 8:50 AM, Abbass MAROUNI abbass.maro...@virtualscale.fr wrote:

> Hello,
>
> Is it true that traffic from one OpenStack virtual network to another has to pass by an OpenStack router? (using an OpenVirtual switch as the L2). I'm trying to use a VM as a router between 2 OpenStack virtual networks but for some reason I'm not able.
>
> Appreciate any insights,
>
> Best regards,
> Abbass