On Thu, May 7, 2015 at 7:30 PM, Andrew Bogott <abog...@wikimedia.org> wrote:
> On 5/7/15 2:34 AM, Antonio Messina wrote:
>>
>> On Wed, May 6, 2015 at 10:56 PM, Andrew Bogott <abog...@wikimedia.org>
>> wrote:
>>>
>>> Since time immemorial, I've accepted as a fact of life that routing
>>> from a nova instance to another instance via floating ip is impossible.
>>> We've coped with this via a hack in dnsmasq, setting an alias to rewrite
>>> public IPs to the corresponding internal IP.
>>
>> Have you checked this serverfault question[0]? The issue is different
>> though: VM not being able to contact its own floating IP, but maybe
>> it's related. It also contains links to relevant bugs.
>
> I did see that, although it seems to be a subcase of my issue (implying that
> routing is working for people in general, just not from a host to itself.)
>
> I'm glad to hear that it works for you! I just now tried setting

It works because I patched Folsom, backporting some patch from some newer
OpenStack release :)

> force_snat_range for my floating IP range but I'm still not getting any
> pings. Strangely if I restart nova-network things work for a minute or two,
> then return to the status quo. That means that no matter what I change, it
> looks like it worked, for a minute :)

When you restart nova-network, the firewall rules are cleaned up and then
re-created, so there is a sort of "race condition" during which the firewall
rules might allow this type of traffic. But it's a "bug" :)

IMHO you should try to understand *why* it doesn't work.

In my case, I remember one of the problems was that when VM1 contacts VM2
using the floating IPs, the firewall rules were only performing DNAT but not
SNAT, so the packets arrive at VM2 with the source IP of VM1 (the private
IP), instead of the floating IP. This implies that VM2 will reply to the
*private IP* instead of the floating IP, so that VM1 will drop the packet as
unknown/not requested.

To fix this, you need an iptables rule like:

  iptables -t nat -A POSTROUTING -s <fixedip> -m conntrack --ctstate DNAT -j SNAT --to-source <floating-ip>

also cfr.
https://github.com/openstack/nova/commit/b8c434630d31f49ae0e9686ddfac8f25acf117b1

.a.

-- 
antonio.s.mess...@gmail.com
antonio.mess...@uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
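A small simulation of the DNAT-only versus DNAT+SNAT behaviour described in the reply above, added here as an illustration and not taken from the thread or from nova-network itself. The addresses, the two-VM topology and the assumption that a reply addressed to a fixed IP on the shared private subnet never traverses the gateway are all constructed for the example.

```python
"""Why a floating-IP ping between two VMs fails without SNAT on DNATed flows.

Constructed topology: VM1 (fixed 10.0.0.11, floating 203.0.113.11) pings
VM2 (fixed 10.0.0.12, floating 203.0.113.12). The gateway DNATs floating
addresses to fixed ones and, when enabled, SNATs the source of DNATed
connections to the sender's floating IP (the POSTROUTING rule in the thread).
"""

FLOATING = {"203.0.113.11": "10.0.0.11", "203.0.113.12": "10.0.0.12"}
FIXED = {fixed: floating for floating, fixed in FLOATING.items()}


def gateway_forward(pkt, snat_on_dnat):
    """Rewrite a (src, dst) packet leaving VM1 and record the conntrack entry."""
    src, dst = pkt
    new_dst = FLOATING.get(dst, dst)          # DNAT: floating -> fixed
    new_src = src
    if new_dst != dst and snat_on_dnat:       # --ctstate DNAT -j SNAT --to-source
        new_src = FIXED.get(src, src)
    conntrack = {"orig": (src, dst), "translated": (new_src, new_dst)}
    return (new_src, new_dst), conntrack


def gateway_reply(pkt, conntrack):
    """Reverse the translation if the reply matches the tracked connection."""
    src, dst = pkt
    t_src, t_dst = conntrack["translated"]
    if (src, dst) == (t_dst, t_src):
        o_src, o_dst = conntrack["orig"]
        return (o_dst, o_src)
    return pkt


def vm1_sees(snat_on_dnat):
    """Return the (src, dst) of the reply as VM1 receives it."""
    out, conntrack = gateway_forward(("10.0.0.11", "203.0.113.12"), snat_on_dnat)
    reply = (out[1], out[0])                  # VM2 answers the source it saw
    if reply[1] in FIXED:
        # Destination is on the shared private subnet: VM2 delivers the reply
        # directly to VM1, bypassing the gateway, so the DNAT is never undone.
        return reply
    return gateway_reply(reply, conntrack)


def ping_succeeds(snat_on_dnat):
    """VM1 accepts the reply only if it comes from the address it pinged."""
    return vm1_sees(snat_on_dnat) == ("203.0.113.12", "10.0.0.11")
```

Without SNAT the reply reaches VM1 from 10.0.0.12, which VM1 never contacted, so it is dropped; with the SNAT rule the reply is routed back through the gateway and conntrack restores 203.0.113.12 as the source.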