Check your XenServer /etc/sysctl.conf settings. I don't know about Xen 6.0.2 with CSP, but in XenServer 6.1 and XenServer 6.2 they disable iptables over bridge interfaces by default:

# Disable *tables rules for bridge traffic to increase performance
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0

Should be

# Disable *tables rules for bridge traffic to increase performance
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 1

You can check whether your traffic is hitting rules by accessing the host console and tracing traffic through the iptables chains (while performing a ping to/from the VM), e.g.

iptables -Z && watch -n .5 iptables -nvL
iptables -Z && watch -n .5 iptables -nvL BRIDGE-FIREWALL
iptables -Z && watch -n .5 iptables -nvL i-2-8-def

Where i-2-8-def is the machine identifier.

On 19/09/2013 14:11, "Michael Phillips" <mphilli7...@hotmail.com> wrote:

>I'm wondering is it because of the network. Like I mentioned I am using a
>flat network for testing in which the mgmt server, hypervisor, and guests
>are on the same subnet 192.168.69.0/24.
>
>Date: Thu, 19 Sep 2013 07:34:35 -0500
>Subject: RE: Security Groups
>From: mphilli7...@hotmail.com
>To: users@cloudstack.apache.org
>
>Did that already.
>
>Sent via the Samsung Galaxy SIII, an AT&T 4G LTE smartphone
>
>Sanjeev Neelarapu <sanjeev.neelar...@citrix.com> wrote:
>
>By default xen6.0.2 comes with openvswitch. Set it to bridge mode by
>using : "xe-switch-network-backend bridge" command on xenserver.
>
>-----Original Message-----
>From: Michael Phillips [mailto:mphilli7...@hotmail.com]
>Sent: Thursday, September 19, 2013 10:16 AM
>To: users@cloudstack.apache.org
>Subject: RE: Security Groups
>
>Sorry posted the wrong thing...please view this.
>http://pastebin.com/NF28fpq7
>
>> From: jayapalreddy.ur...@citrix.com
>> To: users@cloudstack.apache.org
>> Subject: Re: Security Groups
>> Date: Thu, 19 Sep 2013 04:40:14 +0000
>>
>> There are no cloudstack configured iptables rules on your xen host.
>> It seems iptables are stopped on the host?
>>
>> Please check if CSP is installed correctly on the host.
>> Please try to force reconnect the host once.
>>
>> Thanks,
>> Jayapal
>>
>> On 19-Sep-2013, at 9:50 AM, Michael Phillips <mphilli7...@hotmail.com> wrote:
>>
>>> http://pastebin.com/xf9SBzVY
>>>
>>>> From: jayapalreddy.ur...@citrix.com
>>>> To: users@cloudstack.apache.org
>>>> Subject: Re: Security Groups
>>>> Date: Thu, 19 Sep 2013 03:54:51 +0000
>>>>
>>>> Hi,
>>>> Can you please share host 'iptables -L -nv' output on pastebin
>>>>
>>>> Thanks,
>>>> Jayapal
>>>>
>>>> On 19-Sep-2013, at 8:04 AM, Michael Phillips <mphilli7...@hotmail.com> wrote:
>>>>
>>>>> Having troubles getting security groups to function. My "test"
>>>>> environment is as follows:
>>>>> Cloudstack 4.1.1 on centos6.4
>>>>> Xen Server 6.0.2, CSP installed, iptables running...not sure if it
>>>>> needs to be but it is by default, all xen patches installed.
>>>>> Primary Storage = iscsi
>>>>> Secondary Storage = nfs on mgmt server
>>>>> System VM's and router are running as expected.
>>>>> Network = flat 192.168.50.0/24
>>>>> I then create 2 instances (vm's) based on the centos5.6 template
>>>>> provided and assign them to the "default" security group. The
>>>>> instances are able to "ping" each other, and I thought the expected
>>>>> behavior is that they should not be able to, since the default
>>>>> security group has 0 ingress rules which should block all inbound
>>>>> traffic.
>>>>> What could I be missing??

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system.
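As an added example, not part of the thread or of CloudStack/XenServer itself, the following POSIX shell script automates the sysctl check recommended at the top of the thread. It parses a sysctl.conf-style file (last assignment wins, comments ignored), reports the effective value of each bridge-nf key, and fails when bridged guest traffic would bypass iptables or arptables, which is exactly the state in which CloudStack's security-group chains on the host never see the VM's packets. The function names, the constructed sample file and the demo are assumptions made for this example; the /proc/sys paths used by running_value are the standard Linux layout for these sysctls.

```shell
#!/bin/sh
# Added example, not from the thread: audit the bridge-nf sysctls that
# CloudStack security groups on a XenServer bridge backend depend on.
# Function names, the sample file and the demo are constructed here; the
# /proc/sys layout is the standard Linux one for these keys.

# Print the effective value of KEY in a sysctl.conf-style FILE.
# Later assignments override earlier ones, comments (# or ;) are ignored,
# and whitespace around '=' is tolerated. Prints "unset" if KEY never appears.
sysctl_value() {
    file=$1
    key=$2
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                 # whole-line comment
        {
            line = $0
            sub(/[#;].*$/, "", line)           # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v              # last assignment wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$file"
}

# Read the value the running kernel currently uses (meaningful on a live host
# only; prints "unset" where the bridge sysctls are not exposed).
running_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo "unset"; fi
}

# Return 0 when bridged guest traffic will be evaluated by iptables and
# arptables (the values recommended in the reply above); otherwise list each
# offending key and return 1. ip6tables is left alone, as in those settings.
check_bridge_nf() {
    file=$1
    rc=0
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-arptables; do
        v=$(sysctl_value "$file" "$key")
        if [ "$v" != "1" ]; then
            echo "WARN: $key = $v (expected 1: bridged traffic bypasses these rules)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: bridge traffic is evaluated by iptables and arptables"
    return "$rc"
}

# Demo on a constructed file that mirrors the XenServer default quoted above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Disable *tables rules for bridge traffic to increase performance
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
check_bridge_nf "$demo" || true     # the default produces two WARN lines
rm -f "$demo"
```

On a host, run check_bridge_nf against /etc/sysctl.conf and compare running_value with sysctl_value for each key: a file that says 1 while the kernel still reports 0 means the edit was never loaded (sysctl -p reloads the file). Once both agree, the iptables -Z / watch commands from the reply are the confirmation that packets from the VM are actually incrementing counters in BRIDGE-FIREWALL and the per-instance chain.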