Hi there, I have a problem with my CloudStack/network setup. I hope somebody can help me.

I'm using KVM and CentOS 6 is installed on all servers. I have no errors in the logs and all instances are running. Here is my current network setup: https://www.dropbox.com/s/nzfiy1ilebugi0k/cloud_network.png?dl=0

I have a CloudStack advanced network, and my virtual servers like the VR can't connect to the internet or even ping the gateway. I also can't ping the VR from the public network. The nodes on which the VMs are running are able to ping the public network/internet. I have only one gateway, so I created a NAT on the management server. So the VMs that want to connect to my public network must go through another subnet first. I think my problem has something to do with my iptables (NAT) settings. For a better understanding please see my diagram. Does somebody have an idea? I appreciate every piece of advice. If this cannot work, what alternatives do I have to create an advanced network with only one gateway?

Please find below my iptables settings.

iptables of the management server:

# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [1158:172626]
:POSTROUTING ACCEPT [119:8872]
:OUTPUT ACCEPT [119:8872]
-A POSTROUTING -o eth0 -j MASQUERADE
# -A POSTROUTING -s 192.168.1.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed
# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [119736:288057978]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [145743:303840575]
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8250 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed

iptables of the nodes:

# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 25 14:45:02 2014
# Generated by iptables-save v1.4.7
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed
# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed
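An added example, not part of the original mail: a small shell lint that reads an iptables-save dump like the management server's above and checks the pieces a single-uplink NAT router needs (a MASQUERADE rule on the uplink, FORWARD rules for both directions when the policy is DROP), and flags a MASQUERADE rule that has no source restriction. It assumes eth0 is the uplink, eth1 the internal side and 192.168.1.0/24 the internal subnet; the sample dump at the bottom is constructed.

```shell
# Added example (not from the original mail). Lints an iptables-save dump of
# a Linux host that NATs an internal subnet out of one uplink, the role the
# management server plays above. Interface roles and the subnet are assumed.
INT_IF=eth1                   # assumed: side where the VM/public-range traffic arrives
EXT_IF=eth0                   # assumed: uplink towards the single real gateway
INT_NET='192\.168\.1\.0/24'   # assumed internal subnet (dots escaped for grep -E)

# check_nat_dump: read an iptables-save dump on stdin, print OK/WARN/FAIL
# findings and return 0 unless a FAIL was produced. net.ipv4.ip_forward is
# not part of a dump, so it still has to be checked with sysctl separately.
check_nat_dump() {
    dump=$(cat); rc=0
    # in_table TABLE REGEX: true if a line of that table matches the regex
    in_table() { printf '%s\n' "$dump" \
        | awk -v t="*$1" '$0==t{p=1;next} /^(\*|COMMIT)/{p=0} p' | grep -Eq -- "$2"; }
    if in_table nat "^-A POSTROUTING .*-o $EXT_IF .*-j MASQUERADE"; then
        if in_table nat "^-A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE"; then
            echo "OK   MASQUERADE on $EXT_IF limited to the internal subnet"
        else  # without -s, anything the host forwards out $EXT_IF gets NATed
            echo "WARN MASQUERADE on $EXT_IF has no -s source restriction"
        fi
    else
        echo "FAIL no MASQUERADE rule for $EXT_IF in the nat table"; rc=1
    fi

    if in_table filter "^:FORWARD ACCEPT"; then
        echo "WARN FORWARD policy is ACCEPT: all forwarded traffic is allowed"
    else  # with a DROP policy both directions need explicit rules
        in_table filter "^-A FORWARD -i $INT_IF -o $EXT_IF .*-j ACCEPT" \
            && echo "OK   $INT_IF -> $EXT_IF is forwarded" \
            || { echo "FAIL no FORWARD rule $INT_IF -> $EXT_IF"; rc=1; }
        in_table filter "^-A FORWARD -i $EXT_IF -o $INT_IF .*RELATED,ESTABLISHED.*-j ACCEPT" \
            && echo "OK   replies $EXT_IF -> $INT_IF are allowed" \
            || { echo "FAIL no RELATED,ESTABLISHED rule $EXT_IF -> $INT_IF"; rc=1; }
    fi
    return $rc
}

# Constructed sample modelled on the management-server dump in the mail.
SAMPLE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'
printf '%s\n' "$SAMPLE" | check_nat_dump
```

On a live host, replace the sample with `iptables-save | check_nat_dump`; the script only inspects the dump, so confirm `sysctl net.ipv4.ip_forward` is 1 as a separate step.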