
Using instance with two NICs to route traffic between two subnets fails on private cloud.

This question is answered.

The goal is to route traffic from one subnet to another using a computer in the middle with two NICs. I have successfully created the scenario both on my own computer with VirtualBox and on the cloud with Rackspace's trial cloud. The images I am using for our private cloud and VirtualBox are identical, and Rackspace had the same version of OS, just not identical.

When trying the same setup on our private cloud, the middle instance is able to ping machines on both subnets. The machines on separate subnets are able to ping the NIC on the same subnet for the middle instance, but fail when trying to ping the NIC on the other subnet. Running tcpdump on the machines, I can see that the NIC on the different subnet receives the pings and sends a response. But that response never makes it back and I can't find out where it is going. None of the NICs show any dropped packets and I have turned off all the filtering and firewalls that I know of that could be messing with the pings.

Verified Answer
  • I'm leaning towards this having to do with Neutron and Open vSwitch. I wouldn't call it an issue or misconfiguration because what you are trying to do is always handled by a Neutron Router and not an OpenStack Instance. There is probably some lower level configuration happening on the Neutron Router that has not yet been applied to the OpenStack Instance you are trying to use as a router.

    The Rackspace Public Cloud uses Neutron but it does not use Open vSwitch as a backend.

  • An instance can be configured to act as a router between two subnets, but the following would need to be observed:


    - ipv4 forwarding would need to be enabled in the router instance

    - iptables rules would need to be created for the router instance that allow for addresses/subnets other than the one owned by the instance to be forwarded. This means that the 'allowed-address-pairs' extension would be utilized to define multiple source addresses/subnets. This can be invoked using the Neutron port-update command for the router instance's ports. One update would allow net2's subnet on the net1 interface, and vice-versa. Neutron will update the iptables on the respective compute node.

    If router R is a Neutron router, then something else is wrong.

    If I'm off-base here please let me know and we can go into further detail as to what you're trying to accomplish.

    James D.
    Network Engineer
    Rackspace Private Cloud
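The accepted answer's explanation can be made concrete with a small model of the per-port source-address check it describes: a Neutron port lets traffic out only when the source address is the port's own fixed IP or is covered by an allowed-address-pair entry, and the two-NIC instance breaks that rule because a reply sent from its net2 address leaves through its net1 port (10.40.42.0/24 is directly connected there), and a packet forwarded for vm1 leaves the net2 port carrying vm1's address. The following is an added example, not code from the thread, from Neutron or from Rackspace; the filter logic is an assumption that reproduces the behaviour the answer attributes to the compute node's iptables, and the addresses are the ones the poster listed later in the thread (vm1 10.40.42.12, vm2 10.40.42.11/10.40.43.11, vm3 10.40.43.12).

```python
"""Model of the Neutron port-security source-address check described in the
accepted answer. Added example, not code from the thread or from Neutron;
the egress rule below is an assumption modelling the behaviour the answer
describes: a port forwards a packet only if its source address is the port's
fixed IP or falls inside one of the port's allowed-address-pairs entries."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Port:
    name: str
    fixed_ip: str
    # CIDRs or single addresses added via the allowed-address-pairs extension
    allowed_address_pairs: List[str] = field(default_factory=list)

    def egress_permitted(self, src_ip: str) -> bool:
        """Anti-spoof check applied to traffic leaving this port (assumed model)."""
        src = ipaddress.ip_address(src_ip)
        if src == ipaddress.ip_address(self.fixed_ip):
            return True
        return any(src in ipaddress.ip_network(cidr, strict=False)
                   for cidr in self.allowed_address_pairs)


def build_middle_instance(with_address_pairs: bool) -> Dict[str, Port]:
    """The two ports of vm2, the 'middle' instance, using the thread's addresses."""
    net1 = Port("vm2-nic1", "10.40.42.11")
    net2 = Port("vm2-nic2", "10.40.43.11")
    if with_address_pairs:
        # The answer's fix: allow net2's subnet on the net1 port and vice versa.
        net1.allowed_address_pairs.append("10.40.43.0/24")
        net2.allowed_address_pairs.append("10.40.42.0/24")
    return {"net1": net1, "net2": net2}


def trace_traffic(with_address_pairs: bool) -> Dict[str, bool]:
    """Three packets that leave vm2, and whether the port check lets them out.

    - vm1 pings vm2's net2 address; vm2 answers from 10.40.43.11, but 10.40.42.0/24
      is directly connected on nic1, so the reply leaves the net1 port.
    - vm1 pings vm3 through vm2; the forwarded packet leaves the net2 port still
      carrying vm1's address 10.40.42.12 (no NAT on the router instance).
    - vm2 pings vm1 from its own net1 address, which always passes.
    """
    ports = build_middle_instance(with_address_pairs)
    return {
        "reply_from_nic2_address_via_net1": ports["net1"].egress_permitted("10.40.43.11"),
        "forwarded_vm1_to_vm3_via_net2": ports["net2"].egress_permitted("10.40.42.12"),
        "vm2_own_address_via_net1": ports["net1"].egress_permitted("10.40.42.11"),
    }


if __name__ == "__main__":
    for label, pairs in (("before port-update", False), ("after port-update", True)):
        print(label)
        for packet, ok in trace_traffic(pairs).items():
            print(f"  {packet}: {'pass' if ok else 'DROPPED'}")
```

Run stand-alone, the script shows the pattern the poster saw with tcpdump: the instance emits the reply, but before the port-update only the packet sourced from the port's own address gets out; after the two allowed-address-pairs updates all three pass. With the legacy neutron client the update the answer refers to is `neutron port-update <port-id> --allowed-address-pairs type=dict list=true ip_address=10.40.43.0/24` on the net1 port (and the mirror image on the net2 port); check the resulting rules on the compute node rather than inside the instance, since that is where the answer says they are applied.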

All Replies
  • When you say "our private cloud", do you mean Rackspace Private Cloud powered by OpenStack? If yes, what version are you running?

  • Rackspace Private Cloud running Openstack with nova --version = 2.15.0

  • When you say "middle instance" do you mean a physical machine?

    (edit: scratch my last suggestion)

  • That's the version of OpenStack Nova Python Client, not the version of Rackspace Private Cloud. When you install Rackspace Private Cloud, you have to checkout a particular git branch/tag. Do you remember what branch/tag you checked out? That branch/tag will tell me what version of RPC you are working with.

    Also, have you enabled IPv4 Forwarding on the "middle machine"? It can be enabled with the following commands:

    echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    
    sysctl -w net.ipv4.ip_forward=1
  • Try 'knife cookbook list' on the controller.  The RPC version number should be able to be found this way.

    Please provide the full output, and we will parse through it.

  • No, all are instances inside of OpenStack on the same network but different subnets.

    So:

    vm1 nic  = 10.40.42.12
    vm2 nic1 = 10.40.42.11
        nic2 = 10.40.43.11
    vm3 nic  = 10.40.43.12

  • Don't remember off the top of my head but will edit this comment when I find it. Yes, IP forwarding is on.

  • WARNING: No knife configuration file found
    ERROR: ArgumentError: Cannot sign the request without a client name, check that :node_name is assigned

    I know I am on Havana... edit: (4.2.2)

  • Thanks.

    Some questions.

    First, what sort of networks are the OpenStack Instances attached to? Are they connected to Neutron Tenant Networks (or in other words, software defined networks)? If they are, then why not use a Neutron Router instead of this "middle machine"?

    Second, why are you using another OpenStack Instance as a router?

  • Yes, they are Neutron networks. This is research work and the scenario calls for instances to route through instances, not routers, so that's how it has to be set up.

  • What steps did you do on your computer and VirtualBox that successfully worked but are not working within RPC?

  • I did the exact same thing in all three.

    enable ip_forward

    stop iptables service (CentOS)

    route vm1 through vm2: route add -net 10.40.43.0 netmask 255.255.255.0 gw 10.40.42.11

    route vm3 through vm2: route add -net 10.40.42.0 netmask 255.255.255.0 gw 10.40.43.11

  • Troy,

    I was able to replicate your issue. I have not figured out why packets are not being forwarded properly.

    When you did the same setup on your laptop with VirtualBox, were you just using regular virtual machines, or were you using DevStack or some other OpenStack related thing?

    Also, you said this same setup worked on the "Rackspace's trial cloud". Can you clarify what that is? Do you mean the Rackspace Public Cloud?

  • Regular VirtualBox. Yes, I mean Rackspace Public Cloud.

    Interesting that you were able to replicate it. I had been hoping it was just a misconfiguration on my end, but with you replicating the issue that becomes less likely. If it worked on the public cloud then maybe it uses a different implementation than what we are using?

    Thanks for the help.
