Anyone can help???

On Thu, Sep 27, 2012 at 7:09 PM, Hieu Le <[email protected]> wrote:

> Hi (again),
>
> I have applied the patch for hairpin Nat with vrvm but here come another
> problems, CS always said "Fail to enable static NAT" each time I Nat public
> IP for VM.
>
> I also tried to upgrade to 3.0.4 and the problem hadn't gone away.
>
> In VRVM, the hairpin Nat rule were also disappeared.
>
> Please help!!!
>
> Sent from my HTC©
> On Sep 25, 2012 3:48 PM, "Jayapal Reddy Uradi" <
> [email protected]> wrote:
>
>>
>> There is no hair pin NAT related rule in the NAT table.
>> Hairpin NAT issue is fixed in 3.0.3.
>>
>> http://bugs.cloudstack.org/browse/CS-13500
>>
>> Thanks,
>> Jayapal
>>
>> -----Original Message-----
>> From: Hieu Le [mailto:[email protected]]
>> Sent: Tuesday, September 25, 2012 12:24 PM
>> To: [email protected]
>> Subject: Re: Problem with VM private IP
>>
>> Here is VR iptables rules:
>>
>> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t filter
>> Chain INPUT (policy DROP 124 packets, 9432 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1        0     0 ACCEPT     all  --  *      *      0.0.0.0/0            224.0.0.18
>> 2        0     0 ACCEPT     all  --  *      *      0.0.0.0/0            225.0.0.50
>> 3       38  3648 ACCEPT     all  --  eth0   *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 4    11168 1852K ACCEPT     all  --  eth1   *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 5        5   526 ACCEPT     all  --  eth2   *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 6      102  8520 ACCEPT     icmp --  *      *      0.0.0.0/0            0.0.0.0/0
>> 7        5   293 ACCEPT     all  --  lo     *      0.0.0.0/0            0.0.0.0/0
>> 8       29  9614 ACCEPT     udp  --  eth0   *      0.0.0.0/0            0.0.0.0/0            udp dpt:67
>> 9       23  1787 ACCEPT     udp  --  eth0   *      0.0.0.0/0            0.0.0.0/0            udp dpt:53
>> 10     629 37740 ACCEPT     tcp  --  eth1   *      0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3922
>> 11       0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
>> 12       0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
>>
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1        0     0 ACCEPT     all  --  eth0   eth1   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2        1    60 ACCEPT     all  --  eth2   eth0   0.0.0.0/0            10.1.1.118           state NEW
>> 3        3   164 ACCEPT     all  --  eth2   eth0   0.0.0.0/0            10.1.1.132           state NEW
>> 4       21  9986 ACCEPT     all  --  eth2   eth0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 5       29  1600 ACCEPT     all  --  eth0   eth2   0.0.0.0/0            0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT 280 packets, 48879 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>>
>>
>> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t nat
>> Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1        1    60 DNAT       all  --  eth2   *      0.0.0.0/0            192.168.3.120        to:10.1.1.118
>> 2        3   164 DNAT       all  --  eth2   *      0.0.0.0/0            192.168.3.115        to:10.1.1.132
>>
>> Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1        2    96 SNAT       all  --  *      eth2   10.1.1.132           0.0.0.0/0            to:192.168.3.115
>> 2        4   192 SNAT       all  --  *      eth2   10.1.1.118           0.0.0.0/0            to:192.168.3.120
>> 3        2   138 SNAT       all  --  *      eth2   0.0.0.0/0            0.0.0.0/0            to:192.168.3.116
>>
>> Chain OUTPUT (policy ACCEPT 2 packets, 138 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>>
>>
>> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t mangle
>> Chain PREROUTING (policy ACCEPT 543 packets, 44292 bytes)
>> num   pkts bytes target                 prot opt in     out    source               destination
>> 1      552  346K VPN_192.168.3.116      all  --  *      *      0.0.0.0/0            192.168.3.116
>> 2       13  5167 FIREWALL_192.168.3.120 all  --  *      *      0.0.0.0/0            192.168.3.120
>> 3       22  5571 FIREWALL_192.168.3.115 all  --  *      *      0.0.0.0/0            192.168.3.115
>> 4      118  5980 FIREWALL_192.168.3.116 all  --  *      *      0.0.0.0/0            192.168.3.116
>> 5    11705 1887K CONNMARK               all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
>> 6        1    60 MARK                   all  --  eth2   *      0.0.0.0/0            192.168.3.120        state NEW MARK set 0x2
>> 7        1    60 CONNMARK               all  --  eth2   *      0.0.0.0/0            192.168.3.120        state NEW CONNMARK save
>> 8      124 10012 MARK                   all  --  eth0   *      10.1.1.118           0.0.0.0/0            state NEW MARK set 0x2
>> 9      124 10012 CONNMARK               all  --  eth0   *      10.1.1.118           0.0.0.0/0            state NEW CONNMARK save
>> 10       3   164 MARK                   all  --  eth2   *      0.0.0.0/0            192.168.3.115        state NEW MARK set 0x2
>> 11       3   164 CONNMARK               all  --  eth2   *      0.0.0.0/0            192.168.3.115        state NEW CONNMARK save
>> 12      17  1445 MARK                   all  --  eth0   *      10.1.1.132           0.0.0.0/0            state NEW MARK set 0x2
>> 13      17  1445 CONNMARK               all  --  eth0   *      10.1.1.132           0.0.0.0/0            state NEW CONNMARK save
>>
>> Chain INPUT (policy ACCEPT 514 packets, 42811 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>>
>> Chain FORWARD (policy ACCEPT 54 packets, 11810 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>>
>> Chain OUTPUT (policy ACCEPT 231 packets, 42784 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>>
>> Chain POSTROUTING (policy ACCEPT 285 packets, 54594 bytes)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1       27  9270 CHECKSUM   udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill
>>
>> Chain FIREWALL_192.168.3.115 (1 references)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1       15  5203 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2        0     0 RETURN     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpts:1:65535
>> 3        5   248 RETURN     tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpts:1:65535
>> 4        2   120 RETURN     icmp --  *      *      0.0.0.0/0            0.0.0.0/0            icmp type 255
>> 5        0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0
>>
>> Chain FIREWALL_192.168.3.116 (1 references)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1        0     0 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2      118  5980 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0
>>
>> Chain FIREWALL_192.168.3.120 (1 references)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1        8  4903 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2        2   120 RETURN     icmp --  *      *      0.0.0.0/0            0.0.0.0/0            icmp type 255
>> 3        3   144 RETURN     tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpts:1:65535
>> 4        0     0 RETURN     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpts:1:65535
>> 5        0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0
>>
>> Chain VPN_192.168.3.116 (1 references)
>> num   pkts bytes target     prot opt in     out    source               destination
>> 1      434  340K ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2      118  5980 RETURN     all  --  *      *      0.0.0.0/0            0.0.0.0/0
>> root@r-17-VRDLAB:~#
>>
>>
>> On Tue, Sep 25, 2012 at 12:37 PM, Jayapal Reddy Uradi <
>> [email protected]> wrote:
>>
>> > Debug the traffic flow ... whether the traffic sent to VR guest
>> > network interface then public interface .
>> > Please share the VR iptables rules.
>> >
>> > Thanks,
>> > Jayapal
>> >
>> > -----Original Message-----
>> > From: Hieu Le [mailto:[email protected]]
>> > Sent: Tuesday, September 25, 2012 8:42 AM
>> > To: [email protected]
>> > Subject: Re: Problem with VM private IP
>> >
>> > Yep, I have read the admin guide and setup firewall rule + enable
>> > static NAT for all tested VM and still facing this problem.
>> >
>> > On Tue, Sep 25, 2012 at 10:01 AM, Ahmad Emneina
>> > <[email protected]> wrote:
>> >
>> > > Have you looked at the Administration Guide[1]? See page 75 and see
>> > > if that solves your connectivity issue. You still need to poke the
>> > > hole in the firewall and setup a NAT rule from within cloudstack.
>> > >
>> > > [1]:
>> > > http://download.cloud.com/releases/3.0.0/CloudStack3.0AdminGuide.pdf
>> > >
>> > > On 9/24/12 7:56 PM, "Hieu Le" <[email protected]> wrote:
>> > >
>> > > >Hi,
>> > > >
>> > > >The telnet packets are not reaching the telnet server VM.
>> > > >
>> > > >I'm using CS 3.0.2.
>> > > >
>> > > >Thanks for replying !
>> > > >
>> > > >On Mon, Sep 24, 2012 at 5:52 PM, Jayapal Reddy Uradi <
>> > > >[email protected]> wrote:
>> > > >
>> > > >> Using firewall and port forwarding rules only we can access the
>> > > >> VM services from the public network also from the VMs using the
>> > > >> Public IPs.
>> > > >> For you telnet from outside network success but from failed from
>> > > >> VM to VM using public IP.
>> > > >> Seems hair pin NAT got failed ...
>> > > >>
>> > > >> Please capture the packets on the telnet server VM to see whether
>> > > >> telnet packets are reaching or not ?
>> > > >>
>> > > >> Which version of cloudstack Is it ?
>> > > >>
>> > > >> Thanks,
>> > > >> Jayapal
>> > > >>
>> > > >> -----Original Message-----
>> > > >> From: Hieu Le [mailto:[email protected]]
>> > > >> Sent: Monday, September 24, 2012 3:39 PM
>> > > >> To: [email protected]
>> > > >> Subject: Problem with VM private IP
>> > > >>
>> > > >> Hi everyone,
>> > > >>
>> > > >> I have a problem while working with VM private IP. My Cloud
>> > > >> system run 2 VMs in advance zone with private IP is 10.1.1.20 and
>> > > >> 10.1.1.21 and VM NAT IP is 192.168.50.160 and 192.168.50.165.
>> > > >> From outside network, I can ping and telnet port 80 to both VMs
>> > > >> with public IPs. But from VM 10.1.1.21, I can't telnet to other
>> > > >> VM with its public IP.
>> > > >>
>> > > >> For details:
>> > > >> From VM1: 10.1.1.20 and 192.168.50.160.
>> > > >> ping 192.168.50.165 and ping 10.1.1.21 success
>> > > >> telnet 10.1.1.21 80 success
>> > > >> telnet 192.168.50.165 80 fail
>> > > >>
>> > > >> From VM2: 10.1.1.21 and 192.168.50.165
>> > > >> ping 192.168.50.160 and ping 10.1.1.20 success
>> > > >> telnet 10.1.1.20 success
>> > > >> telnet 192.168.50.160 80 fail
>> > > >>
>> > > >> And I can't telnet another ports with public IP.
>> > > >>
>> > > >> Can you suggest some solutions for me to telnet VM from another
>> > > >> VM via public IP.
>> > > >>
>> > > >> Thank !
>> > > >>
>> > > >
>> > > >--
>> > > >..:: Hieu LE ::..
>> > > >
>> > > >Class: Information System - Course 52
>> > > >School of Information and Communication Technology
>> > > >Hanoi University of Technology
>> > > >No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
>> > > >
>> > > >High Performance Computing Center
>> > > >Cloud Computing Group
>> > > >Gmail: [email protected]
>> > > >
>> > >
>> > > --
>> > > Æ
>> > >
>> >
>> > --
>> > ..:: Hieu LE ::..
>> >
>> > Class: Information System - Course 52
>> > School of Information and Communication Technology
>> > Hanoi University of Technology
>> > No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
>> >
>> > High Performance Computing Center
>> > Cloud Computing Group
>> > Gmail: [email protected]
>> >
>>
>> --
>> ..:: Hieu LE ::..
>>
>> Class: Information System - Course 52
>> School of Information and Communication Technology
>> Hanoi University of Technology
>> No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
>>
>> High Performance Computing Center
>> Cloud Computing Group
>> Gmail: [email protected]
>>
>

--
..:: Hieu LE ::..

Class: Information System - Course 52
School of Information and Communication Technology
Hanoi University of Technology
No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi

High Performance Computing Center
Cloud Computing Group
Gmail: [email protected]

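The check made in the thread by reading the nat table ("no hair pin NAT related rule") can be scripted. The following is an added example, not part of the original thread and not CloudStack code: it parses an `iptables -nL -v --line-numbers -t nat` listing and reports, for each static NAT mapping, which hairpin pieces are absent. Assumptions: eth2 is the public interface and eth0 the guest interface (inferred from the quoted listing), and the two pieces checked are the generic hairpin conditions (a guest-side DNAT plus a guest-side SNAT/MASQUERADE), which may not match the exact rule shapes CloudStack installs.

```python
import re

# Constructed sample: nat-table rows from the thread's listing, re-joined one rule per line.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
1 1 60 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.120 to:10.1.1.118
2 3 164 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.115 to:10.1.1.132

Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
1 2 96 SNAT all -- * eth2 10.1.1.132 0.0.0.0/0 to:192.168.3.115
2 4 192 SNAT all -- * eth2 10.1.1.118 0.0.0.0/0 to:192.168.3.120
3 2 138 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:192.168.3.116
"""

# Columns: num pkts bytes target prot opt in out source destination [extra]
RULE = re.compile(r"^\d+\s+\S+\s+\S+\s+(?P<target>\S+)\s+\S+\s+\S+\s+(?P<inif>\S+)"
                  r"\s+(?P<outif>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")

def parse_nat(listing):
    """Return one dict per rule, tagged with the chain it belongs to."""
    rules, chain = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif (m := RULE.match(line.strip())):
            rules.append({"chain": chain, **m.groupdict()})
    return rules

def missing_hairpin(rules, public_if="eth2", guest_if="eth0"):
    """Map each static-NAT public IP to (private IP, hairpin pieces not found)."""
    report = {}
    for r in rules:
        if (r["chain"], r["target"], r["inif"]) != ("PREROUTING", "DNAT", public_if):
            continue
        public_ip, private_ip = r["dst"], r["extra"].split("to:")[-1].strip()
        # Piece 1: the public IP must also be DNATed for packets arriving from guests.
        dnat = any(x["chain"] == "PREROUTING" and x["target"] == "DNAT"
                   and x["inif"] in (guest_if, "*") and x["dst"] == public_ip for x in rules)
        # Piece 2: source NAT towards the guest network, so replies go back via the router.
        snat = any(x["chain"] == "POSTROUTING" and x["target"] in ("SNAT", "MASQUERADE")
                   and x["outif"] == guest_if and x["dst"] in (private_ip, "0.0.0.0/0")
                   for x in rules)
        gaps = [name for name, ok in (("guest-side DNAT", dnat), ("guest-side SNAT", snat)) if not ok]
        if gaps:
            report[public_ip] = (private_ip, gaps)
    return report

if __name__ == "__main__":
    for ip, (priv, gaps) in missing_hairpin(parse_nat(NAT_LISTING)).items():
        print(f"{ip} -> {priv}: missing {', '.join(gaps)}")
```

On the listing from the thread, both static NAT mappings are reported with neither hairpin piece present, which matches the symptom described: VM-to-VM traffic to the public IP fails while access from outside works.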