Hi Vish et al. I still can't make head nor tail of it. ICMP works in both directions fine, but when I try to ssh out from the VM (even with the dmz_cidr flags) the SYN gets through un-snatted ok, then my desktop SYN-ACKs back, but the virt never gets to see it. Instead, the snat layer sends a RST.
I don't want any NAT at all. I just want the virts bridged on to the VLAN. Is there a way to do that?

Kind regards

-- joe.

On 9 November 2012 19:56, Vishvananda Ishaya <vishvana...@gmail.com> wrote:

> What is the ip address of your workstation? You may be running into
> something similar to this issue:
>
> http://lists.openstack.org/pipermail/openstack-dev/2012-September/001212.html
>
> I suspect either:
>
> a) Traffic not getting snatted when it should. This is usually due to
> overlapping ranges between your internal network and fixed_range
>
> this would be fixed by limiting fixed_range in your config file to just
> the instances range: (fixed_range=10.0.41.0/24 ?)
>
> or
>
> b) Traffic getting snatted when it shouldn't. This is usually because your
> workstation ip is on an ip that is internally routable but not routable
> from the external network of the compute host, so it can't get back to the
> snatted ip
>
> this is fixed by stopping snatting to the workstation by setting dmz_cidr
> to a value that includes your workstation network: (dmz_cidr=10.0.0.0/24?)
>
> Vish
>
> On Nov 9, 2012, at 9:14 AM, Joe Warren-Meeks <joe.warren.me...@gmail.com>
> wrote:
>
> Hi all,
>
> I've managed to get Openstack pretty much up and running as I wanted it. I
> do have, however, a rather strange networking issue.
>
> I created the network with
> nova-manage network create --fixed_range_v4=10.0.41.0/24 --num_networks=1
> --bridge=br41 --bridge_interface=eth0 --label=development
> --gateway=10.0.41.1 --dns1=10.0.0.2 --vlan=41 --project_id=XXXXXXX
>
> And I can boot instances fine. I've configured the default security group
> to allow port 22, 80 and ICMP -1 in and I can ping from my work station to
> the virtual instance ok:
>
> joe@kaneda:~$ ping 10.0.41.3
> PING 10.0.41.3 (10.0.41.3) 56(84) bytes of data.
> 64 bytes from 10.0.41.3: icmp_req=1 ttl=63 time=1.18 ms
>
> And I can ping from the virt back too:
> ubuntu@test:~$ ping 10.0.0.240
> PING 10.0.0.240 (10.0.0.240) 56(84) bytes of data.
> 64 bytes from 10.0.0.240: icmp_req=1 ttl=64 time=0.713 ms
>
>
> I can SSH out from the virt to a host in the outside world fine:
> ubuntu@test:~$ ssh joe@XXXXX
> joe@XXXXXX password:
> -bash: fortune: command not found
> joe@dixon:~ $
>
> BUT I can't ssh from the virt to my workstation, nor from my workstation
> to the Virt. Neither does http work.
>
> What I am seeing in Tcpdump is a lot of incorrect cksums. This happens
> with all Tcp connections.
>
> 17:12:38.539784 IP (tos 0x0, ttl 64, id 53611, offset 0, flags [DF], proto
> TCP (6), length 60)
> 10.0.0.240.56791 > 10.0.41.3.22: Flags [S], cksum 0x3e21 (incorrect ->
> 0x6de2), seq 2650163743, win 14600, options [mss 1460,sackOK,TS val
> 28089204 ecr 0,nop,wscale 6], length 0
>
>
> 17:12:38.585279 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
> (6), length 60)
> 10.0.41.3.22 > 10.0.0.240.56791: Flags [S.], cksum 0x3e21 (incorrect
> -> 0xe5c5), seq 1530502549, ack 3098447117, win 14480, options [mss
> 1460,sackOK,TS val 340493 ecr 28089204,nop,wscale 3], length 0
>
> Anyone come across this before?
>
> -- joe.
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
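Cases (a) and (b) from the quoted reply, as an added example that is not part of the thread or of nova's code: a simplified model of how nova-network's NAT rules treat a new flow leaving an instance, evaluated for different `fixed_range` and `dmz_cidr` settings. The rule order is an assumption about nova-network's iptables layout, and the wide `10.0.0.0/8` range and the `192.0.2.10` outside host are constructed values; the other addresses are the ones in the thread.

```python
from ipaddress import ip_address, ip_network


def snat_decision(src, dst, fixed_range, dmz_cidrs=()):
    """Model the NAT verdict for a new flow src -> dst on the network host.

    Assumed rule order (simplified): traffic from fixed_range to a dmz_cidr
    is accepted unchanged, traffic from fixed_range to fixed_range is accepted
    unchanged, and everything else from fixed_range is source-NATted.
    """
    src, dst = ip_address(src), ip_address(dst)
    fixed = ip_network(fixed_range)
    if src not in fixed:
        return "UNMATCHED"   # not instance traffic, these rules do not apply
    if any(dst in ip_network(dmz) for dmz in dmz_cidrs):
        return "ACCEPT"      # dmz_cidr exemption: source address kept
    if dst in fixed:
        return "ACCEPT"      # looks like instance-to-instance: source kept
    return "SNAT"            # source rewritten to the host's routing IP


def check_config(vm_ip, peer_ip, peer_net, fixed_range, dmz_cidrs=()):
    """Report the verdict for vm_ip -> peer_ip and flag range overlap (case a)."""
    overlap = ip_network(fixed_range).overlaps(ip_network(peer_net))
    return {
        "decision": snat_decision(vm_ip, peer_ip, fixed_range, dmz_cidrs),
        "fixed_range_overlaps_peer_net": overlap,
    }


if __name__ == "__main__":
    vm, ws, ws_net = "10.0.41.3", "10.0.0.240", "10.0.0.0/24"
    scenarios = {
        # constructed: fixed_range far wider than the instance network
        "wide fixed_range (case a)": ("10.0.0.0/8", ()),
        "fixed_range limited, no dmz_cidr (case b)": ("10.0.41.0/24", ()),
        "fixed_range limited, dmz_cidr set": ("10.0.41.0/24", ("10.0.0.0/24",)),
    }
    for name, (fixed_range, dmz) in scenarios.items():
        print(f"{name}: {check_config(vm, ws, ws_net, fixed_range, dmz)}")
```
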