Public bug reported:

First of all, I'm not really sure if this is a bug, or some sort of configuration error on our side. But I'm having issues with the port forwarding in neutron.

OpenStack Ussuri, running on Bionic
neutron-l3-agent 2:16.2.0-0ubuntu1~cloud0
openvswitch-switch 2.13.1-0ubuntu0.20.04.1~cloud0

My scenario:
- Create two networks (net1 and net2), and attach a router to each of them
- Create two VMs in net1, one in net2
- Attach a "plain" FIP to VM-1 and VM-3
- Create a FIP for the port forwarding, and create a port forwarding rule pointing to VM-2 (i.e. map FIP:80 to VM-2:8000)
- Log in to VM-2 and start listening to tcp 8000 with "python3 -m http.server 8000"

What I expect:
curl http://FIP:80 should give a response from VM-2:8000 from both VM-1, VM-3 and externally

What happens:
The port forwarding only works for VM-1. In other words, only between VMs in the same neutron network.

--

I've done some debugging with tcpdump on my network nodes within the netns of the qrouter. When I try to connect from either VM-3 or externally, I observe the packets arriving on the qrouter's external interface and they get dropped "somewhere". I've failed to understand/discover where and/or by what.

In the dumps, we have the following IP addresses. All FIPs are in 10.212.136.0/21:
VM-1 (net1): 192.168.0.92 (FIP: 10.212.143.126)
VM-2 (net1): 192.168.0.35 (No FIP, but port forwarding rule on 10.212.141.76 80->8000)
VM-3 (net2): 192.168.111.213 (FIP: 10.212.138.184)
Router of net1: 192.168.0.1 / 10.212.140.143

Iptables for the qrouter that hosts the FIP with port forwarding:
http://paste.openstack.org/show/805020/

tcpdump on the qrouter internal interface when doing "curl http://FIP" from VM-1 (this works, but is of course rather useless):
http://paste.openstack.org/show/805021/

tcpdump on the qrouter external interface when doing "curl http://FIP" from VM-3 (this is identical for connections from machines outside of our OpenStack environment - and no packets appear on the internal interface):
http://paste.openstack.org/show/805022/

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1927691

Title:
  Port forwarding does only work between VMs in the same neutron network

Status in neutron:
  New