Hello Jayapal, Setup details is that only 1 PC, with 1 network interface. eth1.
I add br0 to eth1, and br0:0 to eth1. br0 work as KVM tag for mgmt. add eth1.1200 as the public VLan, 1200 is public vlan tag, add eth1.1300 as the guest Vlan, 1300 is the guest vlan tag. add cloudVirBr1200 to eth1.1200, KVM tag for* public* is cloudVirBr1200 add cloudVirBr1300 to eth1.1300, KVM tag for private is cloudVirBr1300 Here is the IP ranges. http://pastebin.com/uZBpx0Lr Here is how the NIC and bridges configuration on the Computer. http://pastebin.com/86jRex72 Here is the result from the v-router. http://pastebin.com/dcDUuyP7 Thank you very much. On Mon, Jun 10, 2013 at 4:58 PM, Jayapal Reddy Uradi < jayapalreddy.ur...@citrix.com> wrote: > Hi, > > In advanced zone you can use openVswitch. > Please share setup details like hypervisor, public ip range. > > Did you deploy vm with default network offering ? > > Please share your below commands output on router via pastebin.com > Iptables -L -nv > Iptables -t nat -L -nv > Iptables -t mangle -L -nv > > Ifconfig > > Lets figure out is there any problem in cloudstack configuration. > > Thanks, > Jayapal > > -----Original Message----- > > From: wq meng [mailto:wqm...@gmail.com] > > Sent: Sunday, 9 June 2013 1:43 AM > > To: users@cloudstack.apache.org > > Subject: Re: allow outbound access by default on virtual routers > > > > Hello Jayapal, > > > > Seems the problem exist in CS4.1.0 too. > > > > And I have tried the same NAT rule, not work. > > iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth2 -j SNAT --to > > xxx.105.191.147 > > > > > > Should use OpenvSwich? Is the OpenvSwitch is recommend? > > > > > > Thanks > > > > > > On Sun, Jun 2, 2013 at 5:01 AM, wq meng <wqm...@gmail.com> wrote: > > > > > Hello Jayapal, > > > > > > I add a iptables rule > > > > > > iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth2 -j SNAT --to > > > xxx.105.191.147 > > > > > > And it seems works now. I can ping Google inside the Guest VM. > > > > > > > > > Just a few questions, Why in my VR-VM, it have eth3, eth4? Where > > > are they come from, in the interface file, there is not configuration > > > for eth3 and eth4 at all. > > > > > > Sometimes, I reboot the VR-VM, the eth4 is disappear, only left eth3, > > > but as you can know, it still not work, As eth3 is not a NIC at all. > > > > > > Then maybe the VR-VM have some buggy scripts when the VR-VM start , > > > and which mis-configuration the NICs and also the NAT rules for > VRouter? > > > > > > > > > As the CS4.1 will be release soon on Monday, I am not sure, if it > > > need spend more time to look deep. > > > > > > Thank you very much. > > > > > > > > > On Sat, Jun 1, 2013 at 6:38 PM, wq meng <wqm...@gmail.com> wrote: > > > > > >> Hello, > > >> > > >> Sorry for the delay, > > >> > > >> Here is the NAT table. Please check. > > >> The xxx.105.191.147 IP is the public IP for the VRouter-VM. > > >> > > >> root@r-6-VM:~# iptables -t nat -L -nv Chain PREROUTING (policy ACCEPT > > >> 258 packets, 13822 bytes) > > >> pkts bytes target prot opt in out source > > >> destination > > >> > > >> Chain POSTROUTING (policy ACCEPT 4 packets, 532 bytes) > > >> pkts bytes target prot opt in out source > > >> destination > > >> 0 0 SNAT all -- * eth3 0.0.0.0/0 > > >> 0.0.0.0/0 to:xxx.105.191.147 > > >> 0 0 SNAT all -- * eth4 0.0.0.0/0 > > >> 0.0.0.0/0 to:xxx.105.191.147 > > >> > > >> Chain OUTPUT (policy ACCEPT 3 packets, 448 bytes) > > >> pkts bytes target prot opt in out source > > >> destination > > >> > > >> root@r-6-VM:~# > > >> > > >> > > >> Thanks a lot. > > >> > > >> > > >> On Mon, May 27, 2013 at 1:09 PM, Jayapal Reddy Uradi < > > >> jayapalreddy.ur...@citrix.com> wrote: > > >> > > >>> From the packet captures on eth2, the vm IP seems to be not NATed. > > >>> 13:39:41.991966 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id > > >>> 56879, seq 126, length 64 > > >>> > > >>> Can you also share iptables -t nat -L -nv output. > > >>> > > >>> Thanks, > > >>> Jayapal > > >>> > > >>> > -----Original Message----- > > >>> > From: wq meng [mailto:wqm...@gmail.com] > > >>> > Sent: Friday, 24 May 2013 7:13 PM > > >>> > To: users@cloudstack.apache.org > > >>> > Subject: Re: allow outbound access by default on virtual routers > > >>> > > > >>> > Hello Jayapal > > >>> > > > >>> > > > >>> > > > >>> > > > >>> > I ping google.com on the Guest VM, > > >>> > > > >>> > Here is the dump data from the router - VM. > > >>> > > > >>> > Please review. > > >>> > > > >>> > And the 2.*.2 is public IP, which I replace to the real ip. > > >>> > > > >>> > > > >>> > Thank you very much. > > >>> > > > >>> > > > >>> > > > >>> > > > >>> > root@r-7-VM:~# > > >>> > root@r-7-VM:~# tcpdump -i eth0 -nq > > >>> > tcpdump: verbose output suppressed, use -v or -vv for full > > >>> > protocol > > >>> decode > > >>> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 > > >>> bytes > > >>> > 13:38:52.979198 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 77, length 64 > > >>> > 13:38:53.979203 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 78, length 64 > > >>> > 13:38:54.979205 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 79, length 64 > > >>> > 13:38:55.978182 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 80, length 64 > > >>> > 13:38:56.979188 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 81, length 64 > > >>> > 13:38:57.979299 ARP, Request who-has 10.1.1.1 tell 10.1.1.4, > > >>> > length 28 > > >>> > 13:38:57.979307 ARP, Reply 10.1.1.1 is-at 02:00:00:b1:00:05, > > >>> > length 28 > > >>> > 13:38:57.979315 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 82, length 64 > > >>> > 13:38:58.979250 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 83, length 64 > > >>> > 13:38:59.979297 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 84, length 64 > > >>> > 13:39:00.979313 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 85, length 64 > > >>> > 13:39:01.978311 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 86, length 64 > > >>> > 13:39:02.979282 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 87, length 64 > > >>> > 13:39:03.979323 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 88, length 64 > > >>> > 13:39:04.979315 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 89, length 64 > > >>> > 13:39:05.979364 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 90, length 64 > > >>> > 13:39:06.979420 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 91, length 64 > > >>> > 13:39:07.978421 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 92, length 64 > > >>> > 13:39:08.978432 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 93, length 64 > > >>> > 13:39:09.979447 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 94, length 64 > > >>> > 13:39:10.979437 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 95, length 64 > > >>> > 13:39:11.979474 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 96, length 64 > > >>> > 13:39:12.979473 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 97, length 64 > > >>> > 13:39:13.978525 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 98, length 64 > > >>> > 13:39:14.978535 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 99, length 64 > > >>> > 13:39:15.979562 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 100, length 64 > > >>> > 13:39:16.979575 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 101, length 64 > > >>> > 13:39:17.979602 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 102, length 64 > > >>> > 13:39:18.979584 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 103, length 64 > > >>> > 13:39:19.988541 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 104, length 64 > > >>> > 13:39:20.988615 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 105, length 64 > > >>> > 13:39:21.988598 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 106, length 64 > > >>> > 13:39:22.989582 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 107, length 64 > > >>> > 13:39:23.989666 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 108, length 64 > > >>> > 13:39:24.989695 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 109, length 64 > > >>> > 13:39:25.989725 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 110, length 64 ^C > > >>> > 36 packets captured > > >>> > 36 packets received by filter > > >>> > 0 packets dropped by kernel > > >>> > root@r-7-VM:~# tcpdump -i eth2 -nq > > >>> > tcpdump: verbose output suppressed, use -v or -vv for full > > >>> > protocol > > >>> decode > > >>> > listening on eth2, link-type EN10MB (Ethernet), capture size 65535 > > >>> bytes > > >>> > 13:39:38.380208 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:38.982570 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:38.987877 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:38.991937 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 123, length 64 > > >>> > 13:39:39.194709 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:39.599296 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:39.904508 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:39.991931 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 124, length 64 > > >>> > 13:39:40.417287 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:40.730305 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:40.982552 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:40.991980 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 125, length 64 > > >>> > 13:39:41.337501 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:41.437224 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:41.991966 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 126, length 64 > > >>> > 13:39:42.903756 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:42.982539 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:42.992996 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 127, length 64 > > >>> > 13:39:43.682772 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:43.993009 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 128, length 64 > > >>> > 13:39:44.502714 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:44.509679 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:44.585413 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:44.982554 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:44.993017 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 129, length 64 > > >>> > 13:39:45.160097 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:45.215168 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:45.318277 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:45.325738 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:45.421375 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:45.826574 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:45.928821 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:45.930246 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:45.993039 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 130, length 64 > > >>> > 13:39:46.030400 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:46.031609 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:46.349636 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:46.439927 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:46.486265 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:46.541822 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:46.850884 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:46.952230 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:46.982553 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:46.993050 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 131, length 64 > > >>> > 13:39:47.051629 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:47.154197 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:47.155893 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:47.258228 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:47.459210 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:47.561218 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:47.970622 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:47.971612 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:47.993074 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 132, length 64 > > >>> > 13:39:48.380271 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:48.381173 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:48.581498 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:48.890259 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:48.982519 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:48.994081 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 133, length 64 > > >>> > 13:39:49.290934 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:49.302649 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:49.433752 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:49.812965 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:49.994099 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 134, length 64 > > >>> > 13:39:50.014695 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:50.118276 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:50.933507 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:50.934227 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:50.982526 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:50.994092 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 135, length 64 > > >>> > 13:39:51.643878 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:51.848044 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:51.994151 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 136, length 64 > > >>> > 13:39:52.452001 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:39:52.453417 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:39:52.982496 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:52.994150 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 137, length 64 > > >>> > 13:39:53.994171 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 138, length 64 > > >>> > 13:39:54.982573 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:54.994188 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 139, length 64 > > >>> > 13:39:55.995186 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 140, length 64 > > >>> > 13:39:56.982561 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:56.995215 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 141, length 64 > > >>> > 13:39:57.991661 ARP, Request who-has 2.*.2.1 tell 2.*.2.25, length > > >>> > 28 > > >>> > 13:39:57.992092 ARP, Reply 2.*.2.1 is-at 5c:5e:ab:da:b9:c0, length > > >>> > 42 > > >>> > 13:39:57.995220 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 142, length 64 > > >>> > 13:39:58.982566 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:39:58.995244 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 143, length 64 > > >>> > 13:39:59.995280 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 144, length 64 > > >>> > 13:40:00.417613 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:00.982547 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:40:00.995274 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 145, length 64 > > >>> > 13:40:01.170853 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:01.996303 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 146, length 64 > > >>> > 13:40:02.074725 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:02.359140 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:40:02.982500 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:40:02.985123 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:02.996303 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 147, length 64 > > >>> > 13:40:03.186378 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:40:03.417268 ARP, Request who-has 2.*.2.20 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:03.699414 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:03.996329 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 148, length 64 > > >>> > 13:40:03.998677 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:40:04.301363 ARP, Request who-has 2.*.2.20 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:04.432828 ARP, Request who-has 2.*.2.115 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:40:04.435467 ARP, Request who-has 2.*.2.23 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:04.820262 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:40:04.920378 ARP, Request who-has 2.*.2.20 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:04.982690 STP 802.1d, Config, Flags [none], bridge-id > > >>> > 8000.00:25:90:a4:98:3e.8004, length 35 > > >>> > 13:40:04.996336 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, > > >>> > id > > >>> 56879, > > >>> > seq 149, length 64 > > >>> > 13:40:05.124674 ARP, Request who-has 2.*.2.23 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:05.124678 ARP, Request who-has 2.*.2.115 tell 2.*.2.1, > > >>> > length 42 > > >>> > 13:40:05.399662 ARP, Request who-has 2.*.2.12 tell 2.*.2.1, length > > >>> > 42 > > >>> > 13:40:05.429940 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, > > >>> > length 42 > > >>> ^C > > >>> > 115 packets captured > > >>> > 115 packets received by filter > > >>> > 0 packets dropped by kernel > > >>> > root@r-7-VM:~# > > >>> > > > >>> > > > >>> > On Fri, May 24, 2013 at 12:55 PM, Jayapal Reddy Uradi > > >>> > <jayapalreddy.ur...@citrix.com> wrote: > > >>> > > Iptables rules are looking fine. > > >>> > > Can you please do the following. > > >>> > > 1. ping google.com from vm > > >>> > > 2. run the tcpdump command on the router eth0, eth2 and see the > > >>> > packets are reaching to guest interface > > >>> > > tcpdump -i eth0 -nq > > >>> > > tcpdump -i eth2 -nq > > >>> > > > > >>> > > If guest vm icmp packets are not reaching to eth0 and eth2 then > > >>> there is > > >>> > issue in your network setup. > > >>> > > > > >>> > > Thanks, > > >>> > > Jayapal > > >>> > > > > >>> > > > > >>> > >> -----Original Message----- > > >>> > >> From: wq meng [mailto:wqm...@gmail.com] > > >>> > >> Sent: Friday, 24 May 2013 1:27 AM > > >>> > >> To: users@cloudstack.apache.org > > >>> > >> Subject: Re: allow outbound access by default on virtual > > >>> > >> routers > > >>> > >> > > >>> > >> Hello, > > >>> > >> > > >>> > >> Have you tried this and get this to work? > > >>> > >> > > >>> > >> I think I have the same problem just can not get the Guest VM > > >>> > >> to access outbound by the V-router vm. > > >>> > >> > > >>> > >> my guest NIC is eth0, the public NIC is eth2. > > >>> > >> > > >>> > >> Here is the default rules in the Router VM. How to apply the > > >>> > >> rules to get the Guest VM can access outbound? > > >>> > >> > > >>> > >> Could you help me to show how? I have tried many times, just > no > > >>> luck of > > >>> > it. > > >>> > >> > > >>> > >> Thank you very much. > > >>> > >> > > >>> > >> > > >>> > >> root@r-7-VM:~# cat /etc/iptables/rules > > >>> > >> > > >>> > >> > > >>> > >> # Licensed to the Apache Software Foundation (ASF) under one # > > >>> > >> or more contributor license agreements. See the NOTICE file # > > >>> > >> distributed with this work for additional information # > > >>> > >> regarding copyright ownership. The ASF licenses this file # to > > >>> > >> you under the Apache License, Version 2.0 (the # "License"); > > >>> > >> you may not use this > > >>> file > > >>> > except in compliance # with the License. > > >>> > >> You may obtain a copy of the License at # > > >>> > >> # http://www.apache.org/licenses/LICENSE-2.0 > > >>> > >> # > > >>> > >> # Unless required by applicable law or agreed to in writing, # > > >>> > >> software distributed under the License is distributed on an # > > >>> > >> "AS > > >>> IS" > > >>> > >> BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, > > either > > >>> > express or implied. > > >>> > >> See the License for the # specific language governing > > >>> > >> permissions > > >>> and > > >>> > >> limitations # under the License. > > >>> > >> > > >>> > >> *nat > > >>> > >> :PREROUTING ACCEPT [0:0] > > >>> > >> :POSTROUTING ACCEPT [0:0] > > >>> > >> :OUTPUT ACCEPT [0:0] > > >>> > >> COMMIT > > >>> > >> *filter > > >>> > >> :INPUT DROP [0:0] > > >>> > >> :FORWARD DROP [0:0] > > >>> > >> :OUTPUT ACCEPT [0:0] > > >>> > >> -A INPUT -d 224.0.0.18/32 -j ACCEPT -A INPUT -d 225.0.0.50/32 > > >>> > >> -j ACCEPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED > > >>> > >> -j ACCEPT -A INPUT -i > > >>> > >> eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i > > >>> > >> eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p > > >>> > >> icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -p udp > > >>> > >> -m udp --dport 67 -j ACCEPT -A INPUT -i eth0 -p udp -m udp > > >>> > >> --dport 53 -j ACCEPT -A INPUT -i eth1 -p tcp -m state --state > > >>> > >> NEW --dport 3922 -j ACCEPT -A INPUT -i eth0 -p tcp -m state -- > > >>> > >> state NEW --dport 8080 -j ACCEPT -A INPUT -i eth0 -p tcp -m > > >>> > >> state --state NEW --dport 80 -j ACCEPT -A FORWARD -i eth0 -o > > >>> > >> eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD > > >>> > >> -i eth0 -o eth2 -j ACCEPT > > >>> -A > > >>> > >> FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j > > >>> > >> ACCEPT -A FORWARD -i eth0 -o eth0 -m state --state NEW -j > > >>> > >> ACCEPT -A FORWARD -i > > >>> > >> eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT > > >>> > >> COMMIT *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] > > >>> > >> :FORWARD > > >>> > ACCEPT > > >>> > >> [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A > > >>> > >> PREROUTING > > >>> > -m > > >>> > >> state --state ESTABLISHED,RELATED -j CONNMARK -- restore-mark > > >>> > >> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM -- > > >>> > >> checksum-fill > > >>> > COMMIT > > >>> > >> > > >>> > >> > > >>> > >> root@r-7-VM:~# ifconfig > > >>> > >> > > >>> > >> > > >>> > >> On Mon, May 20, 2013 at 5:29 PM, Jayapal Reddy Uradi > > >>> > >> <jayapalreddy.ur...@citrix.com> wrote: > > >>> > >> > > > >>> > >> > Currently we don't have the configurable option. > > >>> > >> > > > >>> > >> > 1. You can add egress rule on network with protocol 'all' to > > >>> > >> > allow all > > >>> > >> outbound traffic once the network is created. > > >>> > >> > > > >>> > >> > 2. If you want to allow traffic by default when ever router > > >>> > >> > is created One work around will be add the below line into > > >>> > >> > the iptables-router file > > >>> > >> after the this line -I FW_OUTBOUND -m state --state > > >>> > RELATED,ESTABLISHED > > >>> > >> -j ACCEPT > > >>> > >> > > > >>> > >> > -A FW_OUTBOUND -j ACCEPT > > >>> > >> > > > >>> > >> > > > >>> > >> > Thanks, > > >>> > >> > Jayapal > > >>> > >> > > > >>> > >> > > > >>> > >> > On 20-May-2013, at 2:18 PM, Len Bellemore > > >>> > >> <len.bellem...@controlcircle.com> wrote: > > >>> > >> > > > >>> > >> >> Hi Guys > > >>> > >> >> > > >>> > >> >> Anyone know if it's possible to change some of the default > > >>> options > > >>> > >> >> on a > > >>> > >> virtual router, so that every time it gets created it has > > >>> particular rules? > > >>> > >> >> > > >>> > >> >> My main issue is that I want to allow outbound access by > > >>> > >> >> default to every > > >>> > >> account. > > >>> > >> >> > > >>> > >> >> Thanks > > >>> > >> >> Len > > >>> > >> >> > > >>> > >> > > > >>> > > >> > > >> > > > >
