<div dir="ltr">Goodmorning guys,<div>I tried as you said by I have serious problems to connect to Instances.</div><div><br></div><div>I tried to do this:</div><div>- give each compute node a fixed ip on network <a href="http://10.42.1.0/24">10.42.1.0/24</a> on port eth0;<br></div><div>- give each compute node a fixed ip on network <a href="http://10.42.2.0/24">10.42.2.0/24</a> on port eth1 (through the br-ex)</div><div><br></div><div>I put everything on eth1 with vxlan, this is my configuration:</div><div><div> CONFIG_NOVA_COMPUTE_PRIVIF=eth1</div><div> CONFIG_NOVA_NETWORK_PUBIF=eth1</div><div> CONFIG_NOVA_NETWORK_PRIVIF=eth1</div><div> CONFIG_NOVA_NETWORK_FIXEDRANGE=<a href="http://10.0.2.0/24">10.0.2.0/24</a></div><div> CONFIG_NOVA_NETWORK_FLOATRANGE=<a href="http://10.42.42.0/24">10.42.42.0/24</a></div><div> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex</div><div> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan</div><div> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan</div><div> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100</div><div> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=</div><div> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=</div><div> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=</div><div> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1</div></div><div><br></div><div>So I launched this network configuration:</div><div><div>neutron net-create private</div><div>neutron subnet-create private <a href="http://10.42.2.0/24">10.42.2.0/24</a> --name private-subnet</div></div><div><div>neutron net-create public --router:external=True</div><div>neutron subnet-create public <a href="http://10.42.42.0/24">10.42.42.0/24</a> --name public-subnet --enable_dhcp=False --allocation-pool=start=10.42.42.100,end=10.42.42.200 --gateway=10.42.42.1</div></div><div><div>neutron router-create public-router</div><div>neutron router-gateway-set public-router public</div><div>neutron router-interface-add public-router private-subnet</div></div><div><div>neutron security-group-rule-create --protocol icmp default</div><div>neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 default</div></div><div><br></div><div>The dashboard says that the gateway of router is on 10.42.42.100 and the port is down.</div><div><br></div><div>Please help me! :(</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-02-22 9:03 GMT+01:00 Dan Sneddon <span dir="ltr"><<a href="mailto:dsneddon@redhat.com" target="_blank">dsneddon@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br> Hash: SHA1<br> <br> </span><span class="">On 02/21/2015 01:27 PM, Pasquale Salza wrote:<br> > I have a question. If I want to add any public network, do I need<br> > to statically assign every compute node to the same network on one<br> > of the interfaces? I mean, in order to access to VMs which have the<br> > floating IP on that network.<br> ><br> > For example, having the VMs on <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a><br> </span>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> external network and compute nodes with<br> <span class="">> interfaces assigned with different networks.<br> ><br> > Il 21/feb/2015 21:34 "Dan Sneddon" <<a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a><br> </span><span class="">> <mailto:<a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a>>> ha scritto:<br> ><br> > On 02/21/2015 12:14 AM, Pasquale Salza wrote:<br> >> Thank you! Yes you were right, I meant to chose 6 VMs and give<br> >> them 6 IPs. I forgot the router IP.<br> ><br> >> Is there any problem in not giving direct internet access to<br> >> machines, but using IP forwarding on controller?<br> ><br> >> Il 21/feb/2015 01:35 "Dan Sneddon" <<a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a><br> > <mailto:<a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a>><br> </span>>> <mailto:<a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a> <mailto:<a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a>>>> ha<br> <div><div class="h5">>> scritto:<br> ><br> >> On 02/20/2015 03:29 PM, Pasquale Salza wrote:<br> >>> Whops! I figured out just few seconds after I sent the mail!<br> >>> Ok, tomorrow I'll try with it. :) I'd like to share how I want<br> >>> to organise my network in order to get some advices.<br> ><br> >>> Let's say I have 7 machines and 7 spare IPs on the network<br> >>> <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> which are also associated to<br> >>> 7 public (internet) IPs.<br> ><br> >>> I'd like to reserve 6 IPs for 6 VMs I could instanciate on<br> >>> OpenStack.<br> ><br> >>> So I planned to do this: the controller node has a static IP<br> >>> on eth0 of the 7 in <a href="http://172.16.58.50/24" target="_blank">172.16.58.50/24</a> <<a href="http://172.16.58.50/24" target="_blank">http://172.16.58.50/24</a>><br> > <<a href="http://172.16.58.50/24" target="_blank">http://172.16.58.50/24</a>><br> >> <<a href="http://172.16.58.50/24" target="_blank">http://172.16.58.50/24</a>> network<br> >>> so as I can access it from outside. I add an alias eth0:0 with<br> >>> which I connect the controller to the Management network of<br> >>> OpenStack, the <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>><br> >>> <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>><br> >> <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>> network. Also on<br> >>> the controller, I set statically the IP for eth1 with one of<br> >>> float IPs network <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>><br> > <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>><br> >> <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>> network. With<br> >>> iptables, I add the rule of forwarding everithing on eth0 and<br> >>> eth1, so the other nodes can get Internet access on network<br> >>> <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>> <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>><br> > <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>>.<br> ><br> >>> On the compute nodes I set eth0 as one of IPs on <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a><br> > <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>><br> >> <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>><br> >>> <<a href="http://10.0.1.0/24" target="_blank">http://10.0.1.0/24</a>> management network and eth1 as one on<br> >>> <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>> <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>><br> > <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>>.<br> ><br> >>> Om each node I put the bridge on eth1.<br> ><br> >>> With RDO I put virtualisation and tunneling only on eth1.<br> ><br> >>> When the installatation has finished, I create a private<br> >>> neutron network <a href="http://10.100.0.0/16" target="_blank">10.100.0.0/16</a> <<a href="http://10.100.0.0/16" target="_blank">http://10.100.0.0/16</a>><br> >>> <<a href="http://10.100.0.0/16" target="_blank">http://10.100.0.0/16</a>><br> >> <<a href="http://10.100.0.0/16" target="_blank">http://10.100.0.0/16</a>> and two public<br> >>> networks of floating IPs. The first is <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a><br> > <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>><br> >> <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>><br> >>> <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>> for any kind of VM. The other is the<br> >>> <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> network, limited to the 6<br> >>> available IPs with which I can put virtual machines on<br> >>> Internet.<br> ><br> >>> Does it make sense or I'm doing some mistakes? Do you have any<br> >>> other idea?<br> ><br> >>> Thank you very much indeed!<br> ><br> >>> Pasquale<br> ><br> >>> On 02/20/2015 02:07 PM, Pasquale Salza wrote:<br> >>>> Hi Rhys, I suppose so, because these are my iptables rules:<br> ><br> >>>> iptables -F iptables -t nat -F iptables -P INPUT ACCEPT<br> >>>> iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT<br> >>>> iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> -m<br> >>> state --state<br> >>>> ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -d<br> >>>> <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p tcp --dport ssh -j ACCEPT<br> >>>> iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p tcp --dport www<br> >>>> -j ACCEPT iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p tcp --dport pptp -j ACCEPT<br> >>>> iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p tcp --sport<br> >>>> domain -j ACCEPT iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p tcp --dport domain -j ACCEPT<br> >>>> iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p udp --sport<br> >>>> domain -j ACCEPT iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p udp --dport domain -j ACCEPT<br> >>>> iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p gre -j ACCEPT<br> >>>> iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -p icmp<br> >>>> -j ACCEPT iptables -A INPUT -d <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> -j DROP iptables -t nat -A<br> >>>> POSTROUTING -o eth0 -j MASQUERADE service iptables save<br> ><br> >>>> Firstly, do you think I planned the network organisation<br> >>>> well? Do you have other suggestion (best practices) with 2<br> >>>> interfaces?<br> ><br> ><br> >>>> 2015-02-20 18:30 GMT+01:00 Rhys Oxenham <<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a><br> > <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>><br> >> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>>><br> >>> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>><br> > <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>>>><br> >>>> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>><br> > <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>>><br> >> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>><br> > <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> <mailto:<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>>>>>>:<br> ><br> >>>> Hi Pasquale,<br> ><br> >>>> Did you modify your security group rules to allow ICMP<br> >>>> and/or 22:tcp access?<br> ><br> >>>> Many thanks Rhys<br> ><br> >>>>> On 20 Feb 2015, at 17:11, Pasquale Salza<br> >>>>> <<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> > <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> > <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>><br> >> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> >> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>>><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> > <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>>>>><br> >>> wrote:<br> >>>>><br> >>>>> Hi there, I have a lot of problems with RDO/OpenStack<br> >>>> configuration. Firstly, I need to describe my network<br> >>>> situation.<br> >>>>><br> >>>>> I have 7 machine, each of them with 2 NIC. I would like to<br> >>>>> use one<br> >>>> machine as a controller/network node and the others as<br> >>>> compute nodes.<br> >>>>><br> >>>>> I would like to use the eth0 to connect nodes to internet<br> >>>>> (and get<br> >>>> access by remote sessions) with the network "<a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >>>> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>>", in which I have just 7 available<br> >>>> IPs, and eth1 as configuration network on the network<br> >>>> <a href="http://10.42.100.0/42" target="_blank">10.42.100.0/42</a> <<a href="http://10.42.100.0/42" target="_blank">http://10.42.100.0/42</a>><br> >> <<a href="http://10.42.100.0/42" target="_blank">http://10.42.100.0/42</a>><br> >>> <<a href="http://10.42.100.0/42" target="_blank">http://10.42.100.0/42</a>><br> >>>> <<a href="http://10.42.100.0/42" target="_blank">http://10.42.100.0/42</a>>.<br> >>>>><br> >>>>> This is my current configuration, for each node (varying<br> >>>>> the IPs<br> >>>> on each machine):<br> >>>>><br> >>>>> eth0: DEVICE=eth0 TYPE=Ethernet ONBOOT=yes<br> >>>>> BOOTPROTO=static IPADDR=172.16.58.50 NETMASK=255.255.255.0<br> >>>>> GATEWAY=172.16.58.254 DNS1=172.16.58.50 DOMAIN=###<br> >>>>> DEFROUTE="yes"<br> >>>>><br> >>>>> eth1: DEVICE=eth1 TYPE=OVSPort DEVICETYPE=ovs<br> >>>>> OVS_BRIDGE=br-ex ONBOOT=yes<br> >>>>><br> >>>>> br-ex: DEVICE=br-ex DEVICETYPE=ovs TYPE=OVSBridge<br> >>>>> BOOTPROTO=static IPADDR=10.42.100.1 NETMASK=255.255.255.0<br> >>>>> ONBOOT=yes<br> >>>>><br> >>>>> I'd like to have instances on <a href="http://10.42.200.0/24" target="_blank">10.42.200.0/24</a><br> > <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >>>>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >>>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>> virtual private network and the<br> >>>> remaining IPs of <a href="http://10.42.100.0/24" target="_blank">10.42.100.0/24</a> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> > <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >>>> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >>> network as floating<br> >>>> IPs.<br> >>>>><br> >>>>> These are the relevant parts of my answers.txt file:<br> >>>>><br> >>>>> CONFIG_CONTROLLER_HOST=10.42.100.1<br> >>>>><br> ><br> ><br> ><br> > CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15<br> ><br> ><br> ><br> ><br> >>>> CONFIG_NETWORK_HOSTS=10.42.100.1<br> >>>>> CONFIG_AMQP_HOST=10.42.100.1<br> >>>>> CONFIG_MARIADB_HOST=10.42.100.1<br> >>>>> CONFIG_NOVA_COMPUTE_PRIVIF=eth1<br> >>>>> CONFIG_NOVA_NETWORK_PUBIF=eth1<br> >>>>> CONFIG_NOVA_NETWORK_PRIVIF=eth1<br> >>>>> CONFIG_NOVA_NETWORK_FIXEDRANGE=<a href="http://10.42.200.0/24" target="_blank">10.42.200.0/24</a><br> > <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >>>>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >>>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >>>>> CONFIG_NOVA_NETWORK_FLOATRANGE=<a href="http://10.42.100.0/24" target="_blank">10.42.100.0/24</a><br> > <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >>>>> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >>>> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >>>>> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex<br> >>>>> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan<br> >>>>> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan<br> >>>>> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100<br> >>>>> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=<br> >>>>> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=<br> >>>>> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=<br> >>>>> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1<br> >>>>><br> >>>>> After the installation, I configure the network like this:<br> >>>>><br> >>>>> neutron router-create router neutron net-create private<br> >>>>> neutron subnet-create private <a href="http://10.42.200.0/24" target="_blank">10.42.200.0/24</a><br> > <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >>>>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>><br> >>>> <<a href="http://10.42.200.0/24" target="_blank">http://10.42.200.0/24</a>> --name private-subnet<br> >>>>> neutron router-interface-add router private-subnet neutron<br> >>>>> net-create public --router:external=True neutron<br> >>>>> subnet-create public <a href="http://10.42.100.0/24" target="_blank">10.42.100.0/24</a><br> >>>>> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> > <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>><br> >>>> <<a href="http://10.42.100.0/24" target="_blank">http://10.42.100.0/24</a>> --name public-subnet<br> >>>> --enable_dhcp=False --allocation-pool<br> >>>> start=10.42.100.100,end=10.42.100.200 --no-gateway<br> >>>>> neutron router-gateway-set router public<br> >>>>><br> >>>>> I'm able to launch instances but I can't get access<br> >>>>> (ping/ssh) to<br> >>>> them.<br> >>>>><br> >>>>> I don't know if I'm doing something wrong starting from<br> >>>>> planning.<br> >>>>><br> >>>>> Please, help me!<br> >>>>><br> >>>>> _______________________________________________ Rdo-list<br> >>>>> mailing list <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br> >>>>> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br> >>>>> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>><br> >> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br> > <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>>><br> >>> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br> > <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>><br> >> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br> > <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>>>><br> >>>>> <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br> >>>>><br> >>>>> To unsubscribe: <a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>><br> >>> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>>><br> >>>> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>><br> >>> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>>>><br> ><br> ><br> ><br> ><br> >>>> -- Pasquale Salza<br> ><br> >>>> e-mail: <a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>>><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a><br> >>> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>>>>><br> >>>> phone: <a href="tel:%2B39%20393%204415978" value="+393934415978">+39 393 4415978</a> <tel:%2B39%20393%204415978><br> > <tel:%2B39%20393%204415978><br> >> <tel:%2B39%20393%204415978> fax: +39 089<br> >>> 8422939 <tel:%2B39%20089%208422939> skype: pasquale.salza<br> >>>> linkedin: <a href="http://it.linkedin.com/in/psalza/" target="_blank">http://it.linkedin.com/in/psalza/</a><br> ><br> ><br> >>>> _______________________________________________ Rdo-list<br> >>>> mailing list <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br> >>>> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br> > <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>><br> >> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br> > <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>>><br> >>>> <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br> ><br> >>>> To unsubscribe: <a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>><br> >>> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>>><br> ><br> ><br> </div></div><span class="">>>> Those look like the iptables rule on the hypervisor. Rhys is<br> >>> talking about the Neutron security group rules. By default,<br> >>> ssh into VMs is not allowed. You need to permit ICMP and SSH in<br> >>> the security rules on the neutron network.<br> ><br> >>> I don't see anything wrong with your network architecture at<br> >>> first glance, but floating IPs can be tricky at first. Start<br> >>> with basic VM-to-VM connectivity and add on from there.<br> ><br> >>> Good luck!<br> ><br> ><br> >>> _______________________________________________ Rdo-list<br> >>> mailing list <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br> > <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>><br> </span><span class="">>> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br> > <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>>>><br> >>> <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br> ><br> >>> To unsubscribe: <a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>><br> >>> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br> >> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br> > <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>>>><br> ><br> </span><div><div class="h5">>> That sounds like it should work, but one of those 6 IP addresses<br> >> will need to be used for the Neutron router (that IP will be<br> >> used for SNAT for VMs that have no floating IP).<br> ><br> >> I'm not sure what you mean when you say "I'd like to reserve 6<br> >> IPs for 6 VMs I could instanciate on OpenStack." You can<br> >> instantiate more than one VM on each compute node, and if you<br> >> have 6 compute nodes then depending on size you could have dozens<br> >> of VMs. Maybe you just mean you could instantiate 6 VMs with<br> >> public IPs? Actually, due to the router IP, you would be limited<br> >> to 5.<br> ><br> >> Make sure you add the floating IP network as an external net.<br> >> Since your router will not be taking the .1 address, you will<br> >> need to create the port by hand with the chosen IP and add it to<br> >> the router.<br> ><br> >> $ neutron net-create externalnet -- --router:external=True $<br> >> neutron subnet-create externalnet <a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a><br> > <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>><br> >> <<a href="http://172.16.58.0/24" target="_blank">http://172.16.58.0/24</a>> --name external \ --enable_dhcp=False<br> >> --allocation_pool start=172.16.58.x,\ end=172.16.58.x --gateway<br> >> 172.16.58.x (use your network gateway here - change the IP<br> >> addresses in the allocation range to match what is available on<br> >> your network) $ neutron router-create extrouter (name of your<br> >> router) $ neutron port-create externalnet --fixed-ip 172.16.58.x<br> >> (use desired router IP) $ neutron router-interface-add extrouter<br> >> port=$portid (port id from previous command) $ neutron<br> >> router-interface-add extrouter subnet=public (replace public<br> >> with the name of the <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>><br> > <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>> network)<br> ><br> >> Once that is done, you should be able to assign a floating IP to<br> >> any VM that has an interface on the <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a><br> > <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>><br> >> <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>> network.<br> ><br> >> P.S. - Several times in your email you mentioned <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a><br> > <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>><br> >> <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>>, but that's not a valid network. I<br> >> assume you mean <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>><br> > <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>>.<br> ><br> ><br> ><br> > That depends what you are trying to do. There are plenty of<br> > reasons why it might not work at first. You may need to<br> > troubleshoot.<br> ><br> > One issue that might come up is that you will be doing multiple<br> > levels of NAT. Some protocols won't work with multiple layers of<br> > translation.<br> ><br> > If your goal is to eventually make these VMs reachable from the<br> > Internet, there are a lot of factors in play above the OpenStack<br> > cloud.<br> ><br> ><br> <br> </div></div>No, the external network is only attached to the Neutron controller.<br> The public IP actually lives on the l3agent, which runs the router you<br> created and attached to that network. When traffic goes back and forth<br> from outside, the l3agent does source NAT and swaps the public IP with<br> the VM IP. The controller isn't actually attached to the external network.<br> <br> In general, the only IPs in use on the External network are the IP you<br> assign to the router attached to the External network, the upstream<br> gateway router, and the floating IPs handled by Neutron.<br> <br> If a VM doesn't have a floating IP, the Neutron router will use its<br> own IP address for the NAT. That Internet access is outbound-only.<br> <span class=""><br> - --<br> Dan Sneddon | Principal OpenStack Engineer<br> <a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a> | <a href="http://redhat.com/openstack" target="_blank">redhat.com/openstack</a><br> 650.254.4025 | @dxs on twitter<br> -----BEGIN PGP SIGNATURE-----<br> Version: GnuPG v1<br> <br> </span>iQEcBAEBAgAGBQJU6Y1bAAoJEFkV3ypsGNbjTIMH/iajE5q30wfCKcghkWaTu0AW<br> VckXJyPSdtucrewUb+oUriGFx3OPMZU1hnGxCYqDTjsj/iTx3JsSFzCozmKzdXAY<br> hWEO/nNmD4lWljWghjTac13t+6rhM5lJVA3posQoZEPWwyrdh6bmcHwCM93HYZ3H<br> QYaXv7RKasSool6Kq9MxOyRq2+O0DvmVWk8BOKHzy2ZnP1OrRjhotSRIRIh1O3Ti<br> 3PEYZJ+QZOzxAMfWDWcRjNONuGscaIVvPxrU5/i6jH5FK1ymJarIRJmVPO1a58BW<br> cYEcsuz/L6wYhaYthRCY14EkLQ7bsSTT4JMse68s0/u3WgQPyjZOR2NBk6QAAu8=<br> =0N5i<br> -----END PGP SIGNATURE-----<br> </blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Pasquale Salza<div><div><br></div><div>e-mail: <a href="mailto:pasquale.salza@gmail.com" target="_blank">pasquale.salza@gmail.com</a></div><div>phone: +39 393 4415978</div><div>fax: +39 089 8422939</div><div>skype: pasquale.salza</div><div>linkedin: <a href="http://it.linkedin.com/in/psalza/" target="_blank">http://it.linkedin.com/in/psalza/</a></div></div></div></div> </div>