My openstack version is ussuri.
I configured the function of "Floating IP port forwarding" according to this document: https://docs.openstack.org/neutron/ussuri/admin/config-fip-port-forwardings.html
But I can't see "Configure Floating IP Port Forwarding Rules" on Dashboard under "Floating IPs"
Are there any other configurations of Neutron or horizon that need to be modified?
Someone has turned on the function of "Floating IP Port Forwarding": https://openstackdocs.safeswisscloud.ch/en/howto/ht-port-forward.html
But I don't know how to do that, hoping for help.
Thanks.
Related
I’ve installed openstack all-in-one in Centos 7. But, i have an issue with networking. I created an external network in ‘flat’ form (192.168.242.0/24 with gateway 192.168.242.1), and a private network (10.10.10.0/24 with gateway 10.10.10.1).
my instances can ping the router’s gateway (192.168.242.22), the floating ip (192.168.242.37), and the host (192.168.242.42), but they can’t reach the real external gateway (192.168.242.1) nor internet. The ping's message is: Destination Host Unreachable.
In return my host (192.168.242.42) can ping the tenant network’s gateway (10.10.10.1), the floating ip, and the router’s gateway.
Also i can ssh in both sides, and i've already permited ICMP in both sides.
Could you please help me with this issue? I'm really stuck with that.
Thank you in advance.
I've setup two GCP instances, both with an adapter subnet 10.0.3.0/24 (HOST A: 10.0.3.7, HOST B: 10.0.3.6). Both have DevStack setup on them with the following local.conf :
HOST A: https://pastebin.com/m3sXPaz9
HOST B: https://pastebin.com/311qjqbh
According to the documentation, (https://docs.openstack.org/neutron-vpnaas/latest/contributor/testing-with-devstack.html):
You can use two DevStack nodes connected by a common “public” network to test VPNaaS. The second node can be set up with the same public network as the first node, except it will use a different gateway IP (and hence router IP).
And,
With DevStack running on East and West and connectivity confirmed (make sure you can ping one router/GW from the other), you can perform these VPNaaS CLI commands.
However, after following the above AND the following SO question previously asked(How to expose the Devstack floating ip to the external world?), I can't get HOST B to ping the Floating IP assigned to a DevStack instance(10.0.3.156) in A.
I have made sure that the Security groups both in GCP and DevStack allow all ingress and egress traffic on all ports. br-ex has the GW of 10.0.3.129, which is also not reachable.
An image of the network in HOST A
Alright so the thing I overlooked was that even the VMs had a firewall, and i just had to add a UWF rule to them to allow traffic from devices on that network.
I am trying to map the notion of an openstack port to an IP abstraction. In the openstack documentation I see :
"A port is a connection point for attaching a single device, such as the NIC of a server, to a network. The port also describes the associated network configuration, such as the MAC and IP addresses to be used on that port."
So I assume a port must correspond to an IP interface (which in turn can map to a bridge, an ethernet interface or to one end of a veth link).
Is this a correct assumption? I am trying to figure out what IP abstraction maps to a loadbalancer port and I can't yet find it.
Thanks
Answering my own question (hopefully of help to others):
An openstack port corresponds to an ovs (or linnuxbridge) port that connects you up to a virtual network. A prefix of the port ID is used as a bridge name. You can create a port to a network and add it to a router.
When setup a IP-Alias via gloud command or the interface, it works out of the box. But in the machine itself, i do not see any configuration, ip addr-entries, no firewall rules, no routes that would allow to be the machine pingable - but it's pingable (local and remote)! (for example 10.31.150.70, when you setup a 10.31.150.64/26-subnet, and you primary IP is 10.31.150.1)
On the other hand, the primary IP of the machine is a /32-Netmask. For example:
10.31.150.1/32, Gateway: 10.31.0.1/16. So, how can the machine reach the gateway, 10.31.0.1, when the gateway is out of the range?
When removing the Main-IP via ip addr del, the aliases aren't pingable anymore.
Google runs a networking daemon on your instance. It runs as the google-network-daemon service. This code is open source and viewable at this repo. This repo has a Python module called google_compute_engine which manages IP aliasing among other things. You can browse their code to understand how Google implements this (they use either ip route or ifconfig depending on the platform)
To see the alias route added by Google on a Debian box (where they use ip route underneath for aliasing) run the following command.
ip route ls table local type local dev eth0 scope host proto 66
If you know your Linux commands, you can remove appropriate routes after stopping the daemon, and then assign the alias IP address to your primary interface as the second IP address to see the ifconfig approach in action as well.
When alias IP ranges are configured, GCP automatically installs VPC network routes for primary and alias IP ranges for the subnet of the primary network interface. Alias IP ranges are routable within the GCP virtual network without requiring additional routes. That is the reason why there is no configuration on the VM itself but still it's pingable. You do not have to add a route for every IP alias and you do not have to take route quotas into account.
More information regarding Alias IP on Google Cloud Platform (GCP) can be found in this help center article.
Be aware that Compute Engine networks only support IPv4 unicast traffic and it will show the netmask as /32 on the VM. However, it will still be able to reach the Gateway of the subnet that it belongs to. For example, 10.31.0.0/16 includes hosts ranging from 10.31.0.1 to 10.31.255.254 and the host 10.31.150.1 is within that range.
To further clarify why VM instances are assigned with the /32 mask, it is important to note that /32 is an artificial construct. The instance talks to the software defined network, which creates and manages the "real" subnets. So, it is really a link between the single address and the gateway for the subnet. As long as the link layer is there, communications are established and everything works.
In addition to that, network masks are enforced at the network layer. This helps avoid generation of unnecessary broadcast traffic (which underlying network wouldn't distribute anyway).
Note that removing the primary IP will break the reachability to the metadata server and therefore the IP aliases won't be accessible.
I'm trying to debug a problem I'm having understanding the difference between the NAT network adapter in VirtualBox and the NAT network adapter in VMWare Fusion. So far, I can configure VMWare and achieve my desired result, but I cannot achieve this in VirtualBox. In a VMWare VM, I'm able to use a NAT network adapter to achieve the following:
The guest is assigned it's own unique IP address
The guest has access to the outside Internet
The host can ping the guest and ssh to it
The guest can ping the host and ssh to it
The guest can resolve (internal) domain names just like the Host
I thought I saw that this was possible in VirtualBox, but now I'm thinking it's not possible. Perhaps there is some option that is close to VMWare, in which I manually modify /etc/resolv.conf in the guest to match that of the host? I did find a few questions that seem to indicate I should instead be using Bridged mode in VirtualBox, e.g. this question: Can't ping to VirtualBox instance , in which both answers appear to suggest VirtualBox's NAT adapter doesn't support the functionality I want:
It is quite obvious that when you are using NAT it will be impossible to ping host after NAT. It is how the NAT works... even if you will have real not virtual host the bechaviour will be the same.
and
You need to change networking mode from NAT to bridged, and ping should start working in both directions.
Also, answers to this question seem to back up the above: How to ping ubuntu guest on VirtualBox
Is it true that a NAT adapter in VirtualBox cannot be ping'ed from the Host OS?
I have used virtual box for years and I also have 2-3 years experience in computer networking.
Yes, in virtual box you can't ping the guest that use NAT from the host and this also how NAT works in real life. In real life, if you want to be able to contact a host behind NAT, you have to set a port forwarding rules where the connection to a certain port of the router will be forwarded to a certain machine. This must be done on the router.
To enable port forwarding in virtual box environment, select the Network pane in the virtual machine’s configuration window, expand the Advanced section, and click the Port Forwarding button. Note that this button is only active if you’re using a NAT network type – you only need to forward ports if you’re using a NAT (http://www.howtogeek.com/122641/how-to-forward-ports-to-a-virtual-machine-and-use-it-as-a-server/).