How can I configure neutron to allow routing between private networks in the same tenant? When I connect two private subnets with a router, I can't ping instances across the router.
The router isn't enough. You also need to specify a security group rule allowing incoming ICMP packets to the VMs.
It sounds like you need to set the host routes for each network or set the default gateway to be the router that connects the two networks.
Related
We are using a setup of OpenStack Train through a Packstack installation and Open vSwitch as the backend of neutron.
We have created an external network (10.5.0.0/22), which is an internal network of our org., and a private network (10.3.0.0/22) linked via a router.
Our org. network is connected with a pfSense firewall which has been given permission to connect the network 10.5.0.0/22 to 10.3.0.0/22 of OpenStack and vice versa.
In the security group of openstack, we have added the egress and ingress rule to allow traffic between the two networks.
However, we are unable to ping or SSH any VMs that are built on the private network (10.3.0.0/22) from our org. network (10.5.0.0/22).
VMs on the private network have internet connectivity and can ping google and ssh into our org. machines that are on the 10.5.0.0/22 ip range.
The only way to SSH into private network VMs seems to be via a floating IP.
Is there a way to directly SSH into the private network VMs without using the floating IP?
Or is this part of openstack design?
Thank you
Do you have any physical network hardware like Switches that are configured to only allow a specific VLAN or subnet traffic?
Can you also share how your subnet is configured (openstack subnet show)?
Security groups do isolate traffic outside a subnet, so a floating IP is the alternative way in, but it's possible to have multiple ports on a VM with different subnets and access.
An instance created in OpenStack cannot access the internet. I have created an instance from the Ubuntu cloud image.
In the security groups, I allowed all the ports for ingress and egress requests of ICMP, TCP and UDP. I can SSH into the instance and ping the floating IP of the instance and all the other instances on the private network, but I cannot ping any other IP address outside the network. In the network topology, the router is connecting the public and private network, but the instance cannot access the internet and I cannot ping 8.8.8.8.
Does anyone know how to resolve this issue?
Check your ML2 and linuxbridge or OVS agent. This is because of misconfiguration, presumably a type-driver and mechanism-driver mismatch, or the provider network is not set correctly.
Please post your config here, so we can find the problem.
Thanks for your answer. I was able to resolve this issue by allowing ICMP ingress requests because of port 22 in the security groups.
I have configured a vpc to communicate with an on-prem private network as outlined here I am able to ping servers in my on-prem network through the virtual gateway. I have two private subnets and my route table associated with each of those subnets is configured as below:
10.255.254.0/23 local
0.0.0.0/0 vgw-xxxxxxx
My expectation is that all of my traffic, internet or otherwise, is communicated over the VGW to the CGW and is then subject to our on-premises firewall policies. In fact the article linked above specifically says that is the case:
The instances in the VPN-only subnet can't reach the Internet directly; any Internet-bound traffic must first traverse the virtual private gateway to your network, where the traffic is then subject to your firewall and corporate security policies.
When running a server on one of the private subnets the output from traceroute looks like this:
My traceroute to www.google.com looks like this:
As you can see from above, traffic to www.google.com is just dying on the first hop.
I know that this can be achieved by adding a NAT to the public subnet, but I would prefer that all traffic flow through the on-prem network instead.
What piece am I missing to make this work?
Currently, I'm successfully running a mosquitto broker, subscribing to topics and publishing messages with clients in a local network.
How can I communicate with another local network which is located at a different IP address?
Should I set up 2 mosquitto brokers, one for each local network?
The PC in the other local network needs to be accessible from Internet, so if it is behind a firewall, you need to set a port forwarding rule inside your router. The rule needs to forward the traffic from the public IP address to the internal LAN private IP address of your broker.
Remember that MQTT uses ports 1883 and 8883 (for SSL).
Because MQTT uses TCP connections, there is also a safe way to do this as follows:
A: private broker A behind a firewall.
B: private broker B behind another firewall.
C: cloud broker C on the internet.
Set up the bridge A to C in both directions. This must be configured on A. The safe TCP link to the internet will be created by A.
Set up the bridge B to C in both directions. This must be configured on B. The safe TCP link to the internet will be created by B.
This will create a much safer bridge and can be done even if you do not have control over the router or firewall.
This all depends on how your system needs to work, but you could use multiple brokers (one in each network) then create what is known as a bridge between the brokers.
This has the benefit that each network can continue to work independently of the others should there be a network outage.
Bridges also allow you to control which messages are shared between sites. Details of how to create a bridge are in the mosquitto.conf man page:
http://mosquitto.org/man/mosquitto-conf-5.html
But as Paolo says, you will need to set up port forwarding for port 1883/8883 on your router to expose the brokers to the internet.
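The outbound bridge described in the two answers above (private broker A dialing out to cloud broker C, so nothing on A's firewall has to be opened inbound), as an added mosquitto.conf fragment for broker A. This is example configuration, not from the answers or the Mosquitto project; the hostname cloud-broker.example.com, the CA file path, the credentials and the topic names are placeholders you would replace with your own. It also narrows the bridge to named topics with per-site prefixes, which the bridge answer mentions but does not show.

```conf
# Added example for private broker A: an outbound TLS bridge to cloud broker C.
# Assumes C listens on 8883 with TLS and requires a username/password;
# the address, CA path and credentials below are placeholders.
connection a-to-cloud
address cloud-broker.example.com:8883

# Verify C's certificate against a CA we trust; never disable hostname checks.
bridge_cafile /etc/mosquitto/certs/cloud-ca.crt
bridge_insecure false

# Credentials C uses to authenticate this bridge (create them on C).
remote_clientid site-a-bridge
remote_username site-a
remote_password CHANGE_ME_placeholder

# Keep the session so queued QoS 1 messages survive a link outage;
# reconnect automatically when the internet link returns.
cleansession false
start_type automatic
notifications true
try_private true

# Only topics listed here cross the bridge. The remote prefix keeps site A's
# tree separate from site B's on C:
#   local  sensors/temp     -> remote site-a/sensors/temp   (out)
#   remote site-a/commands/x -> local commands/x             (in)
topic sensors/# out 1 "" site-a/
topic commands/# in 1 "" site-a/
```

Broker B gets the same fragment with its own credentials and a site-b/ prefix; C then needs only a hardened 8883 listener (TLS, allow_anonymous false, a password file, and an ACL file restricting each site's user to its own prefix). Because the bridge connection is initiated from inside, the home or office firewall needs no inbound rule at all, which is the point of the answer.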
Here are the steps to allow public connections to MQTT server within private space (home)
allow port forwarding on your router
public port 1883 should be forwarded to private port 1883
IP Address to forward requests on this port should be of the IP address of MQTT server/PC in your home/private network
Update Mosquitto configuration to allow public listeners
add line listener 1883 0.0.0.0 under #listener port-number [ip address/host name]
This will allow requests from any source on 1883 port to be handled by your MQTT
Restart MQTT
I could successfully open up my MQTT server to public/internet traffic by following the above steps after much trial and error with many different configuration changes.
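The listener from the steps above, shown beside a version that requires TLS and credentials before the forwarded port is reachable from the internet. This is an added example, not configuration from the answer or from the Mosquitto project; the certificate and password file paths and the LAN address 192.168.1.10 are placeholders, and the password file is assumed to have been created with mosquitto_passwd.

```conf
# Added example: what "listener 1883 0.0.0.0" exposes, and a hardened alternative.
# Paths, addresses and the ACL file are placeholders.

# The answer's listener. Once the router forwards 1883 to this host, anyone on
# the internet can connect; on Mosquitto 1.x allow_anonymous defaults to true,
# so they can publish and subscribe without any credentials.
# listener 1883 0.0.0.0

# Forward public port 8883 to this listener instead.
listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Require a username/password (file built with mosquitto_passwd) and restrict
# each user to the topics it needs via an ACL file.
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# A plaintext listener for LAN clients, bound to the LAN interface address
# rather than 0.0.0.0 so it is never the target of the port-forward rule.
# allow_anonymous and password_file above apply to this listener too unless
# per_listener_settings is set to true.
listener 1883 192.168.1.10
```

With this layout the port-forward rule on the router points only at 8883, the plaintext listener is unreachable from outside, and a client that reaches the forwarded port still has to present a valid certificate chain and credentials before it can publish or subscribe.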
I'm trying to SSH into a known good instance inside a new AWS VPN
Set up so far
Elastic IP connected to VPC instance inside public subnet
IGW associated with subnet with CIDR 0.0.0.0/0
Security Groups set up
Does anyone have any debug tips? Does the configuration matter?
Mostly want to know how to debug and isolate issues like this
Check your security group: make sure you're allowing the SSH port and also the CIDR for the inbound traffic to bind to that port.