can't ping router's ip

Asked by junlun fan

I install quantum and use a GRE tunnel and l3-agent.
I create a router, set the router's gateway and add an interface to a subnet.
Finally, the router's gateway is 172.20.9.66 and the interface IP is 192.168.120.254.

root@openstack-1:/opt# ip netns exec qdhcp-c92a088d-329d-495e-95f6-c621a8f3b6c4 ping 192.168.120.254
PING 192.168.120.254 (192.168.120.254) 56(84) bytes of data.
64 bytes from 192.168.120.254: icmp_req=1 ttl=64 time=0.434 ms
64 bytes from 192.168.120.254: icmp_req=2 ttl=64 time=0.073 ms
64 bytes from 192.168.120.254: icmp_req=3 ttl=64 time=0.077 ms
64 bytes from 192.168.120.254: icmp_req=4 ttl=64 time=0.084 ms

root@openstack-1:/opt# ip netns exec qrouter-94482e47-10b1-46e2-acdb-b1949fc972e2 ping 172.20.9.66
PING 172.20.9.66 (172.20.9.66) 56(84) bytes of data.
64 bytes from 172.20.9.66: icmp_req=1 ttl=64 time=0.058 ms
64 bytes from 172.20.9.66: icmp_req=2 ttl=64 time=0.049 ms

However, I can't ping the router's gateway without using "ip netns":

root@openstack-1:/opt# ping 172.20.9.66
PING 172.20.9.66 (172.20.9.66) 56(84) bytes of data.
^C
--- 172.20.9.66 ping statistics ---
29 packets transmitted, 0 received, 100% packet loss, time 28004ms

After that I create floating IP 172.20.9.67 and associate it with a VM, 192.168.120.2:
root@openstack-1:/opt# quantum floatingip-list
+--------------------------------------+------------------+---------------------+--------------------------------------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| 221554d5-cd29-4531-817c-0bbe1b3d0acb | 192.168.120.2 | 172.20.9.67 | dd1202a7-725b-44b7-8985-58c18c7c5074 |
+--------------------------------------+------------------+---------------------+--------------------------------------+

root@openstack-1:/opt# ip netns exec qrouter-94482e47-10b1-46e2-acdb-b1949fc972e2 ping 172.20.9.67
PING 172.20.9.67 (172.20.9.67) 56(84) bytes of data.
64 bytes from 172.20.9.67: icmp_req=1 ttl=64 time=82.2 ms
64 bytes from 172.20.9.67: icmp_req=2 ttl=64 time=0.843 ms
64 bytes from 172.20.9.67: icmp_req=3 ttl=64 time=0.791 ms

Yet I still can't ping 172.20.9.67 without using ip netns:
root@openstack-1:/opt# ping 172.20.9.67
PING 172.20.9.67 (172.20.9.67) 56(84) bytes of data.
^C
--- 172.20.9.67 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4031ms

I don't know the cause of the problem, as I know little about ip netns. Does anyone have the answer?

Question information

Language: English
Status: Solved
For: neutron
Assignee: No assignee
Solved by: yong sheng gong

Weiwen Chen (wei-wen-chen) said :
#1

This is the right behavior. You can ping the router's IP without using a namespace if you configured that for the L3 agent in the first place. With namespaces in place, the router IP is only visible in the namespace. Otherwise, how could overlapping IPs work?

junlun fan (junlun-fan) said :
#2

@Weiwen Chen (wei-wen-chen)
If what you say is true, then the external network can't ping the VM's floating IP, which means floating IPs make no sense.
What's more, I have one more question:
root@openstack-1:/opt# ip netns exec qrouter-94482e47-10b1-46e2-acdb-b1949fc972e2 iptables-save
# Generated by iptables-save v1.4.12 on Wed Oct 31 10:15:27 2012
*nat
:PREROUTING ACCEPT [40789:3665651]
:INPUT ACCEPT [111:27461]
:OUTPUT ACCEPT [19:1596]
:POSTROUTING ACCEPT [14:1176]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-POSTROUTING - [0:0]
:quantum-l3-agent-PREROUTING - [0:0]
:quantum-l3-agent-float-snat - [0:0]
:quantum-l3-agent-snat - [0:0]
:quantum-postrouting-bottom - [0:0]
-A PREROUTING -j quantum-l3-agent-PREROUTING
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A POSTROUTING -j quantum-l3-agent-POSTROUTING
-A POSTROUTING -j quantum-postrouting-bottom
-A quantum-l3-agent-OUTPUT -d 172.20.9.67/32 -j DNAT --to-destination 192.168.120.2
-A quantum-l3-agent-POSTROUTING ! -i qg-248c41e7-29 ! -o qg-248c41e7-29 -m conntrack ! --ctstate DNAT -j ACCEPT
-A quantum-l3-agent-PREROUTING -d 172.20.9.67/32 -j DNAT --to-destination 192.168.120.2
-A quantum-l3-agent-float-snat -s 192.168.120.2/32 -j SNAT --to-source 172.20.9.67
-A quantum-l3-agent-snat -j quantum-l3-agent-float-snat
-A quantum-l3-agent-snat -s 192.168.120.0/24 -j SNAT --to-source 172.20.9.66

192.168.120.0/24 is SNATed to 172.20.9.66, which means that 192.168.120.0/24 can ping the external network.
However, in the 192.168.120.0/24 namespace, I got:
root@openstack-1:/opt# ip netns exec qdhcp-c92a088d-329d-495e-95f6-c621a8f3b6c4 ping 192.168.120.254
PING 192.168.120.254 (192.168.120.254) 56(84) bytes of data.
64 bytes from 192.168.120.254: icmp_req=1 ttl=64 time=0.346 ms
64 bytes from 192.168.120.254: icmp_req=2 ttl=64 time=0.071 ms
root@openstack-1:/opt# ip netns exec qdhcp-c92a088d-329d-495e-95f6-c621a8f3b6c4 ping 172.20.9.66
connect: Network is unreachable

192.168.120.254 is the gateway of the router; I can ping it from 192.168.120.0/24, but I can't ping the external network. Is this situation right?

junlun fan (junlun-fan) said :
#3

I get that a Linux bridge can connect the namespaces.
Obviously in my problem the bridge br-ex doesn't work. I assign an IP address, 172.20.9.65, on br-ex and add the route
route add -net 172.20.9.64/28 dev br-ex
yet I still can't ping 172.20.9.66 (the router gateway IP) from the external network.

Is my quantum configuration wrong or something?
[l3_agent.ini]
interface_driver = quantum.agent.linux.interface.OVSInterfaceDriver
auth_url = http://172.20.9.1:5000/v2.0
admin_tenant_name = service
admin_user = quantum
admin_password = keystone
external_network_bridge = br-ex

Best yong sheng gong (gongysh) said :
#4

For #1, do you have an address like 172.20.9.xx on your host without netns?
Try to list it with ip addr without ip netns, and make sure your host can route to the router's gateway port IP.

for #3:
root@openstack-1:/opt# ip netns exec qdhcp-c92a088d-329d-495e-95f6-c621a8f3b6c4 ping 172.20.9.66
connect: Network is unreachable
[yong sheng gong]: That is because there is no route to 192.168.120.254 in qdhcp-c92a088d-329d-495e-95f6-c621a8f3b6c4.
But you can ping 172.20.9.66 from within the VM.

192.168.120.254 is the gateway of the router; I can ping it from 192.168.120.0/24, but I can't ping the external network. Is this situation right?
[yong sheng gong] Confused; the router's gateway port IP is 172.20.9.66. You should be able to ping the external network from within the VM.
In the qdhcp namespace, we should not be able to do it. The qdhcp namespace has just the IP for the DHCP port; it should only respond to DHCP queries.

junlun fan (junlun-fan) said :
#5

#1: Yes, I have other addresses like 172.20.9.xx on my host without netns.
My host IP is 172.20.9.1.
route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 120.88.9.254 0.0.0.0 UG 100 0 0 eth1
10.0.0.0 172.20.0.1 255.0.0.0 UG 0 0 0 eth0
120.88.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.20.0.0 0.0.0.0 255.255.128.0 U 0 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

According to what you say, should I add a rule to the route table manually?

#3
OK, I understand that in the qdhcp namespace we can't ping the external network.

yong sheng gong (gongysh) said :
#6

How does your quantum external network connect to the external physical network?
Run ovs-vsctl show br-ex and get the result.
Is your host's eth0 connected to the physical network too?
Is the 172.20.9.1 host the same one as the l3 agent's host?
Which plugin agent are you using: the linux one, the openvswitch agent, or another?

junlun fan (junlun-fan) said :
#7

Thank you yong sheng gong, you solved my questions.
I have three NICs. eth0 and eth2 connect to the same physical switch; eth1 connects to another switch.
eth0: 172.20.9.1 (external network 1), eth1: 120.88.9.254 (external network 2), eth2: no IP address (external network 1)

I use openvswitch as my plugin.
    Bridge br-tun
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port br-tun
            Interface br-tun
                type: internal
    Bridge br-int
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port br-int
            Interface br-int
                type: internal
        Port "qr-d5fad7c1-46"
            tag: 1
            Interface "qr-d5fad7c1-46"
                type: internal
        Port "tapdd1202a7-72"
            tag: 1
            Interface "tapdd1202a7-72"
        Port "tap2862df9a-c1"
            tag: 1
            Interface "tap2862df9a-c1"
                type: internal
    Bridge br-ex
        Port "eth2"
            Interface "eth1"
        Port br-ex
            Interface br-ex
                type: internal
        Port "qg-444e05b6-10"
            Interface "qg-444e05b6-10"
                type: internal
    ovs_version: "1.4.0+build0"

I manually add two route rules:
route add -net 172.20.9.64/28 gw 172.20.9.65 dev br-ex
####### I don't know why I need to do this for the Linux bridge, but if I don't do this, I can't ping the 172.20.9.64/28 subnet.
####### Does anyone know why? As far as I know, I don't need to add a route for the Linux bridge, as it is just a bridge connecting two areas.

route add -net 192.168.120.0/24 gw 172.20.9.66
####### 172.20.9.66 is the router's gateway IP; after that I can ping the 192.168.120.0/24 internal subnet.
root@openstack-1:/opt# ping 192.168.120.2
PING 192.168.120.2 (192.168.120.2) 56(84) bytes of data.
64 bytes from 192.168.120.2: icmp_req=1 ttl=63 time=29.2 ms
64 bytes from 192.168.120.2: icmp_req=2 ttl=63 time=0.394 ms

root@openstack-1:/opt# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 120.88.9.254 0.0.0.0 UG 100 0 0 eth1
10.0.0.0 172.20.0.1 255.0.0.0 UG 0 0 0 eth0
120.88.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.20.0.0 0.0.0.0 255.255.128.0 U 0 0 0 eth0
172.20.9.64 0.0.0.0 255.255.255.240 U 0 0 0 br-ex #manual add
192.168.120.0 172.20.9.66 255.255.255.0 UG 0 0 0 br-ex #manual add
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
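
An added example, not part of the thread: a longest-prefix-match lookup over the host routing tables posted in #5 and #7, showing which interface the root namespace selects for the router gateway, the floating IP and the VM before and after the two manual routes. The function names are illustrative; the route lines are copied from the posts.

```python
import ipaddress

# Host (root namespace) routing table from post #5, before the manual routes.
ROUTES_BEFORE = """\
0.0.0.0 120.88.9.254 0.0.0.0 UG 100 0 0 eth1
10.0.0.0 172.20.0.1 255.0.0.0 UG 0 0 0 eth0
120.88.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.20.0.0 0.0.0.0 255.255.128.0 U 0 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
"""
# The two entries marked "#manual add" in post #7.
ROUTES_AFTER = ROUTES_BEFORE + """\
172.20.9.64 0.0.0.0 255.255.255.240 U 0 0 0 br-ex
192.168.120.0 172.20.9.66 255.255.255.0 UG 0 0 0 br-ex
"""

def parse_route_n(text):
    """Parse the data rows of `route -n` output into route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[0][0].isdigit():
            continue  # skip header lines and anything malformed
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gw": None if gw == "0.0.0.0" else gw,  # None = directly connected
            "metric": int(metric),
            "iface": iface,
        })
    return routes

def lookup(routes, dst):
    """Return (iface, gateway) chosen for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"], best["gw"]

if __name__ == "__main__":
    for dst in ("172.20.9.66", "172.20.9.67", "192.168.120.2"):
        before = lookup(parse_route_n(ROUTES_BEFORE), dst)
        after = lookup(parse_route_n(ROUTES_AFTER), dst)
        print(f"{dst}: before={before} after={after}")
```

Before the manual routes, 172.20.9.66 and 172.20.9.67 fall under the 172.20.0.0/17 entry on eth0 and 192.168.120.2 falls through to the default route on eth1; afterwards all three resolve via br-ex.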

junlun fan (junlun-fan) said :
#8

Thanks yong sheng gong, that solved my question.

Micah spencer (micahspencer) said :
#9

A possible reason you cannot ping the IP might be that your router is not responding to ICMP echo messages. This is usually done so people can't just ping every address to find lively connections. You can visit https://www.belkinroutersupportnumber.com/belkin-n300-router/ for more information.