Creating a VM to act as a router

Asked by Doug

Hello,

I recently set up a virtual machine to act as a router. The problem is the VM is not routing traffic correctly. This is essentially what my setup is; refer to the output below.

(VM IM PINGING FROM) (Private subnet X)
|
(OPEN VPN TUNNEL)
|
(VMs below are in Private subnet Y on a completely different cloud)
(VM ACTING AS ROUTER)(INT-X)--(INT-Y)(OVS)--------(VM IM TRYING TO PING)

When I run a packet capture on INT-X on the router VM, I see echo requests going out.
When I run a packet capture on INT-Y on the OVS, I no longer see the echo requests.

Is there some sort of libvirt rule that needs to be changed in order for a virtual machine to act as a router?

Question information

Status: Solved
For: neutron
Solved by: Aaron Rosen
#1 yong sheng gong (gongysh) said:

So your router VM has an IP on INT-X which is the gateway of the VM you are pinging from, right?
And the router VM has another IP on INT-Y which connects to the other VMs you are pinging to.
Have you enabled forwarding with 'sysctl -w net.ipv4.ip_forward=1'?

#2 Doug (dsmith4546) said:

Yes, I have enabled IP forwarding. I have an OpenVPN tunnel between two VMs in two different clouds. Each of those VMs is doing routing for the local subnet it is connected to. I have the appropriate routes in place on all virtual machines. I want to ping from a VM on one cloud to a VM on another cloud. I want to go over the OpenVPN tunnel. I am doing this as you said above by using those OpenVPN VMs as the gateway. I see the traffic going over the tunnel. I see the traffic hitting the far side VM. The strange thing is I see the echo reply coming back. But it STOPS at the VM that is the gateway for the VM I'm pinging from. When I run a capture on the actual ethernet interface for that VM that is running OpenVPN, and is doing the routing, I see echo replies, but they are never routed back to the VM which sent out the echo requests. I ran a capture on the tap interface and am seeing echo replies, but when I run a capture on the q interface on OVS I don't see the echo replies. Normally I was going to say there must be some kind of quantum rule for IP spoofing or something, but that doesn't make any sense because the traffic gets all the way to the far side VM over the tunnel. And when it gets routed at the other side of the tunnel, the source address is an address that is different from the IP address assigned to the interface. This probably isn't an OpenStack issue.

#3 Doug (dsmith4546) said:

I am 99% sure this has to do with OpenStack not allowing IP spoofing. Is there a way to turn off IP spoofing in Grizzly?

#4 Aaron Rosen (arosen) said (best answer):

Doug, yup, that is what is blocking you. I think if you set the firewall driver in ovs_quantum_plugin.ini to the Noop one, that should do it. The nvp plugin has an extension, port_security_enabled, which is used to disable these spoofing rules. This would be pretty easy to add to the OVS plugin if you are interested in implementing it.
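To make the two mechanisms in this answer concrete, here is an added example (not code from the quantum project or from anyone in this thread). It models the per-port anti-spoofing check that the iptables-based firewall driver applies to a VM's egress traffic, shows why a router VM's forwarded packets trip it, and audits an ovs_quantum_plugin.ini text for the Noop driver, which switches the check off for every port on that agent. The `Port` class, the `port_security_enabled` flag on it, and the sample ini fragments are assumptions constructed for the example; the two driver class paths are the Grizzly-era names as I recall them, so verify them against your own configuration.

```python
"""Simplified model of Quantum/Neutron anti-spoofing plus a firewall_driver audit.

Added example, not code from the quantum project.  The verdict logic models the
rule the iptables firewall driver installs per port: frames leaving the VM must
carry the port's own MAC and one of the port's fixed IPs, otherwise they are dropped.
"""
import configparser
from dataclasses import dataclass

# Driver class paths as used in Grizzly-era ovs_quantum_plugin.ini (assumed names).
IPTABLES_DRIVER = "quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver"
NOOP_DRIVER = "quantum.agent.firewall.NoopFirewallDriver"


@dataclass
class Port:
    """Hypothetical view of a Quantum port: its MAC, fixed IPs and the nvp-style
    port_security_enabled flag mentioned in the answer above."""
    mac: str
    fixed_ips: frozenset
    port_security_enabled: bool = True


def egress_verdict(port: Port, src_mac: str, src_ip: str) -> str:
    """Return 'ACCEPT' or 'DROP' for a frame the VM sends out through `port`."""
    if not port.port_security_enabled:
        return "ACCEPT"                     # no spoofing rules installed for this port
    if src_mac.lower() != port.mac.lower():
        return "DROP"                       # MAC does not belong to the port
    if src_ip not in port.fixed_ips:
        return "DROP"                       # forwarded/routed traffic fails here
    return "ACCEPT"


def firewall_driver(ini_text: str):
    """Return the firewall_driver configured in an ovs_quantum_plugin.ini text, or None.
    The section name is matched case-insensitively ([SECURITYGROUP] vs [securitygroup])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    for section in cp.sections():
        if section.lower() == "securitygroup":
            return cp.get(section, "firewall_driver", fallback=None)
    return None


def antispoof_state(ini_text: str) -> str:
    """'enforced' with the iptables driver, 'disabled' with Noop, 'unset' if absent."""
    driver = firewall_driver(ini_text)
    if driver is None:
        return "unset"
    if driver == NOOP_DRIVER:
        return "disabled"
    return "enforced"


# Constructed sample data: a router VM port and two ini fragments.
ROUTER_PORT = Port(mac="fa:16:3e:00:00:01", fixed_ips=frozenset({"10.0.1.2"}))

SAMPLE_INI_DEFAULT = """
[DATABASE]
sql_connection = mysql://quantum:pass@127.0.0.1/quantum
[SECURITYGROUP]
firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

SAMPLE_INI_NOOP = """
[securitygroup]
firewall_driver = quantum.agent.firewall.NoopFirewallDriver
"""

if __name__ == "__main__":
    # An echo request the router VM originates itself passes; a forwarded echo reply
    # from the far-side subnet (src 10.0.2.5) is dropped by the anti-spoofing rule.
    print("own traffic :", egress_verdict(ROUTER_PORT, "fa:16:3e:00:00:01", "10.0.1.2"))
    print("forwarded   :", egress_verdict(ROUTER_PORT, "fa:16:3e:00:00:01", "10.0.2.5"))
    print("default ini :", antispoof_state(SAMPLE_INI_DEFAULT))
    print("noop ini    :", antispoof_state(SAMPLE_INI_NOOP))
```

The audit function is the part worth keeping around: switching to the Noop driver removes the spoofing protection for every port served by that agent, not just the router VM's, so a quick check of which agents run without it is a useful thing to have in a configuration review.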

#5 Doug (dsmith4546) said:

Thanks Aaron Rosen, that solved my question.

#6 Doug (dsmith4546) said:

I think I need to start digging into the quantum code more. I will ask some other folks I work with to see if they are interested in adding that functionality.