Posted to users@cloudstack.apache.org by Francesco Maria Magnini <fm...@gmail.com> on 2013/12/19 19:03:57 UTC

[Advanced Zone] Isolated Source NAT issue (NAT not working)

Hi guys,

I cannot ping internet from VMs.
Pinging from Virtual Router is ok.

In addition, SSVM are reachable from outside (storage/proxy ssvm) through
addresses configured in public network range, Virtual router is not
reachable (but can ping internet).

Any idea?


-- 
“Video games don't affect kids.
I mean, if Pac-Man had affected our generation,
we would all be jumping around in dark rooms,
chewing magic pills and listening to repetitive
electronic music...”

(Kristian Wilson, Nintendo Inc, 1989)

Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Francesco Maria Magnini <fm...@gmail.com>.
Geoff,
since my VM has only one NIC in the 10.1.1.0/24 subnet, in order to try the
Static NAT feature do I need to acquire a new secondary IP for that NIC?


On Fri, Dec 20, 2013 at 10:54 AM, Geoff Higginbottom <
geoff.higginbottom@shapeblue.com> wrote:

> You could create a network offering with only DNS, DHCP & UserData
> services and also the Specify VLAN option enabled, then use this to create
> a guest network with public IPs.  You would need to ensure the chosen IP
> Range and VLAN maps through to a physical router.
>
> Alternatively you could try the Static NAT feature.  This maps a public IP
> to a single guest VM.  You just need to acquire an additional IP first.
>
> Regards
>
> Geoff Higginbottom
> CTO / Cloud Architect

Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Geoff Higginbottom <ge...@shapeblue.com>.
You could create a network offering with only DNS, DHCP & UserData services and also the Specify VLAN option enabled, then use this to create a guest network with public IPs.  You would need to ensure the chosen IP Range and VLAN maps through to a physical router.

Alternatively you could try the Static NAT feature.  This maps a public IP to a single guest VM.  You just need to acquire an additional IP first.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com | www.shapeblue.com | Twitter: @shapeblue

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS


On 20 Dec 2013, at 09:28, "Francesco Maria Magnini" <fm...@gmail.com> wrote:

Thanks for the clarification, it makes sense.
So far I have instances attached to the 10.1.1.0/24 guest network, and I
have Internet connection through the Virtual Router source-NAT feature.
But now, I would like to take one public IP and configure it directly on
one instance.
Do I need a different range from the one assigned right now to the SSVM? Or
can I use for simplicity the same public network subnet declared during
advanced zone creation?


This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
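
The static NAT route described in the message above, laid out as the sequence of CloudStack API commands it involves. This is an added example, not part of the thread: it only plans the calls and sends nothing, and every ID, address and the ping source range are constructed placeholders.

```python
"""Plan the CloudStack API calls that give one guest VM its own public IP
through static NAT. Output is a list of (command, params) pairs to review
or hand to an API client; no request is made here."""
import ipaddress

# Constructed sample shaped like a listPublicIpAddresses response for the
# isolated guest network. All IDs and addresses are placeholders.
SAMPLE_PUBLIC_IPS = [
    {"id": "ip-0001", "ipaddress": "203.0.113.10",
     "issourcenat": True, "isstaticnat": False},
    {"id": "ip-0002", "ipaddress": "203.0.113.11",
     "issourcenat": False, "isstaticnat": True},
]


def pick_free_ip(public_ips):
    """Return an already-acquired IP that can take a static NAT, or None.

    The source-NAT address is shared by the whole guest network, and an
    address that already has static NAT enabled is mapped to another VM,
    so both are skipped.
    """
    for ip in public_ips:
        if not ip["issourcenat"] and not ip["isstaticnat"]:
            return ip
    return None


def plan_static_nat(public_ips, vm_id, network_id, zone_id, ping_from=None):
    """Build the ordered API calls for a one-to-one NAT to vm_id.

    ping_from is an optional source CIDR allowed to send ICMP echo
    requests to the new public IP. Refusing 0.0.0.0/0 is a choice made
    by this example, to keep the ingress rule scoped.
    """
    steps = []
    ip = pick_free_ip(public_ips)
    if ip is None:
        # No spare address: acquire an additional public IP first.
        steps.append(("associateIpAddress",
                      {"zoneid": zone_id, "networkid": network_id}))
        ip_ref = "<id returned by associateIpAddress>"
    else:
        ip_ref = ip["id"]

    # Map the public IP to exactly one guest VM.
    steps.append(("enableStaticNat",
                  {"ipaddressid": ip_ref, "virtualmachineid": vm_id}))

    if ping_from is not None:
        # ip_network() raises ValueError on a malformed CIDR.
        source = ipaddress.ip_network(ping_from)
        if source.prefixlen == 0:
            raise ValueError("refusing to open ICMP ingress to any source")
        # Ingress on the public IP stays closed until a firewall rule
        # opens it; type 8 / code 0 is ICMP echo request.
        steps.append(("createFirewallRule",
                      {"ipaddressid": ip_ref, "protocol": "icmp",
                       "icmptype": 8, "icmpcode": 0,
                       "cidrlist": str(source)}))
    return steps


if __name__ == "__main__":
    plan = plan_static_nat(SAMPLE_PUBLIC_IPS, "vm-0001", "net-0001",
                           "zone-0001", ping_from="198.51.100.0/24")
    for command, params in plan:
        print(command, params)
```
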

Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Francesco Maria Magnini <fm...@gmail.com>.
Thanks for the clarification, it makes sense.
So far I have instances attached to the 10.1.1.0/24 guest network, and I
have Internet connection through the Virtual Router source-NAT feature.
But now, I would like to take one public IP and configure it directly on
one instance.
Do I need a different range from the one assigned right now to the SSVM? Or
can I use for simplicity the same public network subnet declared during
advanced zone creation?


On Fri, Dec 20, 2013 at 10:16 AM, Geoff Higginbottom <
geoff.higginbottom@shapeblue.com> wrote:

> The VR is configured to not respond to pings, probably an anti-DDoS measure.
>
> If you restart the VR it will respond to pings whilst it is booting, but
> then the security policies kick in and the responses stop.
>
> Regards
>
> Geoff Higginbottom
> CTO / Cloud Architect

Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Geoff Higginbottom <ge...@shapeblue.com>.
The VR is configured to not respond to pings, probably an anti-DDoS measure.

If you restart the VR it will respond to pings whilst it is booting, but then the security policies kick in and the responses stop.

Regards

Geoff Higginbottom
CTO / Cloud Architect



On 20 Dec 2013, at 08:46, "Francesco Maria Magnini" <fm...@gmail.com> wrote:

Where should I add a firewall rule, manually using iptables inside the
Virtual Router?
Consider that I have no firewall in my network layout preventing ICMP to
reach the Virtual Router.



Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Francesco Maria Magnini <fm...@gmail.com>.
Where should I add a firewall rule, manually using iptables inside the
Virtual Router?
Consider that I have no firewall in my network layout preventing ICMP to
reach the Virtual Router.


On Fri, Dec 20, 2013 at 1:57 AM, Andrei Mikhailovsky <an...@arhont.com> wrote:

>
>
> Francesco,
>
> I believe you need to add a firewall rule to allow ingress ICMP traffic.
> Once allowed you should be able to ping it.
>
> Andrei
>
> ----- Original Message -----
>
> From: "Francesco Maria Magnini" <fm...@gmail.com>
> To: users@cloudstack.apache.org
> Sent: Thursday, 19 December, 2013 11:23:37 PM
> Subject: Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)
>
> Hi Geoff,
>
> I've added a "permit all" egress rule (source 0.0.0.0/0 ALL) and now guest
> VMs can connect to Internet.
> Is it normal that the Virtual Router is still not reachable through the
> public network?
> I cannot ping its public IP address (other 2 public SSVM are pingable).
>
> Regards
>
>
> On Thu, Dec 19, 2013 at 7:12 PM, Geoff Higginbottom <
> geoff.higginbottom@shapeblue.com> wrote:
>
> > Francesco,
> >
> > Have you enabled egress rules to allow outbound traffic for guest VMs?
> >
> > If you are trying to ping the public IP of the VR it will not respond due
> > to security settings, however the SSVM and CPVM do respond.
> >
> > Regards
> >
> > Geoff Higginbottom
> > CTO / Cloud Architect
> >
> > On 19 Dec 2013, at 18:04, "Francesco Maria Magnini" <fmm1982@gmail.com> wrote:
> >
> > Hi guys,
> >
> > I cannot ping internet from VMs.
> > Pinging from Virtual Router is ok.
> >
> > In addition, SSVM are reachable from outside (storage/proxy ssvm) through
> > addresses configured in public network range, Virtual router is not
> > reachable (but can ping internet).
> >
> > Any idea?

Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Andrei Mikhailovsky <an...@arhont.com>.

Francesco, 

I believe you need to add a firewall rule to allow ingress ICMP traffic. Once allowed you should be able to ping it. 

Andrei 

----- Original Message -----

From: "Francesco Maria Magnini" <fm...@gmail.com> 
To: users@cloudstack.apache.org 
Sent: Thursday, 19 December, 2013 11:23:37 PM 
Subject: Re: [Advanced Zone] Isolated Source NAT issue (NAT not working) 

Hi Geoff, 

I've added a "permit all" egress rule (source 0.0.0.0/0 ALL) and now guest 
VMs can connect to Internet. 
Is it normal that the Virtual Router is still not reachable through the 
public network? 
I cannot ping its public IP address (the other 2 public SSVMs are pingable).

Regards 


On Thu, Dec 19, 2013 at 7:12 PM, Geoff Higginbottom < 
geoff.higginbottom@shapeblue.com> wrote: 

> Francesco, 
> 
> Have you enabled egress rules to allow outbound traffic for guest VMs?
> 
> If you are trying to ping the public IP of the VR it will not respond due 
> to security settings, however the SSVM and CPVM do respond. 
> 
> Regards 
> 
> Geoff Higginbottom 
> CTO / Cloud Architect 
> 
> On 19 Dec 2013, at 18:04, "Francesco Maria Magnini" <fmm1982@gmail.com> wrote:
> 
> Hi guys, 
> 
> I cannot ping internet from VMs. 
> Pinging from Virtual Router is ok. 
> 
> In addition, SSVM are reachable from outside (storage/proxy ssvm) through 
> addresses configured in public network range, Virtual router is not 
> reachable (but can ping internet). 
> 
> Any idea? 

Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Francesco Maria Magnini <fm...@gmail.com>.
Hi Geoff,

I've added a "permit all" egress rule (source 0.0.0.0/0 ALL) and now guest
VMs can connect to Internet.
Is it normal that the Virtual Router is still not reachable through the
public network?
I cannot ping its public IP address (the other 2 public SSVMs are pingable).

Regards


On Thu, Dec 19, 2013 at 7:12 PM, Geoff Higginbottom <
geoff.higginbottom@shapeblue.com> wrote:

> Francesco,
>
> Have you enabled egress rules to allow outbound traffic for guest VMs?
>
> If you are trying to ping the public IP of the VR it will not respond due
> to security settings, however the SSVM and CPVM do respond.
>
> Regards
>
> Geoff Higginbottom
> CTO / Cloud Architect
>
> On 19 Dec 2013, at 18:04, "Francesco Maria Magnini" <fmm1982@gmail.com> wrote:
>
> Hi guys,
>
> I cannot ping internet from VMs.
> Pinging from Virtual Router is ok.
>
> In addition, SSVM are reachable from outside (storage/proxy ssvm) through
> addresses configured in public network range, Virtual router is not
> reachable (but can ping internet).
>
> Any idea?

Re: [Advanced Zone] Isolated Source NAT issue (NAT not working)

Posted by Geoff Higginbottom <ge...@shapeblue.com>.
Francesco,

Have you enabled egress rules to allow outbound traffic for guest VMs?

If you are trying to ping the public IP of the VR it will not respond due to security settings, however the SSVM and CPVM do respond.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com | www.shapeblue.com | Twitter: @shapeblue <https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS


On 19 Dec 2013, at 18:04, "Francesco Maria Magnini" <fm...@gmail.com> wrote:

Hi guys,

I cannot ping internet from VMs.
Pinging from Virtual Router is ok.

In addition, SSVM are reachable from outside (storage/proxy ssvm) through
addresses configured in public network range, Virtual router is not
reachable (but can ping internet).

Any idea?


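
Added example (not part of any message in this thread, and not CloudStack code): a simplified Python model of the behaviour the posters describe, where guest egress is denied until a rule matches and pings to the Virtual Router's public IP are dropped until an ingress ICMP rule exists. The `Rule` type, the `allowed` and `scenario` helpers, the host addresses and the scoped rule set are assumptions made for illustration; the scoped set shows a narrower alternative to the "permit all" egress rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    cidr: str                   # source CIDR the rule applies to
    protocol: str               # "all", "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None matches any port (always None for ICMP)

    def matches(self, src: str, protocol: str, port: Optional[int]) -> bool:
        if ip_address(src) not in ip_network(self.cidr):
            return False
        if self.protocol == "all":
            return True
        return self.protocol == protocol and self.port in (None, port)

def allowed(rules, src, protocol, port=None):
    """Default deny: a packet passes only if at least one rule matches it."""
    return any(rule.matches(src, protocol, port) for rule in rules)

# Constructed sample hosts; only the 10.1.1.0/24 guest subnet is from the thread.
GUEST_VM = "10.1.1.50"
OUTSIDE_HOST = "198.51.100.7"

# Egress rule sets: checked for traffic leaving the isolated guest network.
NO_EGRESS = []                           # initial state: VMs cannot ping out
PERMIT_ALL = [Rule("0.0.0.0/0", "all")]  # the "permit all" rule from the thread
SCOPED = [                               # narrower alternative (assumed needs)
    Rule("10.1.1.0/24", "icmp"),
    Rule("10.1.1.0/24", "udp", 53),
    Rule("10.1.1.0/24", "tcp", 443),
]

# Ingress rule sets: checked for traffic arriving at the router's public IP.
NO_INGRESS = []
ALLOW_PING = [Rule("0.0.0.0/0", "icmp")]

def scenario(egress, ingress):
    """Summarise what one egress/ingress rule combination lets through."""
    return {
        "vm_ping_out": allowed(egress, GUEST_VM, "icmp"),
        "vm_https_out": allowed(egress, GUEST_VM, "tcp", 443),
        "vm_ssh_out": allowed(egress, GUEST_VM, "tcp", 22),
        "ping_router": allowed(ingress, OUTSIDE_HOST, "icmp"),
    }

if __name__ == "__main__":
    print(scenario(PERMIT_ALL, NO_INGRESS))
```

In this model the egress and ingress rule sets are evaluated independently, which is why adding the "permit all" egress rule restores outbound traffic from the VMs without making the router's public IP answer pings.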