Posted to dev@cloudstack.apache.org by Hieu Le <hi...@gmail.com> on 2012/10/01 03:16:39 UTC
Re: Problem with VM private IP
Can anyone help???
On Thu, Sep 27, 2012 at 7:09 PM, Hieu Le <hi...@gmail.com> wrote:
> Hi (again),
>
> I have applied the patch for hairpin NAT with VRVM, but here comes another
> problem: CS always says "Fail to enable static NAT" each time I NAT a public
> IP for a VM.
>
> I also tried to upgrade to 3.0.4 and the problem hadn't gone away.
>
> In the VRVM, the hairpin NAT rules have also disappeared.
>
> Please help!!!
>
> Sent from my HTC©
> On Sep 25, 2012 3:48 PM, "Jayapal Reddy Uradi" <
> jayapalreddy.uradi@citrix.com> wrote:
>
>>
>> There is no hairpin NAT related rule in the NAT table.
>> The hairpin NAT issue is fixed in 3.0.3.
>>
>> http://bugs.cloudstack.org/browse/CS-13500
>>
>> Thanks,
>> Jayapal
>>
>> -----Original Message-----
>> From: Hieu Le [mailto:hieulq89@gmail.com]
>> Sent: Tuesday, September 25, 2012 12:24 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: Problem with VM private IP
>>
>> Here are the VR iptables rules:
>>
>> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t filter
>> Chain INPUT (policy DROP 124 packets, 9432 bytes)
>> num pkts bytes target prot opt in out source destination
>> 1 0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
>> 2 0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
>> 3 38 3648 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 4 11168 1852K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 5 5 526 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 6 102 8520 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>> 7 5 293 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
>> 8 29 9614 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
>> 9 23 1787 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
>> 10 629 37740 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3922
>> 11 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
>> 12 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
>>
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>> num pkts bytes target prot opt in out source destination
>> 1 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 2 1 60 ACCEPT all -- eth2 eth0 0.0.0.0/0 10.1.1.118 state NEW
>> 3 3 164 ACCEPT all -- eth2 eth0 0.0.0.0/0 10.1.1.132 state NEW
>> 4 21 9986 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 5 29 1600 ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT 280 packets, 48879 bytes)
>> num pkts bytes target prot opt in out source destination
>>
>>
>> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t nat
>> Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
>> num pkts bytes target prot opt in out source destination
>> 1 1 60 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.120 to:10.1.1.118
>> 2 3 164 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.115 to:10.1.1.132
>>
>> Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
>> num pkts bytes target prot opt in out source destination
>> 1 2 96 SNAT all -- * eth2 10.1.1.132 0.0.0.0/0 to:192.168.3.115
>> 2 4 192 SNAT all -- * eth2 10.1.1.118 0.0.0.0/0 to:192.168.3.120
>> 3 2 138 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:192.168.3.116
>>
>> Chain OUTPUT (policy ACCEPT 2 packets, 138 bytes)
>> num pkts bytes target prot opt in out source destination
>>
>>
>> root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t mangle
>> Chain PREROUTING (policy ACCEPT 543 packets, 44292 bytes)
>> num pkts bytes target prot opt in out source destination
>> 1 552 346K VPN_192.168.3.116 all -- * * 0.0.0.0/0 192.168.3.116
>> 2 13 5167 FIREWALL_192.168.3.120 all -- * * 0.0.0.0/0 192.168.3.120
>> 3 22 5571 FIREWALL_192.168.3.115 all -- * * 0.0.0.0/0 192.168.3.115
>> 4 118 5980 FIREWALL_192.168.3.116 all -- * * 0.0.0.0/0 192.168.3.116
>> 5 11705 1887K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED CONNMARK restore
>> 6 1 60 MARK all -- eth2 * 0.0.0.0/0 192.168.3.120 state NEW MARK set 0x2
>> 7 1 60 CONNMARK all -- eth2 * 0.0.0.0/0 192.168.3.120 state NEW CONNMARK save
>> 8 124 10012 MARK all -- eth0 * 10.1.1.118 0.0.0.0/0 state NEW MARK set 0x2
>> 9 124 10012 CONNMARK all -- eth0 * 10.1.1.118 0.0.0.0/0 state NEW CONNMARK save
>> 10 3 164 MARK all -- eth2 * 0.0.0.0/0 192.168.3.115 state NEW MARK set 0x2
>> 11 3 164 CONNMARK all -- eth2 * 0.0.0.0/0 192.168.3.115 state NEW CONNMARK save
>> 12 17 1445 MARK all -- eth0 * 10.1.1.132 0.0.0.0/0 state NEW MARK set 0x2
>> 13 17 1445 CONNMARK all -- eth0 * 10.1.1.132 0.0.0.0/0 state NEW CONNMARK save
>>
>> Chain INPUT (policy ACCEPT 514 packets, 42811 bytes)
>> num pkts bytes target prot opt in out source destination
>>
>> Chain FORWARD (policy ACCEPT 54 packets, 11810 bytes)
>> num pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 231 packets, 42784 bytes)
>> num pkts bytes target prot opt in out source destination
>>
>> Chain POSTROUTING (policy ACCEPT 285 packets, 54594 bytes)
>> num pkts bytes target prot opt in out source destination
>> 1 27 9270 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill
>>
>> Chain FIREWALL_192.168.3.115 (1 references)
>> num pkts bytes target prot opt in out source destination
>> 1 15 5203 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 2 0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535
>> 3 5 248 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535
>> 4 2 120 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
>> 5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> Chain FIREWALL_192.168.3.116 (1 references)
>> num pkts bytes target prot opt in out source destination
>> 1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 2 118 5980 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> Chain FIREWALL_192.168.3.120 (1 references)
>> num pkts bytes target prot opt in out source destination
>> 1 8 4903 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 2 2 120 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
>> 3 3 144 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535
>> 4 0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535
>> 5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> Chain VPN_192.168.3.116 (1 references)
>> num pkts bytes target prot opt in out source destination
>> 1 434 340K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 2 118 5980 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
>> root@r-17-VRDLAB:~#
>>
>>
>> On Tue, Sep 25, 2012 at 12:37 PM, Jayapal Reddy Uradi <
>> jayapalreddy.uradi@citrix.com> wrote:
>>
>> > Debug the traffic flow ... whether the traffic is sent to the VR guest
>> > network interface and then to the public interface.
>> > Please share the VR iptables rules.
>> >
>> > Thanks,
>> > Jayapal
>> >
>> > -----Original Message-----
>> > From: Hieu Le [mailto:hieulq89@gmail.com]
>> > Sent: Tuesday, September 25, 2012 8:42 AM
>> > To: cloudstack-dev@incubator.apache.org
>> > Subject: Re: Problem with VM private IP
>> >
>> > Yep, I have read the admin guide, set up firewall rules + enabled
>> > static NAT for all tested VMs, and I am still facing this problem.
>> >
>> > On Tue, Sep 25, 2012 at 10:01 AM, Ahmad Emneina <Ahmad.Emneina@citrix.com> wrote:
>> >
>> > > Have you looked at the Administration Guide[1]? See page 75 and see
>> > > if that solves your connectivity issue. You still need to poke the
>> > > hole in the firewall and set up a NAT rule from within CloudStack.
>> > >
>> > > [1]:
>> > > http://download.cloud.com/releases/3.0.0/CloudStack3.0AdminGuide.pdf
>> > >
>> > > On 9/24/12 7:56 PM, "Hieu Le" <hi...@gmail.com> wrote:
>> > >
>> > > >Hi,
>> > > >
>> > > >The telnet packets are not reaching the telnet server VM.
>> > > >
>> > > >I'm using CS 3.0.2.
>> > > >
>> > > >Thanks for replying !
>> > > >
>> > > >On Mon, Sep 24, 2012 at 5:52 PM, Jayapal Reddy Uradi <
>> > > >jayapalreddy.uradi@citrix.com> wrote:
>> > > >
>> > > >> Using firewall and port forwarding rules only, we can access the
>> > > >> VM services from the public network and also from the VMs using the
>> > > >> public IPs.
>> > > >> For you, telnet from the outside network succeeds but fails from
>> > > >> VM to VM using the public IP.
>> > > >> Seems hairpin NAT failed ...
>> > > >>
>> > > >> Please capture the packets on the telnet server VM to see whether
>> > > >> the telnet packets are reaching it or not.
>> > > >>
>> > > >> Which version of CloudStack is it?
>> > > >>
>> > > >> Thanks,
>> > > >> Jayapal
>> > > >>
>> > > >> -----Original Message-----
>> > > >> From: Hieu Le [mailto:hieulq89@gmail.com]
>> > > >> Sent: Monday, September 24, 2012 3:39 PM
>> > > >> To: cloudstack-dev@incubator.apache.org
>> > > >> Subject: Problem with VM private IP
>> > > >>
>> > > >> Hi everyone,
>> > > >>
>> > > >> I have a problem while working with VM private IPs. My cloud
>> > > >> system runs 2 VMs in an advanced zone with private IPs 10.1.1.20 and
>> > > >> 10.1.1.21 and VM NAT IPs 192.168.50.160 and 192.168.50.165.
>> > > >> From the outside network, I can ping and telnet to port 80 on both VMs
>> > > >> with their public IPs. But from VM 10.1.1.21, I can't telnet to the other
>> > > >> VM with its public IP.
>> > > >>
>> > > >> For details:
>> > > >> From VM1: 10.1.1.20 and 192.168.50.160.
>> > > >> ping 192.168.50.165 and ping 10.1.1.21: success
>> > > >> telnet 10.1.1.21 80: success
>> > > >> telnet 192.168.50.165 80: fail
>> > > >>
>> > > >> From VM2: 10.1.1.21 and 192.168.50.165.
>> > > >> ping 192.168.50.160 and ping 10.1.1.20: success
>> > > >> telnet 10.1.1.20: success
>> > > >> telnet 192.168.50.160 80: fail
>> > > >>
>> > > >> And I can't telnet to other ports with the public IP.
>> > > >>
>> > > >> Can you suggest some solutions for me to telnet to a VM from another
>> > > >> VM via its public IP?
>> > > >>
>> > > >> Thanks!
>> > > >>
>> > > >
>> > > >
>> > > >
>> > > >--
>> > > >..:: Hieu LE ::..
>> > > >
>> > > >Class: Information System - Course 52
>> > > >School of Information and Communication Technology
>> > > >Hanoi University of Technology
>> > > >No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
>> > > >
>> > > >High Performance Computing Center
>> > > >Cloud Computing Group
>> > > >Gmail: hieulq89@gmail.com
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
>>
>
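The thread turns on whether the virtual router's NAT table carries hairpin rules at all: Jayapal points out that none are present in the posted listing, and after the patch the static NAT rules go missing again. The script below is an added example, not code from the thread or from CloudStack. It parses the text printed by `iptables -nL -v --line-numbers -t nat`, learns the static NAT mappings from the DNAT rules on the public interface, and reports for each one whether the two rules a guest-to-public-IP (hairpin) path needs are present: a DNAT of the public IP on the guest interface and a POSTROUTING SNAT back out of the guest interface so the reply returns through the router. The interface roles (eth0 guest side, eth2 public side) are read off the listing in the thread; the second, "fixed" listing, its guest CIDR 10.1.1.0/24 and gateway 10.1.1.1 are constructed for the example, and the exact rule shape CloudStack's own fix installs may differ.

```python
"""Report hairpin-NAT coverage from an `iptables -nL -v --line-numbers -t nat` listing.

Added example (not from the thread or from CloudStack). Interface roles and the
sample listings are assumptions modelled on the router output in the thread.
"""
import re
from dataclasses import dataclass

GUEST_IF = "eth0"   # assumption: VR interface facing the guest network
PUBLIC_IF = "eth2"  # assumption: VR interface facing the public network


@dataclass
class Rule:
    chain: str
    target: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match/target options, e.g. "to:10.1.1.118"


def parse_nat_listing(text):
    """Turn the `iptables -nL -v --line-numbers` text into Rule objects."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        # Columns: num pkts bytes target prot opt in out source destination [extra]
        parts = line.split(None, 10)
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # column header, blank line or shell prompt
        extra = parts[10] if len(parts) > 10 else ""
        rules.append(Rule(chain, parts[3], parts[6], parts[7], parts[8], parts[9], extra))
    return rules


def nat_target(extra):
    """Address after 'to:' in a DNAT/SNAT rule's options, or None."""
    m = re.search(r"to:(\S+)", extra)
    return m.group(1) if m else None


def static_nat_mappings(rules):
    """public IP -> private IP, from DNAT rules that enter on the public interface."""
    mapping = {}
    for r in rules:
        if r.chain == "PREROUTING" and r.target == "DNAT" and r.in_if == PUBLIC_IF:
            target = nat_target(r.extra)
            if target:
                mapping[r.dst] = target
    return mapping


def hairpin_status(rules):
    """For each mapping, check the two rules a guest-side (hairpin) path needs."""
    status = {}
    for pub, priv in static_nat_mappings(rules).items():
        guest_dnat = any(
            r.chain == "PREROUTING" and r.target == "DNAT" and r.in_if == GUEST_IF
            and r.dst == pub and nat_target(r.extra) == priv for r in rules)
        guest_snat = any(
            r.chain == "POSTROUTING" and r.target in ("SNAT", "MASQUERADE")
            and r.out_if == GUEST_IF and r.dst == priv for r in rules)
        status[pub] = {"private": priv, "guest_dnat": guest_dnat, "guest_snat": guest_snat}
    return status


def missing_hairpin(rules):
    """Public IPs whose hairpin path is incomplete, sorted for stable output."""
    return sorted(p for p, s in hairpin_status(rules).items()
                  if not (s["guest_dnat"] and s["guest_snat"]))


# NAT table as posted in the thread (re-typed, one rule per line).
BROKEN_VR = """\
Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
num pkts bytes target prot opt in out source destination
1 1 60 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.120 to:10.1.1.118
2 3 164 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.115 to:10.1.1.132

Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
num pkts bytes target prot opt in out source destination
1 2 96 SNAT all -- * eth2 10.1.1.132 0.0.0.0/0 to:192.168.3.115
2 4 192 SNAT all -- * eth2 10.1.1.118 0.0.0.0/0 to:192.168.3.120
3 2 138 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:192.168.3.116

Chain OUTPUT (policy ACCEPT 2 packets, 138 bytes)
num pkts bytes target prot opt in out source destination
"""

# Constructed listing with a generic hairpin pair added per mapping
# (guest CIDR 10.1.1.0/24 and gateway 10.1.1.1 are assumptions, not from the thread).
FIXED_VR = BROKEN_VR.replace(
    "\nChain POSTROUTING",
    "3 0 0 DNAT all -- eth0 * 0.0.0.0/0 192.168.3.120 to:10.1.1.118\n"
    "4 0 0 DNAT all -- eth0 * 0.0.0.0/0 192.168.3.115 to:10.1.1.132\n"
    "\nChain POSTROUTING",
).replace(
    "\nChain OUTPUT",
    "4 0 0 SNAT all -- * eth0 10.1.1.0/24 10.1.1.118 to:10.1.1.1\n"
    "5 0 0 SNAT all -- * eth0 10.1.1.0/24 10.1.1.132 to:10.1.1.1\n"
    "\nChain OUTPUT",
)

if __name__ == "__main__":
    for name, listing in (("as posted", BROKEN_VR), ("with hairpin rules", FIXED_VR)):
        missing = missing_hairpin(parse_nat_listing(listing))
        print(f"[{name}] public IPs without a hairpin path: {missing or 'none'}")
```

On a live router the listing can be fed in with `iptables -nL -v --line-numbers -t nat | python3 check_hairpin.py` after swapping the embedded samples for `sys.stdin.read()`; the POSTROUTING check is the one most often forgotten, since without the SNAT the target VM answers the guest directly and the connection never completes, which matches the "telnet to public IP fails, telnet to private IP works" symptom in the thread.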