Posted to users@cloudstack.apache.org by Sean Lair <sl...@ippathways.com> on 2016/02/06 22:47:19 UTC

Guest VMs cannot access Internet

Hi all,

I'm having an issue I'm hoping you can assist with.  Brand new Cloudstack 4.8 deployment running on CentOS7 and KVM hypervisors.  Using advanced networking with VLAN isolation.

Deploying new VMs using the default CentOS5.5 instance works great.  The virtual router is deployed as expected to perform source NAT.  If I log into the virtual router, it can ping the Internet and the guest VMs.  The guest VMs can ping each other as they are on the same subnet.  The virtual router has an Internet public IP it is using for Source NAT.

The guest VMs however cannot access the Internet.  Under the public IP address [Source NAT] -> Firewall, I'm allowing 0.0.0.0/0 ICMP with "-1" for ICMP Type and code.  For the Egress rules for the guest network, I have 0.0.0.0/0 All protocols and All ports.  I can ping the outside of the virtual router (public IP) from the Internet.

From my troubleshooting above I'm guessing it is something to do with the virtual router, but am not sure how to troubleshoot next.

Thanks in advance for any assistance.

Thanks
Sean

Re: Guest VMs cannot access Internet

Posted by Sanjeev N <sa...@apache.org>.
Can you check the iptable rules on VR? By default all the egress traffic is
blocked. When you allow the egress traffic, make sure that these newly
added rules are being placed on top of the default deny rules in the
egress_outbound chain inside VR.

-Sanjeev

On Sun, Feb 7, 2016 at 5:25 AM, Sean Lair <sl...@ippathways.com> wrote:

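
A defender-side check for the rule-ordering point Sanjeev makes, added here as an example and not code from the thread or from CloudStack: it reads an iptables-save dump and flags ACCEPT rules in a chain that sit below an unconditional DROP/REJECT and therefore can never match. The chain name egress_outbound is taken from the reply above, but the sample rules are constructed for illustration; on a live VR you would pipe iptables-save into it.

```shell
#!/bin/sh
# Added example (not from the thread): given iptables-save output on stdin,
# report ACCEPT rules in CHAIN that sit below an unconditional DROP/REJECT
# and so can never match. Exit status 1 if any such shadowed rule exists.
check_chain_order() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      n++
      # a rule whose first option is -j has no match criteria: it is a catch-all
      if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT") && !deny) deny = n
      if (deny && n > deny && $0 ~ / -j ACCEPT( |$)/) {
        printf "shadowed: rule %d of %s is below catch-all deny at rule %d: %s\n", n, chain, deny, $0
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample 1: the ACCEPT was appended after the default deny (the
# failure mode described above). Constructed sample 2: the ACCEPT sits above it.
SAMPLE_BAD='*filter
:egress_outbound - [0:0]
-A egress_outbound -j DROP
-A egress_outbound -s 10.1.1.0/24 -j ACCEPT
COMMIT'
SAMPLE_GOOD='*filter
:egress_outbound - [0:0]
-A egress_outbound -s 10.1.1.0/24 -j ACCEPT
-A egress_outbound -j DROP
COMMIT'

# Wrappers returning the check's exit status. On a real VR the equivalent is:
#   iptables-save | check_chain_order egress_outbound
check_bad()  { printf '%s\n' "$SAMPLE_BAD"  | check_chain_order egress_outbound; }
check_good() { printf '%s\n' "$SAMPLE_GOOD" | check_chain_order egress_outbound; }
```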

RE: Guest VMs cannot access Internet

Posted by Sean Lair <sl...@ippathways.com>.
Here is the output:

-----------------------------------------
[root@dc01cloudkvm01 ~]# systemctl status firewalld
● firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

---------------------------------------------

[root@dc01cloudkvm01 ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sat Feb  6 23:46:44 2016
*mangle
:PREROUTING ACCEPT [1306448:4376908074]
:INPUT ACCEPT [1185701:4364833786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1294026:2863147676]
:POSTROUTING ACCEPT [1294026:2863147676]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Feb  6 23:46:44 2016
# Generated by iptables-save v1.4.21 on Sat Feb  6 23:46:44 2016
*nat
:PREROUTING ACCEPT [120793:12078892]
:INPUT ACCEPT [46:4604]
:OUTPUT ACCEPT [1446:103514]
:POSTROUTING ACCEPT [1446:103514]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Feb  6 23:46:44 2016
# Generated by iptables-save v1.4.21 on Sat Feb  6 23:46:44 2016
*filter
:INPUT ACCEPT [1185701:4364833786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1294026:2863147676]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Sat Feb  6 23:46:44 2016
-----------------------

-----Original Message-----
From: Nux! [mailto:nux@li.nux.ro] 
Sent: Saturday, February 6, 2016 5:38 PM
To: users@cloudstack.apache.org
Subject: Re: Guest VMs cannot access Internet


Re: Guest VMs cannot access Internet

Posted by Nux! <nu...@li.nux.ro>.
That's not how you check it; CentOS 7 now comes with firewalld and the iptables-services are not installed by default.
"iptables-save" will output the current state of the firewall

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Sean Lair" <sl...@ippathways.com>
> To: users@cloudstack.apache.org
> Sent: Saturday, 6 February, 2016 22:56:23
> Subject: RE: Guest VMs cannot access Internet


RE: Guest VMs cannot access Internet

Posted by Sean Lair <sl...@ippathways.com>.
Thanks for the response!  The iptables service is currently stopped:

# systemctl stop iptables
Failed to stop iptables.service: Unit iptables.service not loaded.

-----Original Message-----
From: Nux! [mailto:nux@li.nux.ro] 
Sent: Saturday, February 6, 2016 4:13 PM
To: users@cloudstack.apache.org
Subject: Re: Guest VMs cannot access Internet


Re: Guest VMs cannot access Internet

Posted by Nux! <nu...@li.nux.ro>.
Hi Sean,

Have you double checked iptables rules are correct (or disabled) on the underlying KVM hypervisor?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Sean Lair" <sl...@ippathways.com>
> To: users@cloudstack.apache.org
> Sent: Saturday, 6 February, 2016 21:47:19
> Subject: Guest VMs cannot access Internet
