How can I configure neutron to allow routing between private networks in the same tenant? When I connect two private subnets with a router, I can't ping instances across the router.
2 Answers
0
The router isn't enough. You also need to specify a security group rule allowing incoming ICMP packets to the VMs.

Barak
- Yes, I've done that: wide open security groups. It's not a complicated setup. It simply doesn't work, which is not good. All interfaces can be pinged, but not instances. IOW, if I have two subnets, 10.10.10.0/24 and 20.20.20.0/24, I can ping the router interfaces from both networks (10.10.10.1 and 20.20.20.1). But if I create instances on either network, I can't ping them from the other. Oddly, I can always ping 10.10.10.3 or 20.20.20.3, even if there is no instance. In any case, I was hoping neutron could handle this, as I don't want manual mess with IP tables and such. – DeWayne Apr 06 '15 at 22:25
- Can you add a screenshot of the network topology from the horizon console, and the security group details? – Barak Apr 07 '15 at 12:40
0
It sounds like you need to set the host routes for each network or set the default gateway to be the router that connects the 2 networks.
- Please add some comments about your solution on why and how it solves the problem – Bhavesh Odedra Feb 12 '16 at 14:40
- Based on the OP's question, it would appear that the L3 routing setup is incorrect. If his security groups are correctly configured and he has no firewall in place, the instances on his private network don't have a route to the other network in order to respond to the ICMP requests. Without an IP route to the destination network, the responses will never be delivered. Without explaining the entirety of OSI, I don't know how else to explain "Network unreachable". – mfmeitbual Feb 23 '16 at 22:40
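
The return-path argument in the second answer, as an added example (not code from this thread or from Neutron): a Python check over constructed subnet records that use Neutron's `cidr`, `gateway_ip` and `host_routes` field names and reports whether both the echo request and the echo reply have a route through the router. The `net-a`/`net-b` names, the missing gateway on `net-b` and the function names are assumptions for illustration; security groups are assumed to already allow ICMP.

```python
import ipaddress

# Constructed sample data; the addresses mirror the two subnets in the question.
ROUTER_PORTS = {"10.10.10.1", "20.20.20.1"}  # router interface IPs

SUBNETS = {
    "net-a": {"cidr": "10.10.10.0/24", "gateway_ip": "10.10.10.1", "host_routes": []},
    # Assumed misconfiguration: no default gateway and no host route on net-b.
    "net-b": {"cidr": "20.20.20.0/24", "gateway_ip": None, "host_routes": []},
}

def next_hop(subnet, dst_ip):
    """Next hop an instance on `subnet` would use for dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in ipaddress.ip_network(subnet["cidr"]):
        return "on-link"
    # Longest-prefix match over the host routes handed out with the lease.
    best = None
    for route in subnet["host_routes"]:
        net = ipaddress.ip_network(route["destination"])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["nexthop"])
    if best:
        return best[1]
    return subnet["gateway_ip"]  # default route; None means "Network unreachable"

def can_reach(src, dst, subnets=SUBNETS, router_ports=ROUTER_PORTS):
    """True if instances on `src` have a route via the router to `dst`."""
    probe = str(ipaddress.ip_network(subnets[dst]["cidr"]).network_address + 10)
    hop = next_hop(subnets[src], probe)
    return hop == "on-link" or hop in router_ports

def ping_works(a, b, **kw):
    """The echo request needs a route a->b; the echo reply needs b->a."""
    return can_reach(a, b, **kw) and can_reach(b, a, **kw)

if __name__ == "__main__":
    for a, b in (("net-a", "net-b"), ("net-b", "net-a")):
        print(f"{a} -> {b}: route via router = {can_reach(a, b)}")
    print("ping net-a <-> net-b works:", ping_works("net-a", "net-b"))
```

With the sample data the request from `net-a` is routed but the reply from `net-b` has no next hop, so the ping fails even with open security groups.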