From: Noel Kendall
To: "users@cloudstack.apache.org"
Subject: RE: Advanced Network - SNAT not working
Date: Sat, 14 Sep 2013 15:19:46 -0400

I have that Marty. I see the http outbound request coming in on the guest interface of the VR,
and see the http request being sent out on the public interface of the VR.
The traffic is flowing fine from guest to the outbound i/f of the VR.

This is tcpdump on the public i/f while guest is doing wget to 6x.xxx.xxx.xxx

19:17:58.834932 06:e3:3a:00:01:0a > 00:0c:86:4e:fe:00, ethertype IPv4 (0x0800), length 74: 10.11.79.178.39074 > 6x.xxx.xxx.xx.80: Flags [S], seq 1859313238, win 14600, options [mss 1460,sackOK,TS val 27489348 ecr 0,nop,wscale 4], length 0
        0x0000:  4500 003c ad1d 4000 3f06 2d13 0a0b 4fb2
        0x0010:  416e c660 98a2 0050 6ed2 de56 0000 0000
        0x0020:  a002 3908 516c 0000 0204 05b4 0402 080a
        0x0030:  01a3 7444 0000 0000 0103 0304

> Date: Sat, 14 Sep 2013 19:29:53 +0100
> Subject: Re: Advanced Network - SNAT not working
> From: msweet.dev@gmail.com
> To: users@cloudstack.apache.org
>
> Hi Noel,
>
> Can you run a tcpdump on both VR interfaces, this should make it apparent
> what is happening?
>
> Thanks,
> Marty
>
>
> On Sat, Sep 14, 2013 at 6:41 PM, Noel Kendall wrote:
>
> > http://pastebin.com/3FZmFnvZ
> > Many thanks Marty.
> > Noel
> > > Date: Sat, 14 Sep 2013 18:07:55 +0100
> > > Subject: Re: Advanced Network - SNAT not working
> > > From: msweet.dev@gmail.com
> > > To: users@cloudstack.apache.org
> > >
> > > Hi Noel,
> > >
> > > Could you put the IP tables on pastebin? GMail has collapsed the lines
> > > horrifically.
> > > Have you also tried a tcpdump on both interfaces on the VR?
> > > tcpdump -i eth0 <--- Or whatever it may be called
> > >
> > > I would expect worse connectivity if it was a pure NAT issue, but I will
> > > review the tables later.
> > >
> > > Thanks,
> > > Marty
> > >
> > >
> > > On Sat, Sep 14, 2013 at 5:55 PM, Noel Kendall wrote:
> > >
> > > > Not seeing return packets on VR. Suspect, therefore, that SNAT is fouled
> > > > up in some way.
> > > > I have been doing wget to from guest, can see the outgoing
> > > > request fine, both in the guest and the VR.
> > > > Could it be that the SNAT table entries from the 10.11.0.0/16 subnet to
> > > > dpt www are interfering with the SNAT to public ip?? (wild guess) - not an
> > > > iptables expert by any stretch of the imagination
> > > > 67.xxx.xxx.56 is the guest public IP
> > > > 10.11.79.178 is the guest IP on guest network
> > > > iptables -L -t nat on the VR shows...
> > > >
> > > > Chain PREROUTING (policy ACCEPT)
> > > > target     prot opt source               destination
> > > > DNAT       tcp  --  anywhere             anywhere            tcp dpt:domain to:10.11.0.1
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:www to:10.11.79.178:80
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:www to:10.11.79.178:80
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:https to:10.11.79.178:443
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:https to:10.11.79.178:443
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:ssh to:10.11.79.178:22
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:ssh to:10.11.79.178:22
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:ftp to:10.11.79.178:21
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:ftp to:10.11.79.178:21
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:5901 to:10.11.79.178:5901
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:5901 to:10.11.79.178:5901
> > > >
> > > > Chain POSTROUTING (policy ACCEPT)
> > > > target     prot opt source               destination
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > > SNAT       tcp  --  10.11.0.0/16         myguest             tcp dpt:www to:10.11.0.1
> > > > SNAT       tcp  --  10.11.0.0/16         myguest             tcp dpt:https to:10.11.0.1
> > > > SNAT       tcp  --  10.11.0.0/16         myguest             tcp dpt:ssh to:10.11.0.1
> > > > SNAT       tcp  --  10.11.0.0/16         myguest             tcp dpt:ftp to:10.11.0.1
> > > > SNAT       tcp  --  10.11.0.0/16         myguest             tcp dpt:5901 to:10.11.0.1
> > > > SNAT       all  --  anywhere             anywhere            to:67.xxx.xxx.56
> > > >
> > > > Chain OUTPUT (policy ACCEPT)
> > > > target     prot opt source               destination
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:www to:10.11.79.178:80
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:https to:10.11.79.178:443
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:ssh to:10.11.79.178:22
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:ftp to:10.11.79.178:21
> > > > DNAT       tcp  --  anywhere             67.xxx.xxx.56       tcp dpt:5901 to:10.11.79.178:5901
> > > >
> > > > > Date: Sat, 14 Sep 2013 17:25:14 +0100
> > > > > Subject: Re: Advanced Network - SNAT not working
> > > > > From: msweet.dev@gmail.com
> > > > > To: users@cloudstack.apache.org
> > > > >
> > > > > Hi Noel,
> > > > >
> > > > > Can you try using telnet to connect to an external webserver? telnet
> > > > > www.google.com 80
> > > > > Can you also clarify: do you see the response packets reach the VR and/or
> > > > > on what interfaces?
> > > > >
> > > > > Thanks,
> > > > > Marty
> > > > >
> > > > > On Saturday, September 14, 2013, Noel Kendall wrote:
> > > > >
> > > > > > Guest OS cannot receive responses to http GETs from resources on the
> > > > > > Internet.
> > > > > > Network is advanced, VLAN isolated.
> > > > > > What is working:
> > > > > > - can browse guest website from internet
> > > > > > - can ssh to guest from internet
> > > > > > - can VPN to guest network from internet
> > > > > > - network VR can access internet sites no problem
> > > > > > What is not working:
> > > > > > - guest http traffic to external website gets to VR on internal NIC,
> > > > > > packets forwarded to external site via external NIC
> > > > > >
> > > > > > Response traffic is not seen. Appears to be dropped.
> > > > > > Have been looking hard at IPTABLES rules, doing tcpdumps, etc.
> > > > > > Am at this point stumped.
> > > > > > Any ideas on what could be wrong, or how to determine what could be
> > > > > > wrong?
> > > > > > Thanks in advance everyone who tries to help!
> > > > > > N.
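
Added example, not part of the thread: a check over `tcpdump -n` output taken on a router's public interface. It lists TCP packets that still carry an RFC 1918 source address (outgoing packets are captured after POSTROUTING, so a private source there means no SNAT rule rewrote them) and SYNs for which no SYN-ACK was seen. The capture is constructed, with documentation addresses standing in for public IPs; all function and variable names are this example's own.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "<src ip>.<sport> > <dst ip>.<dport>: Flags [..]" in a tcpdump -n summary line
FLOW = re.compile(
    r": (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")

# Constructed capture from a public interface (all addresses and MACs are made up).
SAMPLE = """\
19:17:58.834932 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 10.11.79.178.39074 > 203.0.113.80.80: Flags [S], seq 1859313238, win 14600, length 0
        0x0000:  4500 003c ad1d 4000 3f06 2d13 0a0b 4fb2
19:17:59.101200 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 198.51.100.56.40112 > 203.0.113.80.80: Flags [S], seq 77120015, win 14600, length 0
19:17:59.140877 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 203.0.113.80.80 > 198.51.100.56.40112: Flags [S.], seq 9913, ack 77120016, win 14480, length 0
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit_public_capture(text):
    """Return (leaked, unanswered) for tcpdump -n lines from the public side."""
    leaked, syns, answered = [], [], set()
    for line in text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue  # hex dump rows and non-TCP lines carry no flow summary
        src, sport, dst, dport, flags = m.groups()
        if is_rfc1918(src) and not is_rfc1918(dst):
            leaked.append((src, dst, int(dport)))  # left the router un-NATed
        if flags == "S":
            syns.append((src, sport, dst, dport))
        elif flags == "S.":
            answered.add((dst, dport, src, sport))  # keyed like the original SYN
    unanswered = [s for s in syns if s not in answered]
    return leaked, unanswered

if __name__ == "__main__":
    leaked, unanswered = audit_public_capture(SAMPLE)
    for src, dst, dport in leaked:
        print(f"private source on public interface: {src} -> {dst}:{dport}")
    for src, sport, dst, dport in unanswered:
        print(f"SYN without SYN-ACK: {src}:{sport} -> {dst}:{dport}")
```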