From: Vadim Kimlaychuk
To: users@cloudstack.apache.org
Subject: RE: To let SSVM reach outside network.
Date: Sun, 23 Nov 2014 13:51:38 +0000

Hello Dan,

Sorry for the late reply, I have to be away from the internet sometimes :)

You have a problem with routing. According to the arp table, the default
interface -- eth2 -- is not connected to your 192.168.0.* network and can't
see the gateway (192.168.0.100), which is not true. The arp table looks
ugly -- you have 3 interfaces connected to the same network with the same
Metric. How do you think the VM will choose the correct one? I suppose it
will take the first one in line -- eth1 -- and that is why you see eth1
with the complete MAC for 192.168.0.100. It always uses eth1 to reach other
networks, but the default gw is eth2.

For me, the network layout looks awkward. It is better to re-partition and
re-think it. If you don't want to -- try to fix the routing table manually.
Put metrics on your routes and eth2 should be the highest (i.e. have the
lowest number). This will temporarily solve the problem, but you still have
a chance of losing your changes after a reboot, because the routing table
is created dynamically.

Fix your network and I believe everything will work out of the box.

Regards,

Vadim.

________________________________________
From: Dan Dong [dongdan39@gmail.com]
Sent: Wednesday, November 19, 2014 17:45
To: users@cloudstack.apache.org
Subject: Re: To let SSVM reach outside network.

Hi, Vadim,

1. route -n

    root@s-1-VM:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.0.100   0.0.0.0         UG    0      0        0 eth2
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3

Note that for the same 192.168.0.0 network, eth1 is searched before eth2,
while eth2 is supposed to be the public NIC. Should one change the order?

2. arp -n

    root@s-1-VM:~# arp -n
    cloud (192.168.0.100) at 84:2b:2b:01:c3:d0 [ether] on eth1
    cloud (192.168.0.100) at <incomplete> on eth2
    ? (169.254.0.1) at fe:00:a9:fe:01:7a [ether] on eth0

Note that the MAC is incomplete on eth2, while the MAC detected on eth1 is
the correct address of the internal NIC of the Management Server (the
gateway for the 192.168.0.0 subnet).

3. The network layout is quite simple here (basic network):

    Management Server external NIC: 10.*
    Management Server internal NIC: 192.168.0.100

    KVM host NIC: 192.168.0.101
    SSVM and guest VMs are all in the 192.168.0.*/24 network.

4. NAT is configured on the Management Server so the 192.168.0.0/24 subnet
could reach the internet (download packages from the internet etc., e.g.
from the KVM host itself).

Cheers,
Dan


2014-11-19 1:23 GMT-06:00 Vadim Kimlaychuk:

> Dan,
>
> I would suggest you use an external proxy/GW to hide your network, not
> the same host that contains the management server. Because if you would
> like to scale it up - how do you do it? The management server should be
> a rather simple component of the infrastructure, and putting more
> functions on it is a bad idea.
>
> Anyway
> 1. What does "route -n" say on your SSVM?
> 2. If you use KVM your bridges tag the traffic. Are you sure that it is
> properly handled on your switch? Run "arp -a" at your SSVM and see if the
> VM "knows" the MAC of the gateway.
>
> I do expect you to put the output of route and arp here, otherwise we
> will continue guessing.
>
> It would be even better if you describe your network layout like on the
> first picture here:
> http://cloudstack-administration.readthedocs.org/en/latest/networking_and_traffic.html
>
> Vadim.
>
> -----Original Message-----
> From: Dan Dong [mailto:dongdan39@gmail.com]
> Sent: Tuesday, November 18, 2014 5:23 PM
> To: users@cloudstack.apache.org
> Subject: Re: To let SSVM reach outside network.
>
> Hi, Vadim,
> We have to use 2 NICs on the management server as we want to hide the
> cloudstack cluster behind the 10.* network, so all KVM hosts and guest
> VMs are in the 192.168.0.* subnet, and they connect to the management
> server's internal NIC (192.168.0.100). Is it a rule that the management
> server can only use one NIC? And the KVM hypervisor host can reach the
> internet and download packages, but the SSVM running on it could not see
> the internet.
>
> Cheers,
> Dan
>
>
> 2014-11-18 3:20 GMT-06:00 Vadim Kimlaychuk:
>
> > Hello Dan,
> >
> > It seems there is something wrong with your network setup and here
> > are some places to search:
> > 1. Why does your management server have 2 NICs? It should not work as
> > NAT, proxy or any kind of switch - keep this in mind.
> > 2. SSVM normally has to have 3 interfaces (at least). One -- with
> > public IP, one -- management network IP and one -- link local IP. If
> > you have a separate storage network -- it may have one more, but this
> > is not your case. Check the routing table for your SSVM with the
> > "route -n" command. Find your default gateway. It should be the public
> > interface.
> > 3. Did you set up the KVM hypervisor network correctly? Does it have 2
> > interfaces like in the setup guide? Does your hypervisor have access
> > to the internet to be able to download the template?
> >
> > Vadim.
> >
> > -----Original Message-----
> > From: Dan Dong [mailto:dongdan39@gmail.com]
> > Sent: Monday, November 17, 2014 7:02 PM
> > To: users@cloudstack.apache.org
> > Subject: To let SSVM reach outside network.
> >
> > Hi, All,
> > I found I could not register my ISO image to the cloudstack (through
> > URL of
> > http://releases.ubuntu.com/14.04.1/ubuntu-14.04.1-server-amd64.iso).
> > The SSVM is running and the health check shows no problems on it. But
> > it just could not see the outside network, although the SSVM is on the
> > same network as the KVM host, i.e. 192.168.0.*. My setup is as follows:
> >
> > Management Server external NIC: 10.*
> > Management Server internal NIC: 192.168.0.100
> >
> > KVM host NIC: 192.168.0.101
> > guest VMs are all in the 192.168.0.*/24 network.
> >
> > From the SSVM I can ping the internal IP of the Management Server at
> > 192.168.0.100, but could not ping its external IP at 10.*.
> >
> > From the KVM host itself I can reach the outside internet as NAT is
> > configured on the Management Server to let the 192.168.0.0 traffic
> > through. Any hints on how to let the SSVM reach the internet?
> >
> >
> > Cheers,
> > Dan
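
Added example, not part of the original thread: a small Python check that parses the `route -n` output posted above and reports the two conditions the thread discusses, identical routes on several interfaces and a default gateway that is reached through a different interface than the default route names. The function names are hypothetical, and the route-selection order in `gateway_mismatches` is an assumption that follows the reading given in the thread.

```python
import ipaddress
from collections import defaultdict

# `route -n` output as posted in the thread (SSVM s-1-VM), columns realigned.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.100   0.0.0.0         UG    0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
"""

def parse_routes(text):
    """Parse `route -n` rows into dicts, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue
        routes.append({"dest": f[0], "gw": f[1], "mask": f[2], "flags": f[3],
                       "metric": int(f[4]), "iface": f[7]})
    return routes

def ambiguous_routes(routes):
    """Same destination, mask and metric present on more than one interface."""
    groups = defaultdict(list)
    for r in routes:
        groups[(r["dest"], r["mask"], r["metric"])].append(r["iface"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def _net(r):
    return ipaddress.ip_network(f'{r["dest"]}/{r["mask"]}')

def gateway_mismatches(routes):
    """Assumed order for reaching the gateway: longest prefix, then lowest
    metric, then first listed. Returns (default_iface, used_iface, gw)."""
    found = []
    for d in (r for r in routes if r["dest"] == "0.0.0.0" and "G" in r["flags"]):
        gw = ipaddress.ip_address(d["gw"])
        onlink = [r for r in routes if "G" not in r["flags"] and gw in _net(r)]
        if onlink:
            best = min(onlink, key=lambda r: (-_net(r).prefixlen, r["metric"]))
            if best["iface"] != d["iface"]:
                found.append((d["iface"], best["iface"], d["gw"]))
    return found

if __name__ == "__main__":
    print(ambiguous_routes(parse_routes(ROUTE_N)), gateway_mismatches(parse_routes(ROUTE_N)))
```

On the posted table both checks fire; once the 192.168.0.0 routes carry distinct metrics with eth2 lowest, as suggested in the reply, neither does.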