Etienne,

I don't know why those instructions didn't work; they might be out of date. The only thing you should need to do is:

$ cd devstack
$ cp samples/local.conf .

Then edit local.conf, adding this line:

Q_AGENT=linuxbridge

The OVS firewall driver isn't supported with Linuxbridge, so something is getting configured wrong for you. Here's the output of those commands with one instance running (the security group rules are in the iptables neutron-linuxbri-* chains):

# Generated by ebtables-save v1.0 on Wed Jun 24 14:47:29 EDT 2020 *broute :BROUTING ACCEPT *nat :PREROUTING ACCEPT :OUTPUT ACCEPT :POSTROUTING ACCEPT :neutronMAC-tap4d964d27-f1 DROP :neutronARP-tap4d964d27-f1 DROP -A PREROUTING -i tap4d964d27-f1 -j neutronMAC-tap4d964d27-f1 -A PREROUTING -p ARP -i tap4d964d27-f1 -j neutronARP-tap4d964d27-f1 -A neutronMAC-tap4d964d27-f1 -i tap4d964d27-f1 --among-src fa:16:3e:fc:11:5d, -j RETURN -A neutronARP-tap4d964d27-f1 -p ARP --arp-ip-src 10.0.0.52 -j ACCEPT *filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT # Generated by iptables-save v1.6.1 on Wed Jun 24 14:48:14 2020 *raw :PREROUTING ACCEPT [44786:17706194] :OUTPUT ACCEPT [43058:17506872] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-PREROUTING - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A OUTPUT -j neutron-linuxbri-OUTPUT -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brqfaa76863-64 -m comment --comment "Set zone for d964d27-f1" -j CT --zone 4097 -A neutron-linuxbri-PREROUTING -i brqfaa76863-64 -m comment --comment "Set zone for d964d27-f1" -j CT --zone 4097 -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap4d964d27-f1 -m comment --comment "Set zone for d964d27-f1" -j CT --zone 4097 COMMIT # Completed on Wed Jun 24 14:48:14 2020 # Generated by iptables-save v1.6.1 on Wed Jun 24 14:48:14 2020 *mangle :PREROUTING ACCEPT [2917433:882107232] :INPUT ACCEPT [2917028:882034866] :FORWARD ACCEPT [194:18278] :OUTPUT ACCEPT [2804721:860994909] :POSTROUTING ACCEPT [2805020:861023798] -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill COMMIT # 
Completed on Wed Jun 24 14:48:14 2020 # Generated by iptables-save v1.6.1 on Wed Jun 24 14:48:14 2020 *nat :PREROUTING ACCEPT [63212:5609172] :INPUT ACCEPT [62969:5550870] :OUTPUT ACCEPT [8666:687238] :POSTROUTING ACCEPT [8692:689476] -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE -A POSTROUTING -s 172.24.4.0/24 -o enp0s3 -j MASQUERADE COMMIT # Completed on Wed Jun 24 14:48:14 2020 # Generated by iptables-save v1.6.1 on Wed Jun 24 14:48:14 2020 *filter :INPUT ACCEPT [44633:17691259] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [43095:17511784] :neutron-filter-top - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-i4d964d27-f - [0:0] :neutron-linuxbri-local - [0:0] :neutron-linuxbri-o4d964d27-f - [0:0] :neutron-linuxbri-s4d964d27-f - [0:0] :neutron-linuxbri-sg-chain - [0:0] :neutron-linuxbri-sg-fallback - [0:0] -A INPUT -j neutron-linuxbri-INPUT -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-linuxbri-FORWARD -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j 
ACCEPT -A neutron-filter-top -j neutron-linuxbri-local -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap911598f6-84 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap911598f6-84 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapde4c00d9-1a --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapde4c00d9-1a --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap78fe25bb-91 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap78fe25bb-91 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapef8fc4f1-d0 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapef8fc4f1-d0 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap96f1b960-fc --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." 
-j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap96f1b960-fc --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-INPUT -m physdev --physdev-in tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o4d964d27-f -A neutron-linuxbri-i4d964d27-f -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-i4d964d27-f -d 10.0.0.52/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-linuxbri-i4d964d27-f -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-linuxbri-i4d964d27-f -m set --match-set NIPv4e6aa58dd-5219-485c-9d0c- src -j RETURN -A neutron-linuxbri-i4d964d27-f -p icmp -j RETURN -A neutron-linuxbri-i4d964d27-f -p tcp -m tcp --dport 22 -j RETURN -A neutron-linuxbri-i4d964d27-f -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-i4d964d27-f -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-o4d964d27-f -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-o4d964d27-f -j neutron-linuxbri-s4d964d27-f -A neutron-linuxbri-o4d964d27-f -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-o4d964d27-f -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-linuxbri-o4d964d27-f -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." 
-j RETURN -A neutron-linuxbri-o4d964d27-f -j RETURN -A neutron-linuxbri-o4d964d27-f -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-o4d964d27-f -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-s4d964d27-f -s 10.0.0.52/32 -m mac --mac-source FA:16:3E:FC:11:5D -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-s4d964d27-f -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP -A neutron-linuxbri-sg-chain -m physdev --physdev-out tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i4d964d27-f -A neutron-linuxbri-sg-chain -m physdev --physdev-in tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o4d964d27-f -A neutron-linuxbri-sg-chain -j ACCEPT -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." 
-j DROP COMMIT # Completed on Wed Jun 24 14:48:14 2020 # Generated by ip6tables-save v1.6.1 on Wed Jun 24 14:48:35 2020 *raw :PREROUTING ACCEPT [312:52061] :OUTPUT ACCEPT [37:5520] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-PREROUTING - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A OUTPUT -j neutron-linuxbri-OUTPUT -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brqfaa76863-64 -m comment --comment "Set zone for d964d27-f1" -j CT --zone 4097 -A neutron-linuxbri-PREROUTING -i brqfaa76863-64 -m comment --comment "Set zone for d964d27-f1" -j CT --zone 4097 -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap4d964d27-f1 -m comment --comment "Set zone for d964d27-f1" -j CT --zone 4097 COMMIT # Completed on Wed Jun 24 14:48:35 2020 # Generated by ip6tables-save v1.6.1 on Wed Jun 24 14:48:35 2020 *mangle :PREROUTING ACCEPT [20920:4369591] :INPUT ACCEPT [20896:4367543] :FORWARD ACCEPT [4392:454320] :OUTPUT ACCEPT [1202:213915] :POSTROUTING ACCEPT [5754:689031] COMMIT # Completed on Wed Jun 24 14:48:35 2020 # Generated by ip6tables-save v1.6.1 on Wed Jun 24 14:48:35 2020 *filter :INPUT ACCEPT [306:51613] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [37:5520] :neutron-filter-top - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-i4d964d27-f - [0:0] :neutron-linuxbri-local - [0:0] :neutron-linuxbri-o4d964d27-f - [0:0] :neutron-linuxbri-s4d964d27-f - [0:0] :neutron-linuxbri-sg-chain - [0:0] :neutron-linuxbri-sg-fallback - [0:0] -A INPUT -j neutron-linuxbri-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-linuxbri-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-linuxbri-OUTPUT -A neutron-filter-top -j neutron-linuxbri-local -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." 
-j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap911598f6-84 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap911598f6-84 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapde4c00d9-1a --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapde4c00d9-1a --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap78fe25bb-91 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap78fe25bb-91 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapef8fc4f1-d0 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapef8fc4f1-d0 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap96f1b960-fc --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap96f1b960-fc --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." 
-j ACCEPT -A neutron-linuxbri-INPUT -m physdev --physdev-in tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o4d964d27-f -A neutron-linuxbri-i4d964d27-f -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN -A neutron-linuxbri-i4d964d27-f -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN -A neutron-linuxbri-i4d964d27-f -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN -A neutron-linuxbri-i4d964d27-f -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-i4d964d27-f -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN -A neutron-linuxbri-i4d964d27-f -d fd93:c6f1:57f8:0:f816:3eff:fefc:115d/128 -p udp -m udp --sport 547 --dport 546 -j RETURN -A neutron-linuxbri-i4d964d27-f -d fe80::/64 -p udp -m udp --sport 547 --dport 546 -j RETURN -A neutron-linuxbri-i4d964d27-f -p ipv6-icmp -j RETURN -A neutron-linuxbri-i4d964d27-f -m set --match-set NIPv6e6aa58dd-5219-485c-9d0c- src -j RETURN -A neutron-linuxbri-i4d964d27-f -p tcp -m tcp --dport 22 -j RETURN -A neutron-linuxbri-i4d964d27-f -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-i4d964d27-f -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-o4d964d27-f -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN -A neutron-linuxbri-o4d964d27-f -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN -A neutron-linuxbri-o4d964d27-f -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." 
-j RETURN -A neutron-linuxbri-o4d964d27-f -j neutron-linuxbri-s4d964d27-f -A neutron-linuxbri-o4d964d27-f -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP -A neutron-linuxbri-o4d964d27-f -p ipv6-icmp -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN -A neutron-linuxbri-o4d964d27-f -p udp -m udp --sport 546 --dport 547 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-o4d964d27-f -p udp -m udp --sport 547 --dport 546 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-linuxbri-o4d964d27-f -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-o4d964d27-f -j RETURN -A neutron-linuxbri-o4d964d27-f -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-o4d964d27-f -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-s4d964d27-f -s fd93:c6f1:57f8:0:f816:3eff:fefc:115d/128 -m mac --mac-source FA:16:3E:FC:11:5D -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-s4d964d27-f -s fe80::f816:3eff:fefc:115d/128 -m mac --mac-source FA:16:3E:FC:11:5D -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-s4d964d27-f -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP -A neutron-linuxbri-sg-chain -m physdev --physdev-out tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i4d964d27-f -A neutron-linuxbri-sg-chain -m physdev --physdev-in tap4d964d27-f1 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." 
-j neutron-linuxbri-o4d964d27-f -A neutron-linuxbri-sg-chain -j ACCEPT -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP COMMIT # Completed on Wed Jun 24 14:48:35 2020