Ok so maybe I am on to something here. On controller-0 we have:
nameserver 38.145.33.91
nameserver 38.145.32.66
nameserver 38.145.32.79
+ ip route
default via 192.168.24.1 dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1350 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:f4:4b:6f brd ff:ff:ff:ff:ff:ff
    inet 192.168.24.15/24 brd 192.168.24.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fef4:4b6f/64 scope link
       valid_lft forever preferred_lft forever
So we are going towards the internet (aka our DNS servers) via the undercloud.
On the undercloud we have the correct nat rules to break out:
*nat
:PREROUTING ACCEPT [3471:247475]
:INPUT ACCEPT [856:52186]
:OUTPUT ACCEPT [129545:7804244]
:POSTROUTING ACCEPT [129545:7804244]
:BOOTSTACK_MASQ - [0:0]
:DOCKER - [0:0]
-A PREROUTING -d 169.254.169.254/32 -i br-ctlplane -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j BOOTSTACK_MASQ
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A BOOTSTACK_MASQ -s 192.168.24.0/24 -d 192.168.24.0/24 -j RETURN
-A BOOTSTACK_MASQ -s 192.168.24.0/24 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
*but* in the FORWARD chain we have this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [2899:203965]
:OUTPUT ACCEPT [5947438:33329856685]
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -d 192.168.24.0/24 -p tcp -m state --state NEW -m comment --comment "140 ctlplane-subnet cidr nat ipv4" -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
Is it me or are we missing the UDP forwarding rule?
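To check the suspicion above without touching the undercloud, here is a small evaluator that walks the pasted FORWARD chain for a DNS packet from controller-0. This is an added example, not code from the bug report or from TripleO. It implements only the matches that occur in the pasted rules (-s/-d/-i/-o/-p, --dport, --state/--ctstate, "!" negation and jumps to user chains), it assumes the neutron-* and DOCKER* user chains are empty (the report does not show their contents, so in practice they may be what carries the traffic), it calls the undercloud's external interface eth0 as an assumption, and the FIX_RULES at the end are hypothetical rules written here to show what an explicit DNS allow plus a reply rule would change.

```python
"""Walk the undercloud FORWARD chain for a DNS packet from controller-0.

Added example, not code from the bug report or from TripleO. Only the iptables
matches present in the pasted rules are implemented; the neutron-* and DOCKER*
user chains are ASSUMED empty (they fall through to the next FORWARD rule).
"""
import ipaddress
import shlex
from dataclasses import dataclass

# filter table as pasted in the report; user chains declared empty (assumption)
RULES = """
:INPUT ACCEPT [0:0]
:FORWARD DROP [2899:203965]
:OUTPUT ACCEPT [5947438:33329856685]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -d 192.168.24.0/24 -p tcp -m state --state NEW -m comment --comment "140 ctlplane-subnet cidr nat ipv4" -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
"""

# Hypothetical rules (NOT from the report): allow new DNS lookups leaving the
# ctlplane subnet and let conntrack bring the answers back in.
FIX_RULES = """
-A FORWARD -s 192.168.24.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    in_if: str
    out_if: str
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


# Constructed sample packets. controller-0 (192.168.24.15) routes via the
# undercloud; "eth0" as the undercloud's outside interface is an assumption.
DNS_QUERY = Packet("192.168.24.15", "38.145.33.91", "udp", 53, "br-ctlplane", "eth0", "NEW")
DNS_REPLY = Packet("38.145.33.91", "192.168.24.15", "udp", 40123, "eth0", "br-ctlplane", "ESTABLISHED")
DNS_TCP_QUERY = Packet("192.168.24.15", "38.145.33.91", "tcp", 53, "br-ctlplane", "eth0", "NEW")
SSH_INTO_CTLPLANE = Packet("10.0.0.5", "192.168.24.15", "tcp", 22, "eth0", "br-ctlplane", "NEW")

_OPTS = {"-s": "src", "-d": "dst", "-i": "in_if", "-o": "out_if", "-p": "proto",
         "--dport": "dport", "--state": "state", "--ctstate": "state", "-j": "target"}


def parse(text):
    """Return (policies, chains) from iptables-save style lines of one table."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # chain declaration + policy
            name, policy = line[1:].split()[:2]
            policies[name] = policy                   # "-" marks a user chain
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, negate, i = {}, False, 2
            while i < len(toks):
                tok = toks[i]
                if tok == "!":
                    negate, i = True, i + 1
                elif tok in _OPTS:                    # option with one argument
                    rule[_OPTS[tok]] = (negate, toks[i + 1])
                    negate, i = False, i + 2
                elif tok in ("-m", "--comment"):      # match-extension name / comment text
                    i += 2
                else:
                    i += 1
            chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def _matches(rule, pkt):
    tests = {
        "src": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v),
        "dst": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v),
        "in_if": lambda v: pkt.in_if == v,
        "out_if": lambda v: pkt.out_if == v,
        "proto": lambda v: pkt.proto == v,
        "dport": lambda v: pkt.dport == int(v),
        "state": lambda v: pkt.state in v.split(","),
    }
    for key, test in tests.items():
        if key in rule:
            negate, value = rule[key]
            if test(value) == negate:                 # mismatch, or negated match
                return False
    return True


def verdict(policies, chains, chain, pkt):
    """First terminal target hit in `chain`; chain policy if nothing matches."""
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = rule["target"][1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains:                          # jump into a user chain
            result = verdict(policies, chains, target, pkt)
            if result is not None:
                return result                         # user chain decided
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy


def forward_verdict(ruleset, pkt):
    policies, chains = parse(ruleset)
    return verdict(policies, chains, "FORWARD", pkt)


def check_dns_path(ruleset):
    """Verdicts for the four sample packets against `ruleset`."""
    return {name: forward_verdict(ruleset, pkt) for name, pkt in
            [("dns_query", DNS_QUERY), ("dns_reply", DNS_REPLY),
             ("dns_tcp_query", DNS_TCP_QUERY), ("ssh_into_ctlplane", SSH_INTO_CTLPLANE)]}


if __name__ == "__main__":
    for label, ruleset in (("as pasted", RULES), ("with hypothetical fix", RULES + FIX_RULES)):
        print(label, check_dns_path(ruleset))
```

Under these assumptions the UDP query, the UDP reply and even a DNS-over-TCP query from controller-0 all fall through to the FORWARD DROP policy, because the only ACCEPT rule in the pasted chain matches on -d 192.168.24.0/24 (new TCP going *into* the ctlplane), and the only RELATED,ESTABLISHED rule is restricted to -o docker0. Whether this is the real cause depends on what the neutron-* chains contain, which the report does not show, so the next check on the box is iptables -t filter -L neutron-openvswi-FORWARD -nv and a watch of the FORWARD policy counters while a lookup is attempted.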