Comment 5 for bug 1750880

Michele Baldessari (michele) wrote : Re: [queens promotion] fs035 is failing to deploy the overcloud - pcsd times out while starting

Ok so maybe I am on to something here. On controller-0 we have:
nameserver 38.145.33.91
nameserver 38.145.32.66
nameserver 38.145.32.79

+ ip route
default via 192.168.24.1 dev eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1350 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:f4:4b:6f brd ff:ff:ff:ff:ff:ff
    inet 192.168.24.15/24 brd 192.168.24.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fef4:4b6f/64 scope link
       valid_lft forever preferred_lft forever

So we are going towards the internet (aka our DNS servers) via the undercloud.

On the undercloud we have the correct NAT rules to break out:
*nat
:PREROUTING ACCEPT [3471:247475]
:INPUT ACCEPT [856:52186]
:OUTPUT ACCEPT [129545:7804244]
:POSTROUTING ACCEPT [129545:7804244]
:BOOTSTACK_MASQ - [0:0]
:DOCKER - [0:0]
-A PREROUTING -d 169.254.169.254/32 -i br-ctlplane -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j BOOTSTACK_MASQ
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A BOOTSTACK_MASQ -s 192.168.24.0/24 -d 192.168.24.0/24 -j RETURN
-A BOOTSTACK_MASQ -s 192.168.24.0/24 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN

*but* in the FORWARD chain we have this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [2899:203965]
:OUTPUT ACCEPT [5947438:33329856685]
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -d 192.168.24.0/24 -p tcp -m state --state NEW -m comment --comment "140 ctlplane-subnet cidr nat ipv4" -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

Is it me or are we missing the UDP forwarding rule?
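
The check described in the comment above, as an added example that is not part of the original comment or of the project's code: a Python pass over the FORWARD policy and rules quoted there, reporting which protocols have no direct ACCEPT naming the ctlplane subnet while the chain policy is DROP. The function names are hypothetical, and the script assumes only rules in FORWARD itself matter: jumps to other chains (neutron-*, DOCKER) and interface-only rules are not evaluated.

```python
import ipaddress
import shlex

# Constructed sample: the FORWARD policy and rules quoted in the comment above.
SAMPLE = """\
*filter
:FORWARD DROP [2899:203965]
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -d 192.168.24.0/24 -p tcp -m state --state NEW -m comment --comment "140 ctlplane-subnet cidr nat ipv4" -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
"""

def _opts(tokens):  # map -s/-d/-p/-j to (value, negated) for one rule
    return {t: (tokens[i + 1], i > 0 and tokens[i - 1] == "!")
            for i, t in enumerate(tokens[:-1]) if t in ("-s", "-d", "-p", "-j")}

def direct_accepts(ruleset, subnet, chain="FORWARD"):
    """Return (policy, protocols) for ACCEPT rules in `chain` that name `subnet`."""
    net, policy, protos = ipaddress.ip_network(subnet), None, set()
    for line in ruleset.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        if not line.startswith(f"-A {chain} "):
            continue
        opts = _opts(shlex.split(line))
        if opts.get("-j", ("", False))[0] != "ACCEPT":
            continue
        addrs = [opts[k] for k in ("-s", "-d") if k in opts]
        if not any(not neg and ipaddress.ip_network(a, strict=False).overlaps(net)
                   for a, neg in addrs):
            continue  # rule does not (positively) match the subnet by address
        proto, neg = opts.get("-p", ("all", False))
        if not neg:
            protos.add(proto)
    return policy, protos

def uncovered(ruleset, subnet, needed=("tcp", "udp")):
    """Protocols with no direct ACCEPT for `subnet` when the chain policy is DROP."""
    policy, protos = direct_accepts(ruleset, subnet)
    if policy != "DROP" or "all" in protos:
        return []
    return [p for p in needed if p not in protos]

if __name__ == "__main__":
    print(uncovered(SAMPLE, "192.168.24.0/24"))
```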