Hi Julian,

I've got several MAAS servers that seem to suffer the same fate, depending on what your definition of "Access the internet" is.

We first saw this at the Orange Box sprint in London where nodes could be deployed via d-i which was pulling packages from MAAS's squid-deb-proxy, IIRC, however they couldn't pull packages afterwards from ppa.launchpad.net or "the internet" in general (e.g. I couldn't ssh to a node and then wget a file from somewhere else).

A good example of this was when we tried using juju to deploy certain charms that pull from places like github, the charms would fail because those sites were unreachable from the node itself (but not from the MAAS Server). So we configured NAT to allow the nodes to pass through to the internet to reach "anywhere".

In our immediate case with certification, we have several NUCs that are configured as MAAS servers for deploying both the OS and certification tools.

So here is IP Tables after a fresh reboot of my NUC running the latest 14.04 MAAS:

ubuntu@critical-maas:~$ sudo iptables -L
[sudo] password for ubuntu:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ubuntu@critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ubuntu@critical-maas:~$

ubuntu@critical-maas:~$ COLUMNS=150 dpkg -l |grep maas
ii  maas                            1.5+bzr2252-0ubuntu1  all  MAAS server all-in-one metapackage
ii  maas-cli                        1.5+bzr2252-0ubuntu1  all  MAAS command line API tool
ii  maas-cluster-controller         1.5+bzr2252-0ubuntu1  all  MAAS server cluster controller
ii  maas-common                     1.5+bzr2252-0ubuntu1  all  MAAS server common files
ii  maas-dhcp                       1.5+bzr2252-0ubuntu1  all  MAAS DHCP server
ii  maas-dns                        1.5+bzr2252-0ubuntu1  all  MAAS DNS server
ii  maas-region-controller          1.5+bzr2252-0ubuntu1  all  MAAS server complete region controller
ii  maas-region-controller-min      1.5+bzr2252-0ubuntu1  all  MAAS Server minimum region controller
ii  maas-test                       0.1+bzr147+150+10~pp  all  Utility to test hardware compatibility with MAAS
ii  python-django-maas              1.5+bzr2252-0ubuntu1  all  MAAS server Django web framework
ii  python-maas-client              1.5+bzr2252-0ubuntu1  all  MAAS python API client
ii  python-maas-provisioningserver  1.5+bzr2252-0ubuntu1  all  MAAS server provisioning libraries

Now I have the server installed and try a couple things to see if my node can talk to the internet:

ubuntu@supermicro:~$ host ubuntu.com
ubuntu.com has address 91.189.94.156
ubuntu.com mail is handled by 10 mx.canonical.com.

ubuntu@supermicro:~$ sudo ping -c 10 www.ubuntu.com
PING www.ubuntu.com (91.189.89.103) 56(84) bytes of data.

--- www.ubuntu.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9071ms

I am able to install something:

ubuntu@supermicro:~$ sudo apt-get install ksh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ksh
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 1,583 kB of archives.
After this operation, 3,229 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com//ubuntu/ trusty/universe ksh amd64 93u+20120801-1 [1,583 kB]
Fetched 1,583 kB in 7s (223 kB/s)
Selecting previously unselected package ksh.
(Reading database ... 69996 files and directories currently installed.)
Preparing to unpack .../ksh_93u+20120801-1_amd64.deb ...
Unpacking ksh (93u+20120801-1) ...
Processing triggers for man-db (2.6.7.1-1) ...
Setting up ksh (93u+20120801-1) ...
update-alternatives: using /bin/ksh93 to provide /bin/ksh (ksh) in auto mode

but is that going through the squid deb proxy? Because I am unable to manually touch archive.ubuntu.com:

--2014-04-22 18:38:29--  http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.92.200, 91.189.91.13, 91.189.91.14, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.92.200|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.13|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... failed: Connection timed out.

So now I start NAT:

ubuntu@critical-maas:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ubuntu@critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

And try again:

ubuntu@supermicro:~$ wget http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
--2014-04-22 18:46:23--  http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.14, 91.189.92.201, 91.189.92.200, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1583190 (1.5M) [application/x-debian-package]
Saving to: ‘ksh_93u+20120801-1_amd64.deb’

100%[================================================================================================>] 1,583,190 173KB/s in 5.9s

2014-04-22 18:46:29 (262 KB/s) - ‘ksh_93u+20120801-1_amd64.deb’ saved [1583190/1583190]

et voila!

I don't have anything fancy set up here... my setup is literally:

node <--1Gb--> Cheap 8port Switch <--1Gb--> NUC <--1Gb-->
Ext. LAN cheap 8 port switch <-- 1Gb --> Gateway <--10Mb DSL --> Internet

I am not doing any weird packet filtering or other firewalling on my external connection, nor anywhere else. Nothing sitting in a DMZ.

So my theory is that by default, I am able to install things via archive.ubuntu and maybe even ppa.launchpad because of the deb proxy running on the MAAS server, however, as soon as I try any other type of request directly from the node, it fails without something like NAT on the MAAS server to pass traffic.
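
Added example, not part of the original post: `iptables -L` without `-v` omits the interface columns, so the listings above do not show how widely the MASQUERADE and FORWARD rules apply. The script below prints NAT rules limited to one node subnet and one interface pair; eth0, eth1 and 10.0.0.0/24 are assumed values that do not come from the post.

```shell
#!/bin/sh
# Added example: emit (or apply) NAT rules limited to one node subnet.
# EXT_IF, INT_IF and SUBNET are assumptions; the post does not give them.

# Print the commands for a scoped NAT setup, one per line.
# Arguments: external interface, node-facing interface, node subnet (CIDR).
nat_rules() {
    ext_if=$1 int_if=$2 subnet=$3

    # Accept only plain interface names and an IPv4 CIDR, so the
    # generated lines are safe to hand to a shell.
    for ifname in "$ext_if" "$int_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$subnet" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || {
        echo "bad subnet: $subnet" >&2; return 1; }
    [ "$ext_if" != "$int_if" ] || { echo "interfaces must differ" >&2; return 1; }

    # With the FORWARD policy left at ACCEPT the two ACCEPT rules change
    # nothing, so the last line sets it to DROP. That also stops any other
    # forwarding this host does (bridged VMs or containers, for instance).
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $subnet -o $ext_if -j MASQUERADE
iptables -A FORWARD -i $int_if -o $ext_if -s $subnet -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Dry run by default; APPLY=1 (as root) executes each generated command.
# Constructed sample values: eth0 = external LAN, eth1 = node network.
main() {
    rules=$(nat_rules "${EXT_IF:-eth0}" "${INT_IF:-eth1}" "${SUBNET:-10.0.0.0/24}") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do $cmd || exit 1; done
    else
        printf '%s\n' "$rules"
    fi
}

main
```

After applying, `sudo iptables -L -v -n` and `sudo iptables -t nat -L -v -n` show the in/out interface and source columns, which confirms the scope of each rule.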