[ubuntu-cloud] [SOLVED] Re: Introducing myself and first question
Mirto Silvio Busico
mirtosilvio.busico at fastwebnet.it
Sun Feb 20 17:13:03 UTC 2011
On 17/02/2011 09:51, Mirto Silvio Busico wrote:
> Hello Torsten,
> thanks for your timely reply
>
> On 17/02/2011 08:23, Torsten Spindler wrote:
>> Hello Mirto,
>>
>> thanks for providing the additional information!
>>
>>
>> On Wed, 2011-02-16 at 20:09 +0100, Mirto Silvio Busico wrote:
>> ...
>>> The NC machine is able to ping and ssh the frontend (192.168.1.64) but
>>> doesn't reach the client (192.168.1.127 that is also the gateway to
>>> reach internet)
>>>
>>> The path should be: NC (192.168.64.2) --> FrontEnd (eth0
>>> 192.168.64.1)--> FrontEnd (eth1 192.168.1.127) --> client (eth0
>>> 192.168.1.127) --> client (wlan0 10.94.169.14) -->ISP wireless router
>>> (10.94.169.1) --> ISP and Internet
>>>
>>> On the client routing and masquerading is done with shorewall
>> The problem here is that your front-end is trying to serve a dual
>> purpose role, one time as UEC front-end, one time as router for the NC.
>> According to
>> http://open.eucalyptus.com/wiki/EucalyptusNetworkConfiguration_v2.0
>> this is not recommended, as Eucalyptus and hence UEC will flush your
>> firewall rules from the front-end and apply its own logic, quoting that
>> page:
>> "You are not running a firewall on the front end (CC) or your firewall
>> is compatible with the dynamic changes performed by Eucalyptus when
>> working with security groups. (Note that Eucalyptus will flush the
>> 'filter' and 'nat' tables upon boot)."
> Very interesting page! I'll study it.
>> Though also mentioned on the above page is the ability to add rules to a
>> preload file, with which I admit to have no experience:
>> "iptables-save > $EUCALYPTUS/var/run/eucalyptus/net/iptables-preload"
>>
>> Or, in other words, I suspect that UEC's firewall rules on the front-end
>> hinder the traffic coming from the NCs and going to your client
>> computer. Would it be possible to use a different system as router for
>> the NCs? This would be the easiest way to test.
> I'll try to investigate this evening
>> Regards,
>> Torsten
>>
>>
>>
> Thanks again
> Mirto
>
Hello Torsten,
The problem was that the frontend forwards the internal network packets
untouched.
So the client receives (on eth0) packets with NC (192.168.64.2) source.
To solve the problem, I just added, on the client, a route back to the
internal network, through the frontend.
In my configuration
NC (192.168.64.2) --> FrontEnd (eth0 192.168.64.1)
--> FrontEnd (eth1 192.168.1.64) -->
client (eth0 192.168.1.127) --> client (wlan0 10.94.169.14) -->
ISP wireless router (10.94.169.1) --> ISP and Internet
I added to the eth0 client interface:
up route add -net 192.168.64.0 netmask 255.255.255.0 gw 192.168.1.64
This solved the problem and the NC is able to get software updates from
the Internet.
Thanks for the collaboration
Mirto
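
An added illustration, not part of the original post: the longest-prefix route lookup the client performs for its replies to the NC, before and after the route described above. The client's connected-network entries and their /24 masks are assumptions; the addresses and the 192.168.64.0 route come from the message.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: Optional[str]  # None means directly connected
    dev: str


def route(net, netmask, gateway, dev):
    return Route(ipaddress.ip_network(f"{net}/{netmask}"), gateway, dev)


def lookup(table, addr):
    """Return the most specific route covering addr (longest-prefix match)."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None


def reply_next_hop(table, nc="192.168.64.2"):
    """Where the client sends a reply addressed to the NC: (next hop, device)."""
    r = lookup(table, nc)
    if r is None:
        return None
    return (r.gateway or nc, r.dev)


# Constructed client routing table; /24 masks on the first two entries are assumed.
CLIENT_BEFORE = [
    route("192.168.1.0", "255.255.255.0", None, "eth0"),
    route("10.94.169.0", "255.255.255.0", None, "wlan0"),
    route("0.0.0.0", "0.0.0.0", "10.94.169.1", "wlan0"),  # default via ISP router
]
# The route from the message: 192.168.64.0/24 via the front end's eth1 address.
CLIENT_AFTER = CLIENT_BEFORE + [
    route("192.168.64.0", "255.255.255.0", "192.168.1.64", "eth0"),
]

if __name__ == "__main__":
    # Before: the reply follows the default route out wlan0 and never reaches the NC.
    print("before:", reply_next_hop(CLIENT_BEFORE))
    # After: the reply goes back through the front end on eth0.
    print("after: ", reply_next_hop(CLIENT_AFTER))
```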