apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

With VR + VNF + L2 Network, the VMs in L2 Network cannot be reached from the Internet (But the opposite is possible) #9791

Open btzq opened 1 month ago

btzq commented 1 month ago
ISSUE TYPE
COMPONENT NAME
VR + VNF
CLOUDSTACK VERSION
4.19.1
CONFIGURATION

Advanced Networking VPC VNF + L2 Network

OS / ENVIRONMENT
SUMMARY

We have 1 VPC and 1 L2 Network connected together with a VNF (PFsense) in between.

Results Summary:

Background: We've allowed any on the VNF firewall rules, as attached in the screenshots below:

(screenshot)

Traffic is allowed any on the 10.26.1.254 interface.

(screenshot)

Traffic is allowed any on 10.26.8.254.

We then run some tests.

Test 1: From L2 VM (10.26.8.230) to VPC VM (10.26.1.250)

(screenshot)

Results: Ping and traceroute test from 10.26.8.230 to 10.26.1.250 works as expected. (PASS)

(screenshot)

Test 2: From VPC VM (10.26.1.250) to L2 VM (10.26.8.230)

(screenshot)

Results: Ping and traceroute test from 10.26.1.250 to 10.26.8.230 is not possible. (FAILED)

(screenshot)

Test 3: From L2 VM (10.26.8.230) to Private Gateway VM (10.88.5.82)

(screenshot)

Results: Ping and traceroute test from 10.26.8.230 to 10.88.5.82 works as expected. (PASS)

Test 4: From Private Gateway VM (10.88.5.82) to L2 VM (10.26.8.230)

(screenshot)

Results: Ping and traceroute test from 10.88.5.82 to 10.26.8.230 does not work. (FAILED)

(screenshot)

We've been trying to debug Tests 2 and 4 for a while now with no success. Does anyone have any ideas? Or is CloudStack designed not to allow this to be possible?

STEPS TO REPRODUCE
NA
EXPECTED RESULTS
Tests 2 and 4 should be able to work
ACTUAL RESULTS
Tests 2 and 4 do not work
weizhouapache commented 1 month ago

@btzq it looks like a route to 10.26.8.0/24 is missing in the VPC VR. You can retry after adding a route manually:

ip route add 10.26.8.0/24 via 10.26.1.254
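To make the asymmetric-routing reading of Tests 1 and 2 concrete, here is an added example (not code from the CloudStack project or from anyone in this thread): a small Python longest-prefix-match simulation of the topology described in the issue. The addresses 10.26.8.230, 10.26.1.250, 10.26.8.254 and 10.26.1.254 come from the issue; the VPC VR's tier address 10.26.1.1, the VNF's default route pointing at the VR, and the node names are assumptions, and a packet the VR sends toward its public side is simply modelled as lost.

```python
"""Toy longest-prefix-match routing model of the VPC + VNF + L2 topology from
the issue. Added example, not CloudStack code. Addresses 10.26.8.230,
10.26.1.250, 10.26.8.254 and 10.26.1.254 are from the issue; the VPC VR tier
address 10.26.1.1, the VNF's default route and the node names are assumptions.
"""
import copy
import ipaddress

# Each node: its interface addresses and a route table of (prefix, next hop).
# A next hop of "direct" means the destination is on-link; a next hop that no
# node owns (here the VR's public side) means the packet leaves the model.
NODES = {
    "l2-vm": {
        "addrs": {"10.26.8.230"},
        "routes": [("10.26.8.0/24", "direct"), ("0.0.0.0/0", "10.26.8.254")],
    },
    "vnf": {  # pfSense, one leg in each network; default via the VPC VR (assumed)
        "addrs": {"10.26.8.254", "10.26.1.254"},
        "routes": [("10.26.8.0/24", "direct"), ("10.26.1.0/24", "direct"),
                   ("0.0.0.0/0", "10.26.1.1")],
    },
    "vpc-vr": {  # knows its own tier plus a default toward the public side only
        "addrs": {"10.26.1.1"},
        "routes": [("10.26.1.0/24", "direct"), ("0.0.0.0/0", "public-side")],
    },
    "vpc-vm": {
        "addrs": {"10.26.1.250"},
        "routes": [("10.26.1.0/24", "direct"), ("0.0.0.0/0", "10.26.1.1")],
    },
}


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def owner(nodes, ip):
    """Name of the node holding address ip, or None if nobody in the model does."""
    for name, node in nodes.items():
        if ip in node["addrs"]:
            return name
    return None


def trace(nodes, src, dst, max_hops=8):
    """Follow next hops from src's node; the last element says how it ended."""
    cur = owner(nodes, src)
    if cur is None:
        return ["UNKNOWN_SRC"]
    path = [cur]
    for _ in range(max_hops):
        nh = lookup(nodes[cur]["routes"], dst)
        if nh is None:
            return path + ["NO_ROUTE"]
        target = dst if nh == "direct" else nh
        nxt = owner(nodes, target)
        if nxt is None:
            # destination not on the link, or a hop outside the modelled topology
            return path + ["LOST:" + target]
        path.append(nxt)
        if nh == "direct":
            return path + ["DELIVERED"]
        cur = nxt
    return path + ["LOOP"]


def with_static_route(nodes):
    """Copy of the topology where the VPC VR has the route suggested above:
    ip route add 10.26.8.0/24 via 10.26.1.254 (the VNF's tier-side address)."""
    fixed = copy.deepcopy(nodes)
    fixed["vpc-vr"]["routes"].append(("10.26.8.0/24", "10.26.1.254"))
    return fixed


if __name__ == "__main__":
    for label, topo in (("without route", NODES), ("with route", with_static_route(NODES))):
        print(label)
        print("  Test 1  L2 VM -> VPC VM:", " -> ".join(trace(topo, "10.26.8.230", "10.26.1.250")))
        print("  Test 2  VPC VM -> L2 VM:", " -> ".join(trace(topo, "10.26.1.250", "10.26.8.230")))
```

Without the route, the forward direction reaches the VPC VM through the VNF's connected interface, while the reply from the VPC VM hits the VR's default route and never comes back; with the route on the VR the reply follows the VNF's tier-side leg to the L2 VM. The model contains no packet filtering at all, so it reproduces the missing-route failure only; the VNF's own rules and the tier's network ACL are not represented.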
btzq commented 1 month ago

Hey @weizhouapache, but this would require the operator to manually intervene, right? And if the router is destroyed (e.g. CleanUp), this setting will disappear, and it will need to be re-added manually.

Is there another way to do it?

weizhouapache commented 1 month ago

> Hey @weizhouapache, but this would require the operator to manually intervene, right? And if the router is destroyed (e.g. CleanUp), this setting will disappear, and it will need to be re-added manually.

@btzq correct.

> Is there another way to do it?

No. Currently static routes only apply to the VPC private gateway. https://cloudstack.apache.org/api/apidocs-4.19/apis/createStaticRoute.html

We have a plan to extend it to support VPC and isolated networks, probably in the next major release (4.21).

btzq commented 1 month ago

@weizhouapache I see, looking forward to this enhancement then!

Should I close this ticket? Or leave it open to track this request?

weizhouapache commented 1 month ago

> @weizhouapache I see, looking forward to this enhancement then!
>
> Should I close this ticket? Or leave it open to track this request?

You can keep it open.

By the way: have you tested the manual static route? Does it work in your case?

btzq commented 1 month ago

@weizhouapache We tried your solution and it did not work.

After we've added the route, the VR is able to reach the destination, but source to destination still wouldn't work.

weizhouapache commented 1 month ago

> @weizhouapache We tried your solution and it did not work.
>
> After we've added the route, the VR is able to reach the destination, but source to destination still wouldn't work.

What are the network ACL rules of the VPC tier? Allow all?