
I have spun up a stack in OpenStack Ocata containing the three VMs for the firewall demo. I am able to connect to http://<sink-ip>:667/ and can see some graphics. But there is no traffic at all. I can see in pgn & fwl that there is some VPN setup with vpp, but I cannot see any real traffic on (un)protected_network.

I used

curl -X PUT \
  -H "Authorization: Basic YWRtaW46YWRtaW4=" \
  -H "Content-Type: application/json" \
  -H "Cache-Control: no-cache" \
  -H "Postman-Token: 9005870c-900b-2e2e-0902-ef2009bb0ff7" \
  -d '{"pg-streams":{"pg-stream":[
        {"id":"fw_udp1","is-enabled":"true"},{"id":"fw_udp2","is-enabled":"true"},
        {"id":"fw_udp3","is-enabled":"true"},{"id":"fw_udp4","is-enabled":"true"},
        {"id":"fw_udp5","is-enabled":"true"},{"id":"fw_udp6","is-enabled":"true"},
        {"id":"fw_udp7","is-enabled":"true"},{"id":"fw_udp8","is-enabled":"true"},
        {"id":"fw_udp9","is-enabled":"true"},{"id":"fw_udp10","is-enabled":"true"}
      ]}}' \
  "http://localhost:8183/restconf/config/sample-plugin:sample-plugin/pg-streams"


to trigger some messages ... with no success. Is there any documentation available which helps to understand what the vFW stack does?


    2 answers

    1.  

      Hi Josef,

      Please make sure that your OpenStack security group has the ports open like this

      Direction  Ether Type  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group
      Ingress    IPv4        TCP          1 - 65535   0.0.0.0/0         -
      Ingress    IPv4        TCP          22 (SSH)    0.0.0.0/0         -
      Ingress    IPv4        UDP          1 - 65535   0.0.0.0/0         -
      Ingress    IPv4        UDP          53          0.0.0.0/0         -

      Also, could you run these commands:

      in the packet generator: tcpdump -i eth1

      in the firewall: tcpdump -i eth2

      You should see traffic flowing through:

      14:16:11.384577 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
      14:16:11.484337 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
      14:16:11.584315 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
      14:16:11.684496 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
      14:16:11.784383 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120

      Please let us know.

      1. Josef Reisinger

        Hi Marco, I created an SG like the one above, just to be sure (the default one is 100% open like the one above, but who knows). When trying to attach it to a running instance, I got an error. Funnily enough, restarting the demo now works.

        Thanks for your advice anyway, it seems to have some hidden "healing" effect (smile)

      2. Marco Platania

        I'm glad to see that it works. Most of the time, changing the SG requires a VM reboot to take effect.

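      As an added example (not code from this thread or from the vFW demo itself), the script below turns tcpdump's default one-line output, such as the lines Marco posted, into a per-flow summary: packet count, bytes and mean inter-arrival time, plus a yes/no check that UDP from the packet generator is reaching the sink address and port. The capture embedded in it is constructed from those five lines plus an ARP line and an SSH line to show unrelated traffic being skipped or kept in its own flow; the generator address 192.168.10.200 and sink 192.168.20.250:8080 (http-alt) are assumptions read off that output and can be passed as parameters.

```python
"""Per-flow summary of tcpdump output, to check that the vFW demo stream is really flowing.
Added example; not code from the original thread or from the demo itself."""
from __future__ import annotations
import re
import sys
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the five UDP lines from the answer above plus an ARP line and a
# TCP line, to show non-matching traffic being skipped or kept in its own flow.
SAMPLE_CAPTURE = """\
14:16:11.384577 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
14:16:11.484337 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
14:16:11.584315 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
14:16:11.684496 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
14:16:11.784383 IP 192.168.10.200.15320 > 192.168.20.250.http-alt: UDP, length 120
14:16:11.801002 ARP, Request who-has 192.168.20.250 tell 192.168.20.100, length 28
14:16:12.001230 IP 192.168.20.100.ssh > 10.0.0.5.51514: Flags [P.], seq 1:37, ack 1, win 227, length 36
"""

# tcpdump prints service names unless run with -nn; map the ones that matter here.
PORT_NAMES = {"http-alt": 8080, "http": 80, "ssh": 22, "domain": 53}
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{1,6}) IP (\S+) > (\S+): (.*)$")


@dataclass
class FlowStats:
    count: int = 0
    bytes: int = 0
    first: float = 0.0
    last: float = 0.0

    @property
    def mean_gap(self) -> float:
        """Mean inter-arrival time in seconds (0.0 for a single packet)."""
        return (self.last - self.first) / (self.count - 1) if self.count > 1 else 0.0


def _port(text: str) -> int | str:
    return int(text) if text.isdigit() else PORT_NAMES.get(text, text)


def parse_line(line: str) -> tuple | None:
    """Parse one default-format tcpdump line into (ts, proto, src, sport, dst, dport, length).
    Returns None for non-IP lines such as ARP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, frac, src, dst, rest = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac.ljust(6, "0")) / 1e6
    proto = "UDP" if rest.startswith("UDP") else "TCP" if rest.startswith("Flags") else "OTHER"
    if proto == "OTHER":          # ICMP etc.: the address carries no port
        sport = dport = 0
    else:                         # the last dotted component of the address is the port
        src, sport = src.rsplit(".", 1)
        dst, dport = dst.rsplit(".", 1)
        sport, dport = _port(sport), _port(dport)
    lm = re.search(r"length (\d+)", rest)
    length = int(lm.group(1)) if lm else 0
    return ts, proto, src, sport, dst, dport, length


def summarize(capture: str) -> dict[tuple, FlowStats]:
    """Group packets by (proto, src, sport, dst, dport) and accumulate counts and timing."""
    flows: dict[tuple, FlowStats] = defaultdict(FlowStats)
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        ts, proto, src, sport, dst, dport, length = p
        st = flows[(proto, src, sport, dst, dport)]
        if st.count == 0:
            st.first = ts
        st.last = ts
        st.count += 1
        st.bytes += length
    return dict(flows)


def demo_flow_ok(flows: dict[tuple, FlowStats], src: str = "192.168.10.200",
                 dst: str = "192.168.20.250", dport: int = 8080, min_pkts: int = 3) -> bool:
    """True if at least min_pkts UDP packets from the generator reached the sink port.
    The default addresses are assumptions taken from the tcpdump output in the answer."""
    return any(k[0] == "UDP" and k[1] == src and k[3] == dst and k[4] == dport and st.count >= min_pkts
               for k, st in flows.items())


def report(flows: dict[tuple, FlowStats]) -> str:
    rows = [f"{proto:5} {src}:{sport} -> {dst}:{dport}  pkts={st.count} bytes={st.bytes} "
            f"mean_gap={st.mean_gap * 1000:.1f}ms"
            for (proto, src, sport, dst, dport), st in sorted(flows.items(), key=lambda kv: -kv[1].count)]
    return "\n".join(rows) or "no IP packets parsed: check the interface name and the security groups"


if __name__ == "__main__":
    # Reads a capture from stdin when piped, otherwise runs on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    flows = summarize(text)
    print(report(flows))
    print("demo traffic seen" if demo_flow_ok(flows) else "no demo traffic seen")
```

      Pipe a live capture into it, e.g. `sudo tcpdump -i eth1 -nn -l -c 100 | python3 flows.py` (with -nn tcpdump prints numeric ports, which the parser accepts as well). An empty report on the generator's eth1 points at the generator or the security group; packets on eth1 but none on the firewall's eth2 point at the network in between. One caveat on the security group itself: the rules above open every TCP and UDP port to 0.0.0.0/0, which is fine for an isolated demo tenant; on a shared cloud, narrow the remote prefix to the demo networks once traffic is confirmed.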
    2.  

      Hi Josef,

      We faced a similar issue while working on the vFW scenario. What we observed in our case is that iptables had filtering rules that were dropping the packets.

      We cleared the iptables rules on pg, fw and sink using the following commands:

      # clear iptables
      iptables -F
      iptables -P INPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -P OUTPUT ACCEPT


      You can check iptables using the "iptables -L -v" command.

      A second possible reason why packets are not flowing is that port security is enabled in your OpenStack Neutron configuration. Port security should be disabled; you will need admin rights for OpenStack.
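      Flushing every rule on all three VMs and setting the policies to ACCEPT is the broad fix; it also removes whatever else the image's firewall was doing. As an added example (not code from this thread or from the demo), the script below reads the `iptables -L -v -n` listing suggested above and points at the specific chain policies and rules that have actually discarded packets (DROP or REJECT with a non-zero counter), together with the single command that neutralises each one. The listing it ships with is constructed; the eth1/eth2 interface names and the 192.168.20.250:8080 destination in it are assumptions modelled on the first answer.

```python
"""Find which iptables chains and rules are actually discarding packets, from `iptables -L -v -n`.
Added example; not code from the original thread. Instead of flushing every rule on pg, fw and
sink, look for DROP/REJECT policies and rules whose packet counters are non-zero: those are the
ones eating the demo traffic, and each can be fixed on its own."""
from __future__ import annotations
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed listing in `iptables -L -v -n` format: INPUT has a DROP policy that has already
# discarded packets, FORWARD has one active DROP rule and one idle REJECT rule.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 37 packets, 4440 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  250 30000 DROP       udp  --  eth1   eth2    0.0.0.0/0            192.168.20.250       udp dpt:8080
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 900 packets, 108000 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
POLICY_RE = re.compile(r"policy (\S+) (\S+) packets")   # absent for user-defined chains
# columns: pkts bytes target prot opt in out source destination [match options...]
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


@dataclass
class Blocker:
    chain: str
    kind: str       # "policy" (chain default) or "rule"
    target: str     # DROP or REJECT
    pkts: int       # packets already discarded
    rule_num: int   # 1-based position in the chain; 0 for a policy
    detail: str


def parse_count(text: str) -> int:
    """iptables abbreviates large counters (30K, 2M, ...) in -v output."""
    if text and text[-1] in _SUFFIX:
        return int(float(text[:-1]) * _SUFFIX[text[-1]])
    return int(text)


def find_blockers(listing: str) -> list[Blocker]:
    """Return chain policies and rules that have discarded at least one packet."""
    out: list[Blocker] = []
    chain, rule_num = None, 0
    for line in listing.splitlines():
        cm = CHAIN_RE.match(line)
        if cm:
            chain, rule_num = cm.group(1), 0
            pm = POLICY_RE.search(cm.group(2))
            if pm and pm.group(1) in ("DROP", "REJECT") and parse_count(pm.group(2)) > 0:
                out.append(Blocker(chain, "policy", pm.group(1), parse_count(pm.group(2)), 0, ""))
            continue
        rm = RULE_RE.match(line)
        if not rm or chain is None or rm.group(1) == "pkts":   # blank or header line
            continue
        rule_num += 1
        pkts, target = parse_count(rm.group(1)), rm.group(3)
        if target in ("DROP", "REJECT") and pkts > 0:
            detail = (f"{rm.group(4)} in={rm.group(6)} out={rm.group(7)} "
                      f"{rm.group(8)} -> {rm.group(9)} {rm.group(10)}").strip()
            out.append(Blocker(chain, "rule", target, pkts, rule_num, detail))
    return out


def targeted_fix(b: Blocker) -> str:
    """The narrowest iptables command that stops this blocker, instead of a full flush.
    When deleting several rules from one chain, apply the highest rule number first,
    because numbering shifts after each deletion."""
    if b.kind == "policy":
        return f"iptables -P {b.chain} ACCEPT"
    return f"iptables -D {b.chain} {b.rule_num}"


if __name__ == "__main__":
    # `--live` reads the real table (needs root); otherwise the constructed sample is used.
    listing = SAMPLE_LISTING
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        listing = subprocess.run(["iptables", "-L", "-v", "-n"], capture_output=True,
                                 text=True, check=True).stdout
    for b in find_blockers(listing):
        print(f"{b.chain}: {b.kind} {b.target} dropped {b.pkts} pkts  {b.detail}")
        print(f"    fix: {targeted_fix(b)}")
```

      Run it on each of pg, fw and sink with `sudo python3 blockers.py --live`; a listing with no findings means iptables is not the problem and the Neutron port-security setting is the next thing to check.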

