算节点上只能ping通该实例内部IP，ping不通浮动IP

如果有应用在跑,那就不好弄了,需要重新创建网络,要删掉现有的虚拟机.

这个问题和计算节点上的IPTABLES没啥关系,主要是控制节点的.

你查一下,NAT回流问题,很多解决的办法,你现在只能手动加上规则了.收起

回复 29# zhanghao001122
1、控制节点上已经有虚拟机在跑应用了，改网络模式对控制节点上的虚拟机有影响吗？
2、计算节点上没有iptables规则，手动建立可以吗？收起

这个问题还真不太好解决,因为这些规则是openstack来管理的,即使现在手动改了,以后重启了还是会有问题.

我建议你把网络的架构改一下.收起

跟我猜测的没错,应该就是NAT回流的问题.收起

试过将自己的笔记本曾加一条到虚拟机内部IP 192.168.200.0段的路由，指向控制节点IP，用vnc进入虚拟机内部ping笔记本IP地址，可以ping通笔记本IP地址，笔记本也可以ping通虚拟机内部200段IP。收起

我现在怀疑和NAT转换有关系.可能是数据包回流的问题造成的.收起

在做一个实验.
把那个虚拟机的floating ip去掉,然后ping一台物理主机(最好不要用控制和计算节点,找个其他的机器),ping之前在那个机器上写好路由,把去往虚拟机地址的包都转发给控制节点.是在虚拟机内部ping物理主机.收起

回复 22# zhanghao001122
会不会是iptables有问题，计算节点需要配置iptables吗？
控制节点iptables：
root@hwnode1:/home/ubuntu# iptables-save -t nat
# Generated by iptables-save v1.4.21 on Wed May 20 16:19:33 2015
*nat
:PREROUTING ACCEPT [133143:41811752]
:INPUT ACCEPT [130199:41418480]
:OUTPUT ACCEPT [63379:3994496]
:POSTROUTING ACCEPT [67196:4405430]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A nova-api-snat -j nova-api-float-snat
-A nova-compute-snat -j nova-compute-float-snat
-A nova-network-OUTPUT -d 110.1.20.41/32 -j DNAT --to-destination 192.168.200.3
-A nova-network-OUTPUT -d 110.1.20.47/32 -j DNAT --to-destination 192.168.200.7
-A nova-network-OUTPUT -d 110.1.20.70/32 -j DNAT --to-destination 192.168.200.4
-A nova-network-OUTPUT -d 110.1.20.69/32 -j DNAT --to-destination 192.168.200.6
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 127.0.0.1/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.3/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.41
-A nova-network-POSTROUTING -s 192.168.200.7/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.47
-A nova-network-POSTROUTING -s 192.168.200.4/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.70
-A nova-network-POSTROUTING -s 192.168.200.6/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.69
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
-A nova-network-PREROUTING -d 110.1.20.41/32 -j DNAT --to-destination 192.168.200.3
-A nova-network-PREROUTING -d 110.1.20.47/32 -j DNAT --to-destination 192.168.200.7
-A nova-network-PREROUTING -d 110.1.20.70/32 -j DNAT --to-destination 192.168.200.4
-A nova-network-PREROUTING -d 110.1.20.69/32 -j DNAT --to-destination 192.168.200.6
-A nova-network-float-snat -s 192.168.200.3/32 -d 192.168.200.3/32 -j SNAT --to-source 110.1.20.41
-A nova-network-float-snat -s 192.168.200.3/32 -o br100 -j SNAT --to-source 110.1.20.41
-A nova-network-float-snat -s 192.168.200.7/32 -d 192.168.200.7/32 -j SNAT --to-source 110.1.20.47
-A nova-network-float-snat -s 192.168.200.7/32 -o br100 -j SNAT --to-source 110.1.20.47
-A nova-network-float-snat -s 192.168.200.4/32 -d 192.168.200.4/32 -j SNAT --to-source 110.1.20.70
-A nova-network-float-snat -s 192.168.200.4/32 -o br100 -j SNAT --to-source 110.1.20.70
-A nova-network-float-snat -s 192.168.200.6/32 -d 192.168.200.6/32 -j SNAT --to-source 110.1.20.69
-A nova-network-float-snat -s 192.168.200.6/32 -o br100 -j SNAT --to-source 110.1.20.69
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.200.0/24 -o br100 -j SNAT --to-source 110.1.20.21
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-compute-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Wed May 20 16:19:33 2015

计算节点iptables
root@hwnode2:/home/ubuntu# iptables-save -t nat
# Generated by iptables-save v1.4.21 on Wed May 20 16:20:36 2015
*nat
:PREROUTING ACCEPT [111:22279]
:INPUT ACCEPT [19:5930]
:OUTPUT ACCEPT [205:13563]
:POSTROUTING ACCEPT [273:28920]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-compute-snat -j nova-compute-float-snat
-A nova-postrouting-bottom -j nova-compute-snat
COMMIT
# Completed on Wed May 20 16:20:36 2015
root@hwnode2:/home/ubuntu#收起

回复 22# zhanghao001122
试过不行哦，只有在控制节点ping才通。收起

做这么一个实验.找一个和管理网络同一网段的机器,ping那个floating ip,别用计算节点去ping,看看能通吗收起