This is my first time setting up BOSH and Cloud Foundry on an AWS environment. Apologies if I'm asking this in the wrong group.
I've implemented the CF deployment using the minimal-aws.yml example as a basis. The problem I'm facing is that our applications need to access a remote network via VPN with a 192.168.0.0/24 address. The VPN is working happily, and DNS using our own internal DNS server is resolving correctly, so the CF-deployed containers can resolve the addresses they need. However, when they try to access any of the 192.168.0.x addresses (except DNS), the requests are never forwarded from the internal 10.254.0.2 network. Looking at the iptables rules on the diego_cell VM (iptables -L -n -v), the problem appears to be in the w--forward chain, which, after checking the w--instance-c56ch9ro828 chain (which generates a RETURN), then DROPs the request.
What I'm looking for is how to configure the deployment so that the 192.168.0.0/24 network is ACCEPTED for forwarding. I have tested by manually adding an ACCEPT rule in the w--forward chain, and there is full connectivity once that rule is added.
The iptables output (trimmed to just include the FORWARD chains) is below.
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
327 36110 w--forward all -- w+ * 0.0.0.0/0 0.0.0.0/0
Chain w--forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
67 6522 w--instance-c56ch9ro828 all -- wbrdg-0afe0000 * 10.254.0.2 0.0.0.0/0 [goto] /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain w--instance-c56ch9ro828 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.169.0.0-255.255.255.255 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
59 5016 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 172.32.0.0-192.167.255.255 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 169.255.0.0-172.15.255.255 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 11.0.0.0-169.253.255.255 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.0.0-9.255.255.255 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
4 224 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.0.0-255.255.255.255 udp dpt:53 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.0.0-255.255.255.255 tcp dpt:53 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
0 0 ACCEPT all -- * * 10.254.0.0/30 10.254.0.0/30 /* 275382a7-82d6-4d20-76fd-00e7bf0de5f7 */
4 1282 w--default all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] /* 275382a7-82d6-4d20-7
Thanks in advance.
Ross
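Added example (editor's code, not part of Ross's post or of the BOSH/Cloud Foundry projects): the per-instance chain above is a list of RETURN rules keyed on destination IP ranges, and a packet only escapes the chain if one of them matches. Read together, the five protocol-agnostic ranges leave exactly four holes, and 192.168.0.0/24 sits in one of them. The script below parses the quoted rule lines (embedded here as a constructed sample, trimmed of the trailing comments), computes the uncovered destination space, and answers "would this packet hit a RETURN rule?" for a given destination, protocol and port. It is a check worth running before touching iptables by hand: in Cloud Foundry these per-instance RETURN rules are generated from the application security groups bound to the space, so the durable fix is an ASG entry covering 192.168.0.0/24, whereas an ACCEPT inserted into w--forward on the cell opens that range for every container on the cell and is not reproduced by the deployment. The rule text, regex and function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the RETURN rules from the w--instance-c56ch9ro828 chain
# quoted in the post, with the trailing /* uuid */ comments removed.
INSTANCE_CHAIN = """\
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.169.0.0-255.255.255.255
59 5016 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 172.32.0.0-192.167.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 169.255.0.0-172.15.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 11.0.0.0-169.253.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.0.0-9.255.255.255
4 224 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.0.0-255.255.255.255 udp dpt:53
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.0.0-255.255.255.255 tcp dpt:53
"""

# Matches one `iptables -L -n -v` line carrying an iprange destination match
# and an optional single destination port.
RANGE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+(?P<proto>\S+).*?"
    r"destination IP range (?P<lo>[\d.]+)-(?P<hi>[\d.]+)"
    r"(?:\s+(?:udp|tcp) dpt:(?P<dport>\d+))?"
)


def parse_return_ranges(chain_text):
    """Return [(lo, hi, proto, dport)] for every RETURN rule with a destination range."""
    rules = []
    for line in chain_text.splitlines():
        m = RANGE_RE.search(line)
        if not m or m.group("target") != "RETURN":
            continue
        rules.append((int(ipaddress.IPv4Address(m.group("lo"))),
                      int(ipaddress.IPv4Address(m.group("hi"))),
                      m.group("proto"),
                      int(m.group("dport")) if m.group("dport") else None))
    return rules


def uncovered_ranges(rules):
    """Destination space matched by no protocol-agnostic RETURN rule.

    Traffic to these addresses (other than the port-specific exceptions) never
    RETURNs and instead falls through to the goto'd default chain.
    """
    covered = sorted((lo, hi) for lo, hi, proto, dport in rules
                     if proto == "all" and dport is None)
    gaps, cursor = [], 0
    for lo, hi in covered:
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)          # ints, so no IPv4Address overflow
    if cursor <= 0xFFFFFFFF:
        gaps.append((cursor, 0xFFFFFFFF))
    return gaps


def gaps_as_networks(gaps):
    """Collapse (lo, hi) integer ranges into CIDR blocks for readability."""
    nets = []
    for lo, hi in gaps:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    return nets


def is_returned(rules, dst, proto="tcp", dport=None):
    """Would a packet to dst/proto/dport hit a RETURN rule in the instance chain?"""
    d = int(ipaddress.IPv4Address(dst))
    for lo, hi, rproto, rdport in rules:
        if rproto != "all" and rproto != proto:
            continue
        if rdport is not None and rdport != dport:
            continue
        if lo <= d <= hi:
            return True
    return False


def blocked_overlap(rules, cidr):
    """Uncovered blocks that overlap cidr; empty means the whole cidr is RETURNed."""
    net = ipaddress.ip_network(cidr)
    return [g for g in gaps_as_networks(uncovered_ranges(rules)) if net.overlaps(g)]


if __name__ == "__main__":
    rules = parse_return_ranges(INSTANCE_CHAIN)
    print("not RETURNed by any 'all' rule:",
          [str(n) for n in gaps_as_networks(uncovered_ranges(rules))])
    print("192.168.0.0/24 overlaps:", [str(n) for n in blocked_overlap(rules, "192.168.0.0/24")])
    print("192.168.0.10 tcp/443 RETURNed:", is_returned(rules, "192.168.0.10", "tcp", 443))
    print("192.168.0.2 udp/53 RETURNed:", is_returned(rules, "192.168.0.2", "udp", 53))
```

The four uncovered blocks the script reports are the RFC 1918 ranges and the link-local range, which is exactly the shape of a default "public networks" security group, and it explains the symptom in the post: DNS to a 192.168.0.x server works because of the two port-53 exceptions, while everything else to that subnet falls through. Running the same parser over a chain after an ASG change is a quick way to confirm the new range is covered without relying on packet counters.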