Channel: VMware Communities : Discussion List - VMware vCloud Director

vcd 5.1 appliance: problem with two nics in same LAN (+solution)


Dear all,

 

Today I had a fight with the all-new vCloud Director 5.1 appliance. The setup is very common: one vCloud cell with one vCenter. The servers are located in one VLAN, the users are located in another.

 

However, I couldn't get this setup to work.

 

During the deploy of the vcloud director appliance, the IP addresses for the web interface and the proxy were configured like this:

 

web:   192.168.5.1/24 (eth0)

proxy: 192.168.5.2/24 (eth1)

 

The two IPs are in the same subnet, but as far as I know, this aligns with the vCloud Director installation manual.

 

However, if you ping this machine (after deployment) from another subnet, only one of the two IP addresses responds. The result is that you might be able to use the web interface but fail to use the VMRC consoles, or notice the inverse behavior.

 

I'm absolutely not a Linux specialist, but I could narrow this down to a problem with the Linux rp_filter (reverse path filtering) in the SUSE appliance. This filter is designed to mitigate spoofing, but in this specific case (two vCloud IPs in the same VLAN), it has to be disabled to get this setup working:

 

Disable the rp_filter by editing /etc/sysctl.conf. Find this section:

# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

Comment out the two lines, and apply the changes with sysctl -p. If any interfaces still show rp_filter=1, reboot or set them to zero yourself:

sysctl -w net.ipv4.conf.eth0.rp_filter=0

 

Hope this helps!
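
An added example, not part of the original post: a small checker that reports the rp_filter mode actually in force on each interface. It relies on the documented kernel behaviour that source validation on an interface uses the maximum of conf.all.rp_filter and conf.<iface>.rp_filter; the function name and the sample settings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads rp_filter settings in `sysctl -a` or sysctl.conf form
# on stdin and prints "<iface> <effective value> <mode>" for each interface.
# The kernel applies max(conf.all, conf.<iface>) when validating a source.
effective_rp_filter() {
    awk '
    {
        line = $0
        gsub(/[ \t]/, "", line)                 # accept "k = v" and "k=v"
        if (line !~ /^net\.ipv4\.conf\.[^.]+\.rp_filter=[0-2]$/) next
        split(line, kv, "=")
        split(kv[1], part, ".")                 # part[4] is the interface
        val[part[4]] = kv[2] + 0
    }
    END {
        all = ("all" in val) ? val["all"] : 0
        for (i in val) {
            if (i == "all" || i == "default") continue
            eff = (val[i] > all) ? val[i] : all
            mode = (eff == 0) ? "off" : ((eff == 1) ? "strict" : "loose")
            print i, eff, mode
        }
    }' | sort
}

# Constructed sample: eth0 was set to 0 with sysctl -w, but conf.all is still 1
# (sysctl -p does not reset keys whose lines were only commented out).
sample_all_still_on='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1'

printf '%s\n' "$sample_all_still_on" | effective_rp_filter

# On a live system: sysctl -a 2>/dev/null | effective_rp_filter
```

In the sample both interfaces still report strict mode, because conf.all remains 1. Value 2 (loose mode) is the setting the kernel documentation recommends for asymmetric routing, and it keeps a reachability check on the source address instead of turning validation off.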

