<div dir="ltr">We have actually started to look at VPNaaS as a way to tie two different region's Tenant Networks together..  This will hopefully allow us to not have to look at users using too many Floating IPs to just support tools and products that have issues with Floating IPs.  </div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 10, 2016 at 4:18 AM, Matt Jarvis <span dir="ltr"><<a href="mailto:matt.jarvis@datacentred.co.uk" target="_blank">matt.jarvis@datacentred.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">We see FWaaS generally being used by customers with larger deployments, where they want overall firewall rules at the boundary as well as security groups. Since my original post on this thread, I went to look at the numbers - it's actually being used more widely than I originally thought on our platform, including many of our largest customers.  </div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 10 May 2016 at 09:03, Mariano Cunietti <span dir="ltr"><<a href="mailto:mcunietti@enter.it" target="_blank">mcunietti@enter.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>
<div>Hi Kyle,</div>
<div><br>
</div>
</div>
</div><span>
<span><span>
<blockquote style="BORDER-LEFT:#b5c4df 5 solid;PADDING:0 0 0 5;MARGIN:0 0 0 5">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">>
 I know there are operators relying on these functions, particularly in the<br>
> public cloud space in Europe, so this would impact those people. I also know<br>
> this list doesn't necessarily reach all of them either, so I will try and<br>
> reach out by other means as well, but it would be very useful to try and get<br>
> a clearer picture of how many people are using VPNaaS and FWaaS. If you are,<br>
> could you please respond to this thread ?</span></blockquote>
</span></span>
<div><br>
</div>
</span><div>We are using VPNaaS and FWaaS on <a href="http://entercloudsuite.com" target="_blank">entercloudsuite.com</a>, on Juno.</div>
<div>With VPNaaS it basically works (or: works basically) but there are some issues with the configuration of MTU and some other server side configurations that drop some client connections. I can can provide more details if you want on a private thread.</div>
<div>With FWaaS we are providing it but we also deprecate it; moreover, it’s generating a lot of confusion and overlap with Security Groups</div><span>
<div><br>
</div>
<span><span>
<blockquote style="BORDER-LEFT:#b5c4df 5 solid;PADDING:0 0 0 5;MARGIN:0 0 0 5">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
><br>
</span><span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">I'm
 actually really surprised that people are *using* FWaaS. It's been</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">marked
 experimental for over 3 years now, and it only recently in</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">Liberty
 received work which made it somewhat useful, which was the</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">ability
 to apply a firewall on a specific Neutron router rather than</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">all
 tenant routers. FWaaS in production sounds pretty risky to me, but</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">I
 supposed that our fault for not being clear on it's readiness.</span></blockquote>
</span></span>
<div><br>
</div>
</span><div>Agree, but the words EXPERIMENTAL and NOT PRODUCTION READY are pretty visible in the documentation.</div>
<div>So, not your fault at all</div><span>
<div><br>
</div>
<span><span>
<blockquote style="BORDER-LEFT:#b5c4df 5 solid;PADDING:0 0 0 5;MARGIN:0 0 0 5">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
> If we have metrics that a constituent part of the user community need these<br>
> functions, then we can try and find a way to help the Neutron team to cover<br>
> the resourcing gaps.<br>
><br>
</span><span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">If
 people are using these, IMHO that's another reason to keep them</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">around.
 I've already said that we have at least one large user of VPN,</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">so
 that project will continue to be worked on even if it's removed</span><br style="color:rgb(0,0,0);font-family:-webkit-standard;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">from
 Neutron.</span></blockquote>
</span></span>
<div><br>
</div>
</span><div>Here’s what WE’D LOVE to have:</div>
<ul>
<li>VPNaaS</li><li>IDS or some TAPaaS to redirect router traffic to a tenant’s instance (remember we all sell instances)</li><li>IPS, that is the ability not only to eavesdrop but also to drop traffic using Snort or better Suricata + ELK (<a href="https://github.com/StamusNetworks/SELKS/blob/master/README.rst" rel="noreferrer" style="color:rgb(42,128,185);text-decoration:none;font-family:Slack-Lato,appleLogo,sans-serif;font-size:15px" target="_blank">https://github.com/StamusNetworks/SELKS/blob/master/README.rst</a>)</li><li>FWaaS meant as multiple firewall “flavors”. Lots of customers ask for PFSense or their own Linux/FreeBSD solution </li><li>Network analytics in general (with InfluxDB or Monasca)</li></ul>
<div>Thanks</div><span><font color="#888888">
<div><br>
</div>
<div>Mariano</div>
<div><br>
</div>
<div><br>
</div>
</font></span></div>

</blockquote></div><br></div>

<br>
</div></div><div class="HOEnZb"><div class="h5"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;background-color:rgb(255,255,255)">DataCentred Limited registered in England and Wales no. 05611763</span></div></div><br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div><br></div>