[Openstack] SNAT question

Kieron B kieronb at gmail.com
Wed Jul 18 16:05:06 UTC 2012


It sounds like you may be using overlapping IP space (in the
10.0.0.0/8 network).  The iptables rule you provided is meant to
source-NAT outbound traffic from your VMs (it's a catch-all for VMs
without a floating IP assigned).

If you are using the 10.0.0.0/8 space outside of your Openstack
environment, you'll need to address that.  Start by checking that your
"--fixed_range" flag in nova.conf is set appropriately.  It appears it's
set to 10.0.0.0/8, but maybe you can reduce that down to a /16; however, if
you are in fact using overlapping space, you'll need to fix that.  Your VMs
will never be able to reach your "external" hosts if they believe they are
in the same network.

Kieron

On Wed, Jul 18, 2012 at 11:25 AM, Boris-Michel Deschenes <
boris-michel.deschenes at ubisoft.com> wrote:

> Hi guys,
>
> I have a question regarding NAT in openstack.
>
> I have an openstack cloud (FlatDHCP, multi_host=false) with one
> nova-network node doing the NATing.
>
> I have noticed that when I ping an external machine from within a VM, on
> the receiving end I see the IP of the VM (so the outgoing SNAT works
> properly).
>
> I have also noticed that when I ping a VM inside the cloud from a machine
> outside, the VM sees the external IP of the nova-network node as the source
> of the ping and not the real IP of the “pinger”… (this is the problem for
> me).
>
> I looked at the nova-network machine’s iptables and I see this:
>
> -A nova-network-snat -s 10.0.0.0/8 -j SNAT --to-source 10.129.40.12
>
> So it’s basically setting the nova-network node as the source IP for all
> incoming traffic. In my situation, this prevents an application running
> inside the cloud from properly identifying the server located outside;
> currently, the only peer it sees is the nova-network node and not the IP of
> the server (located outside the cloud), so my application tries to connect
> to nova-network instead of the server that initiated the connection.
>
> Would it be possible to have SNAT work in a way where, when connecting to
> a VM from outside the cloud, the VM sees the source IP as the real source
> IP and not the nova-network controller’s IP?
>
> Thank you very much
>
> Boris
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
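The diagnosis in the reply above (a catch-all `-s 10.0.0.0/8` SNAT rule also rewrites forwarded packets whose source happens to fall in 10.0.0.0/8, such as traffic arriving from an external host in overlapping space) can be checked with a small model of the nat POSTROUTING decision. This is an added example, not code from the thread or from nova; the SNAT rule, the `10.0.0.0/8` fixed range and the node address `10.129.40.12` are taken from the quoted message, while the VM address, the external host addresses and the narrowed `/16` range are constructed for illustration.

```python
import ipaddress

# Values from the thread: the catch-all SNAT rule and the nova-network node's address.
NOVA_NETWORK_PUBLIC_IP = "10.129.40.12"
FIXED_RANGE_FROM_THREAD = "10.0.0.0/8"
FIXED_RANGE_NARROWED = "10.0.0.0/16"      # the "reduce that down to a /16" suggestion

# Constructed addresses for the demonstration (not from the thread).
VM_IP = "10.0.0.2"                        # an instance inside the fixed range
EXTERNAL_HOST_IP = "10.129.50.7"          # a host outside the cloud, but inside 10.0.0.0/8
EXTERNAL_HOST_STILL_OVERLAPPING = "10.0.5.9"  # a host outside the cloud inside 10.0.0.0/16


def snat_rule(match_source, to_source):
    """Model one '-A nova-network-snat -s <match_source> -j SNAT --to-source <to_source>' rule."""
    return {"match_source": ipaddress.ip_network(match_source), "to_source": to_source}


def apply_postrouting(packet, rules):
    """Return the source address the receiver sees after the nat POSTROUTING chain.

    packet is a (src, dst) pair of address strings. Every packet the node forwards,
    in either direction, traverses POSTROUTING; the first matching rule wins, as in
    iptables, and a packet matching no rule keeps its original source.
    """
    src = ipaddress.ip_address(packet[0])
    for rule in rules:
        if src in rule["match_source"]:
            return rule["to_source"]
    return str(src)


CATCH_ALL = [snat_rule(FIXED_RANGE_FROM_THREAD, NOVA_NETWORK_PUBLIC_IP)]
NARROWED = [snat_rule(FIXED_RANGE_NARROWED, NOVA_NETWORK_PUBLIC_IP)]

OUTBOUND = (VM_IP, EXTERNAL_HOST_IP)            # VM -> external: SNAT is intended here
INBOUND = (EXTERNAL_HOST_IP, VM_IP)             # external -> VM: SNAT is the reported problem
INBOUND_OVERLAP = (EXTERNAL_HOST_STILL_OVERLAPPING, VM_IP)


def seen_source(rules, packet):
    """Source address the destination of `packet` observes under `rules`."""
    return apply_postrouting(packet, rules)


if __name__ == "__main__":
    for label, rules in (("catch-all /8", CATCH_ALL), ("narrowed /16", NARROWED)):
        for name, pkt in (("outbound", OUTBOUND), ("inbound", INBOUND),
                          ("inbound (still overlapping)", INBOUND_OVERLAP)):
            print(f"{label:13} {name:28} {pkt[0]:>12} -> seen as {seen_source(rules, pkt)}")
```

With the `/8` rule the inbound ping from `10.129.50.7` is rewritten to `10.129.40.12`, which is exactly what the VM in the question observes. Narrowing the match to the `/16` leaves that packet untouched while still translating the VM's outbound traffic, but a host at `10.0.5.9` outside the cloud is still rewritten, which is the remaining overlap the reply says has to be fixed in the addressing plan rather than in the rule.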