Enabling SNAT for Non-Private Addresses
Hi everyone,

I'd like to inquire about SNAT settings for non-private addresses. I've created a network with the subnet 100.70.0.0/24 (please note, it starts with 100, not 10). I'm wondering why all hosts attached to such a network cannot establish an internet connection when the network is connected to a router with an external gateway that has internet access. However, I found documentation here: https://docs.openstack.org/neutron/zed/admin/intro-nat.html, which states that SNAT works only for private addresses (so mine are not included). Is there a way to enable SNAT for my subnet as well, but in a different way than manually configuring iptables settings on top of Neutron nodes? If so, could anyone share it?

Thanks in advance for your help.

/Jan Wasilewski
Hi,

On 3/15/24 7:22 AM, Jan Wasilewski wrote:
> Hi everyone,
>
> I'd like to inquire about SNAT settings for non-private addresses. I've created a network with the subnet 100.70.0.0/24 (please note, it starts with 100, not 10). I'm wondering why all hosts attached to such a network cannot establish an internet connection when the network is connected to a router with an external gateway that has internet access. However, I found documentation here: https://docs.openstack.org/neutron/zed/admin/intro-nat.html, which states that SNAT works only for private addresses (so mine are not included). Is there a way to enable SNAT for my subnet as well, but in a different way than manually configuring iptables settings on top of Neutron nodes? If so, could anyone share it?

The guide you linked is really only an intro guide on NAT, it shouldn't have any effect on whether a neutron router decides to do SNAT.

Does your router have "enable_snat" set to True?

-Brian
Hi Brian,

Firstly, thank you for your response. In response to your query, the option is indeed set to True on this router: Link to the router configuration <https://paste.openstack.org/show/bDbRJFsXQBqYnSh1scRP/>. If there are any other aspects that need verification, please feel free to let me know.

Best regards,
/Jan Wasilewski

On Fri, 15 Mar 2024 at 16:16, Brian Haley <haleyb.dev@gmail.com> wrote:
> Hi,
>
> The guide you linked is really only an intro guide on NAT, it shouldn't have any effect on whether a neutron router decides to do SNAT.
>
> Does your router have "enable_snat" set to True?
>
> -Brian
Hi Jan,

The router info seems Ok. There are just too many other questions I would have to know where else to go - deployment tool, network driver (ovn, ovs, etc), security group rules, etc.

The next thing I'd do is run tcpdump on the hypervisor to see if the packets you're sending from the VM are getting SNATed and exiting via an interface. The issue could be unrelated to neutron if you never see any replies.

-Brian

On 3/15/24 12:30 PM, Jan Wasilewski wrote:
> Hi Brian,
>
> Firstly, thank you for your response. In response to your query, the option is indeed set to True on this router: Link to the router configuration <https://paste.openstack.org/show/bDbRJFsXQBqYnSh1scRP/>. If there are any other aspects that need verification, please feel free to let me know.
>
> Best regards,
> /Jan Wasilewski
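The tcpdump check suggested in the last reply, sketched as an added example that is not part of the thread: it classifies `tcpdump -n icmp` output taken on the interface the traffic should leave through. The gateway address, the function name and the sample captures are constructed assumptions; only the 100.70.0.0/24 subnet comes from the thread.

```python
import ipaddress
import re

# Tenant subnet is from the thread; the gateway address is an assumed
# placeholder for the router's external IP (documentation range).
TENANT_NET = ipaddress.ip_network("100.70.0.0/24")
ROUTER_GW_IP = ipaddress.ip_address("203.0.113.20")

# Shape of `tcpdump -n icmp` lines for echo traffic.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
)

def diagnose(capture_text):
    """Classify a capture taken on the router's external-facing interface."""
    leaked = translated = replies = 0
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if m["kind"] == "request":
            if src in TENANT_NET:
                leaked += 1        # left with the original 100.70.0.x source
            elif src == ROUTER_GW_IP:
                translated += 1    # source rewritten to the gateway address
        elif dst == ROUTER_GW_IP or dst in TENANT_NET:
            replies += 1
    if leaked:
        return "not-snated"          # SNAT rule missing or not matching
    if translated and not replies:
        return "snated-no-replies"   # likely outside neutron (upstream path)
    if translated:
        return "ok"
    return "no-traffic-seen"         # packets never reached this interface

# Constructed sample captures (not taken from the thread).
LEAKING = """\
12:00:01.000001 IP 100.70.0.15 > 198.51.100.10: ICMP echo request, id 7, seq 1, length 64
"""
UPSTREAM_DROP = """\
12:00:01.000001 IP 203.0.113.20 > 198.51.100.10: ICMP echo request, id 7, seq 1, length 64
"""
HEALTHY = UPSTREAM_DROP + """\
12:00:01.020000 IP 198.51.100.10 > 203.0.113.20: ICMP echo reply, id 7, seq 1, length 64
"""

if __name__ == "__main__":
    print({n: diagnose(c) for n, c in
           [("leaking", LEAKING), ("drop", UPSTREAM_DROP), ("healthy", HEALTHY)]})
```

A "snated-no-replies" result corresponds to the case the reply describes as possibly unrelated to neutron, since the translation happened and only the return traffic is missing.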