[Neutron] How to provide internet access to tier 2 instance
I have a pretty standard single-server Victoria Devstack, where I created this network topology:

  public       private       backend
    |             |             |
    |  /-------\  |-- I1        |- I2
    |--|Router1|--|             |
    |  \-------/  |             |
    |             |  /-------\  |
    |             |--|Router2|--|
    |             |  \-------/  |
    |             |             |

I1 and I2 are instances.

My question: Is it possible to give I2 access to the external world to install software and download files? I don't need access **to** I2 **from** the external world.

My unsuccessful attempt: After adding a static default route via Router1 to Router2, I can ping the internet from Router2's namespace, but not from I2.

My guess is that Router1 ignores traffic from networks that are not attached to it. I don't have enough experience to understand the netfilter rules in Router1's namespace, and in any case, rather than tweaking them I need a supported method to give I2 internet access, or the confirmation that it is not possible.

Thanks much for any insights and suggestions.

Bernd
I have tried a similar set-up and it seems to work here. On Router 2 I have added a static route for 0.0.0.0/0 to the IP of Router1 in the 'private' network. With this addition it is possible to ping 1.1.1.1.

Just to be sure, I disabled port security on every intermediate port, but after re-enabling them, it still works.

I did find that the l3 agent is slow to clean up static routes after removing them in my version of OpenStack; this caused me to do a lot more debugging than necessary. With a fresh router it worked instantly.

Joris

On 04-04-2021 16:44, Bernd Bausch wrote:
> I have a pretty standard single-server Victoria Devstack, where I created this network topology:
>
>   public       private       backend
>     |             |             |
>     |  /-------\  |-- I1        |- I2
>     |--|Router1|--|             |
>     |  \-------/  |             |
>     |             |  /-------\  |
>     |             |--|Router2|--|
>     |             |  \-------/  |
>     |             |             |
>
> I1 and I2 are instances.
>
> My question:
> Is it possible to give I2 access to the external world to install software and download files? I don't need access **to** I2 **from** the external world.
>
> My unsuccessful attempt:
> After adding a static default route via Router1 to Router2, I can ping the internet from Router2's namespace, but not from I2.
>
> My guess is that Router1 ignores traffic from networks that are not attached to it. I don't have enough experience to understand the netfilter rules in Router1's namespace, and in any case, rather than tweaking them I need a supported method to give I2 internet access, or the confirmation that it is not possible.
>
> Thanks much for any insights and suggestions.
>
> Bernd
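The two-router set-up Joris describes, as an added example that is not code from the thread: it gives Router2 a default route toward Router1's own address on 'private' and, as my own addition that plain IP routing needs so Router1 can send replies back to the backend subnet, a route on Router1 for the backend CIDR via Router2. Router names and network names follow Bernd's diagram; the helper functions are mine, and the script assumes the openstack CLI and jq are available.

```shell
#!/usr/bin/env bash
# Added example. Assumes Router1 holds the external gateway on 'public',
# Router2 joins 'private' and 'backend', plus the openstack CLI and jq.
set -euo pipefail

# Build the --route argument for a route to $1 via next hop $2.
route_spec() { printf 'destination=%s,gateway=%s\n' "$1" "$2"; }

# IP address of router $1's own port on network $2 (that port, not some
# subnet's gateway IP, must be the next hop for the other router).
router_ip_on() {
    openstack port list --router "$1" --network "$2" -f json \
        | jq -er '.[0]["Fixed IP Addresses"][0].ip_address'
}

# CIDR of the first subnet on network $1.
network_cidr() {
    openstack subnet list --network "$1" -f json | jq -er '.[0].Subnet'
}

# True when router $1 already has a static route to $2 via $3.
has_route() {
    openstack router show "$1" -f json -c routes \
        | jq -e --arg d "$2" --arg gw "$3" \
            '.routes[] | select(.destination==$d and .nexthop==$gw)' >/dev/null
}

# Add the route unless it is already present.
ensure_route() {
    has_route "$1" "$2" "$3" && { echo "$1: $2 via $3 already set"; return; }
    openstack router set "$1" --route "$(route_spec "$2" "$3")"
}

main() {
    r1_ip="$(router_ip_on Router1 private)"   # Router1's address on 'private'
    r2_ip="$(router_ip_on Router2 private)"   # Router2's address on 'private'
    backend="$(network_cidr backend)"
    # Outbound: Router2 sends everything it does not know toward Router1,
    # which SNATs it on the external gateway, as Joris describes.
    ensure_route Router2 0.0.0.0/0 "$r1_ip"
    # Return path (my addition): Router1 only knows its attached subnets, so
    # replies to backend addresses need an explicit route back via Router2.
    ensure_route Router1 "$backend" "$r2_ip"
    # I2 gets no floating IP, so nothing on 'public' can initiate to it.
    echo "now from I2: ping -c 3 1.1.1.1"
}

# Run only as: ./two-tier-routes.sh apply (sourcing it changes nothing).
if [ "${1:-}" = "apply" ]; then main; fi
```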