[Neutron] How to provide internet access to tier 2 instance

Joris Engbers info at jorisengbers.nl
Wed Apr 7 14:44:19 UTC 2021


I have tried a similar set-up and it seems to work here. On Router 2 I 
have added a static route for 0.0.0.0/0 to the IP of Router1 in the 
'private' network.

With this addition it is possible to ping 1.1.1.1. Just to be sure, I 
disabled port security on every intermediate port, but after reenabling 
them, it still works.

I did find that the L3 agent is slow to clean up static routes after 
removing them in my version of OpenStack, which caused me to do a lot 
more debugging than necessary. With a fresh router it worked instantly.

Joris



On 04-04-2021 16:44, Bernd Bausch wrote:
> I have a pretty standard single-server Victoria Devstack, where I 
> created this network topology:
>
> public       private      backend
>   |             |             |
>   |  /-------\  |-- I1        |- I2
>   |--|Router1|--|             |
>   |  \-------/  |             |
>   |             |  /-------\  |
>   |             |--|Router2|--|
>   |             |  \-------/  |
>   |             |             |
>
> I1 and I2 are instances.
>
> My question:
>
> Is it possible to give I2 access to the external world to install 
> software and download files? I don't need access **to** I2 **from** 
> the external world.
>
> My unsuccessful attempt:
>
> After adding a static default route via Router1 to Router2, I can ping 
> the internet from Router2's namespace, but not from I2.
>
> My guess is that Router1 ignores traffic from networks that are not 
> attached to it. I don't have enough experience to understand the 
> netfilter rules in Router1's namespace, and in any case, rather than 
> tweaking them I need a supported method to give I2 internet access, or 
> the confirmation that it is not possible.
>
> Thanks much for any insights and suggestions.
>
> Bernd
>


