[Neutron] How to provide internet access to tier 2 instance
Joris Engbers
info at jorisengbers.nl
Wed Apr 7 14:44:19 UTC 2021
I have tried a similar set-up and it seems to work here. On Router 2 I
have added a static route for 0.0.0.0/0 to the IP of Router1 in the
'private' network.

With this addition it is possible to ping 1.1.1.1. Just to be sure, I
disabled port security on every intermediate port, but after re-enabling
them, it still works.

I did find that the L3 agent is slow to clean up static routes after
removing them in my version of OpenStack; this caused me to do a lot
more debugging than necessary. With a fresh router it worked instantly.

Joris

On 04-04-2021 16:44, Bernd Bausch wrote:
> I have a pretty standard single-server Victoria Devstack, where I
> created this network topology:
>
> public        private       backend
>    |             |             |
>    |  /-------\  |-- I1        |- I2
>    |--|Router1|--|             |
>    |  \-------/  |             |
>    |             |  /-------\  |
>    |             |--|Router2|--|
>    |             |  \-------/  |
>    |             |             |
>
> I1 and I2 are instances.
>
> My question:
>
> Is it possible to give I2 access to the external world to install
> software and download files? I don't need access **to** I2 **from**
> the external world.
>
> My unsuccessful attempt:
>
> After adding a static default route via Router1 to Router2, I can ping
> the internet from Router2's namespace, but not from I2.
>
> My guess is that Router1 ignores traffic from networks that are not
> attached to it. I don't have enough experience to understand the
> netfilter rules in Router1's namespace, and in any case, rather than
> tweaking them I need a supported method to give I2 internet access, or
> the confirmation that it is not possible.
>
> Thanks much for any insights and suggestions.
>
> Bernd
>
More information about the openstack-discuss mailing list