[VICTORIA] Not working SNAT over VXLAN?

Gaël THEROND gael.therond at bitswalk.com
Tue Mar 8 20:04:43 UTC 2022

Hi everyone!

I’m facing a weird situation on a tenant of one of our OpenStack clusters
based on Victoria.

On this tenant, the network topology is as follows:

One DMZ network ( linked to our public network through a
Neutron router, where there is a VM acting as a bastion/router for the MGMT

One MGMT network ( that all VMs are linked to.

On the DMZ network, there is a Debian 11 Linux VM, let’s call it VM-A, with a
floating IP from the public pool; this VM is attached to both the DMZ
network (ens3 / AND the MGMT network (ens4 /

All other VMs, let’s call them VM-X are exclusively attached to the MGMT
network (ens4).

I’ve set up VM-A with the ip_forward kernel setting and the following iptables rule:

# iptables -t nat -A POSTROUTING -o ens3 -j SNAT --to-source

My VM-X, for their part, are set up with a default gateway via VM-A:

# ip route add default via

The setup seems to be working, since if I don’t add the iptables rule and
enable kernel forwarding, I can’t see any packets from VM-X on my DMZ
interface (ens3) on VM-A.

OK, so now that you have the whole picture, let’s dive into the issue.

So when all rules, modules and gateways are set, I can fully see my VM-X
traffic (ICMP ping to a DNS server) going from VM-X (ens4) to VM-A (ens4),
then forwarded to VM-A (ens3) and finally going out to the targeted public IP.

What’s not working, however, is the response: it never reaches back to VM-X.

I’ve tcpdump’ed the whole traffic from VM-X to VM-A at each point of the

from inside the VM-X NIC, on the tap device, on the qbr bridge, on the qvb
veth, on the qvo second side of the veth, through the OVS bridges and

However, the response packets aren’t getting back any further than the VM-A
qvo veth.
Once it exits VM-A, the traffic never reaches VM-X.

What’s really suspicious here is that a direct ping from VM-X
( to VM-A ( comes back correctly, so it looks
as if OVS detected that the response in the SNAT case isn’t legit, or
something similar.

Is anyone able to get such setup working?

Here is some additional information:
Hosts run CentOS 8.5 with the latest updates.
Our platform is OpenStack Victoria deployed using kolla-ansible.
We are using an OVS-based deployment.
Our tunnels are VXLAN.
All VMs have a fully open secgroup applied and all ports have it (I checked
it twice, and even on the host iptables).

If you ever need additional information feel free to let me know !
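An added example, not part of the original post and not Neutron's own code. The first thing a practitioner would check in this topology is Neutron port security rather than the security group: with port_security_enabled on a port, the firewall driver only lets a packet leave the VM when its source address is one of the port's fixed IPs or matches an allowed_address_pairs entry. A VM that forwards and SNATs for others sends de-NATed return packets whose source is the remote host, which fails that check on its MGMT-side port, while a direct ping reply (source = the VM's own address) passes. The model below reproduces that decision on a constructed port document in the shape of `openstack port show -f json`; the UUIDs and addresses are placeholders, and whether this is the actual cause on the poster's cluster is an assumption to verify with `openstack port show <port-id> -c port_security_enabled -c allowed_address_pairs`.

```python
"""Model of Neutron port security (anti-spoofing) on a VM port's egress.

Added example, not code from the original post or from Neutron itself.
Neutron's firewall drivers let a packet leave a VM port only when its
source address is one of the port's fixed IPs or matches an entry in
allowed_address_pairs, unless port_security_enabled is false.  A VM that
routes and SNATs for other VMs sends return packets whose source is the
remote host, so they fail that check.  The port below is constructed in
the shape of `openstack port show -f json`; the UUIDs and addresses are
placeholders, not values from the original post.
"""
import copy
import ipaddress
import json

# Constructed sample: the MGMT-side port of the router VM (VM-A in the post).
VM_A_MGMT_PORT_JSON = json.dumps({
    "id": "11111111-2222-3333-4444-555555555555",           # placeholder
    "port_security_enabled": True,
    "fixed_ips": [{"subnet_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                   "ip_address": "10.20.0.2"}],            # placeholder MGMT IP
    "allowed_address_pairs": [],
})
VM_A_MGMT_PORT = json.loads(VM_A_MGMT_PORT_JSON)

# Placeholder address of the pinged DNS server (documentation range).
REMOTE_DNS_IP = "203.0.113.53"


def egress_allowed(port, src_ip):
    """Would the anti-spoofing filter let a packet with this source IP
    leave the VM through this port?"""
    if not port.get("port_security_enabled", True):
        return True                      # no anti-spoofing on this port at all
    src = ipaddress.ip_address(src_ip)
    # Fixed IPs are single hosts; allowed address pairs may be CIDRs.
    allowed = [ipaddress.ip_network(f["ip_address"]) for f in port["fixed_ips"]]
    allowed += [ipaddress.ip_network(p["ip_address"], strict=False)
                for p in port["allowed_address_pairs"]]
    return any(src in net for net in allowed)


def diagnose(port, remote_ip):
    """Compare the two packets VM-A sends to VM-X on its MGMT port:
    a direct ping reply (source = VM-A itself) and a de-NATed reply from
    the remote host (source = remote_ip).  Returns which of them pass."""
    own_ip = port["fixed_ips"][0]["ip_address"]
    return {
        "direct_reply": egress_allowed(port, own_ip),
        "snat_return": egress_allowed(port, remote_ip),
    }


def with_allowed_pair(port, cidr):
    """Copy of the port with an allowed address pair added: the state
    `openstack port set --allowed-address ip-address=<cidr>` leaves."""
    fixed = copy.deepcopy(port)
    fixed["allowed_address_pairs"].append({"ip_address": cidr})
    return fixed


def with_port_security_disabled(port):
    """Copy of the port with port security off (the state
    `openstack port set --disable-port-security` leaves); coarser than
    an allowed address pair because it also drops the security group."""
    fixed = copy.deepcopy(port)
    fixed["port_security_enabled"] = False
    return fixed


def port_set_command(port, cidr):
    """The CLI command that adds the allowed address pair to this port."""
    return f"openstack port set --allowed-address ip-address={cidr} {port['id']}"


if __name__ == "__main__":
    print("as posted:", diagnose(VM_A_MGMT_PORT, REMOTE_DNS_IP))
    print("with 0.0.0.0/0 pair:",
          diagnose(with_allowed_pair(VM_A_MGMT_PORT, "0.0.0.0/0"), REMOTE_DNS_IP))
    print(port_set_command(VM_A_MGMT_PORT, "0.0.0.0/0"))
```

The outbound leg is unaffected in this model because the SNAT rule rewrites the source to an address VM-A's DMZ port already owns (assuming the elided --to-source value is VM-A's own DMZ fixed IP), which is consistent with the forward packets being seen on ens3 while the replies stop at the qvo veth. The allowed address pair belongs on VM-A's MGMT port (and any VM-X port that should be reachable through VM-A keeps its own address, so it needs nothing); a narrower CIDR than 0.0.0.0/0 only helps if the remote destinations are known in advance.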
