[Openstack-operators] [Neutron] Floating IPs / Router Gateways

Mike Spreitzer mspreitz at us.ibm.com
Sat Apr 18 02:44:33 UTC 2015


> From: Mike Spreitzer/Watson/IBM at IBMUS
> 
> > From: Jacob Godin <jacobgodin at gmail.com> 
> > 
> > Ah, gotcha. So you're not using overlapping subnets then. 
> > 
> > Unfortunately that hack wouldn't work in our environment, but 
> > definitely something that others might consider using. 
> 
> Right, the solution I am using now imposes address constraints 
> between tenants that share a router.  I need to eliminate 
> constraints between tenants, so I have to abandon the solution I am 
> using.  So I, too, am looking for a different solution. 
> 
> I want to support a lot of tenants doing fairly unrestricted stuff, 
> so all the connections --- from their Compute Instances that do NOT 
> have a floating IP --- to public servers is more than I want to SNAT
> onto a *single* public address. 

I found a few tantalizing leads in 
http://specs.openstack.org/openstack/neutron-specs/index.html
I cannot check them out fully right now because review.openstack.org is 
temporarily down.

http://specs.openstack.org/openstack/neutron-specs/specs/kilo/specify-router-ext-ip.html
"Allow the external IP address of a router to be specified"

If you, like me, are intermediating the calls on Neutron and can transform 
a less specific call by the tenant into a precise formulation of your 
choosing (as either admin or the tenant, on a case by case basis), you can 
use the following solution.

Let the "external" network known to Neutron not be the actual public 
network but rather some other private network.  Using control over the 
router's IP on that other private network, scrunch all the router IP 
addresses into a dense range that is not in the allocation range.  Thus, 
the router IP addresses and the tenants' floating IP addresses are 
separated - you can put them in distinct large CIDR blocks.  Using some 
other router that connects that other private network to the actual public 
network, masquerade the router IP addresses onto however many public 
addresses you like, while doing 1:1 bidirectional NAT for the tenants' 
floating IP addresses.

Regards,
Mike
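As an added illustration of the design in the message above (not part of the original mail or of any Neutron code), the following script prints an nftables ruleset for the second router that sits between the private "external" network and the real public network: the dense router-gateway range is SNATed onto a small pool of public addresses, while floating IPs get 1:1 bidirectional NAT. The interface name, the 10.200.0.0/16 private network, the 203.0.113.0/24 public addresses and the floating-IP pairs are all constructed placeholders.

```shell
#!/bin/sh
# Added example; every address and interface below is a constructed placeholder.
PUB_IF="eth0"                               # faces the real public network
ROUTER_IPS="10.200.255.0/24"                # dense range holding the Neutron router gateway IPs
SNAT_POOL="203.0.113.200-203.0.113.203"     # public addresses shared by non-floating-IP traffic
# floating IP on the private "external" net -> its dedicated public address, one pair per line
FIP_PAIRS="10.200.1.10 203.0.113.10
10.200.1.11 203.0.113.11"

# Emit "a : b, c : d" map elements; $1 selects direction (out = private->public, in = reverse).
fip_elements() {
    echo "$FIP_PAIRS" | while read -r priv pub; do
        [ -n "$priv" ] || continue
        if [ "$1" = out ]; then echo "$priv : $pub"; else echo "$pub : $priv"; fi
    done | paste -sd ',' - | sed 's/,/, /g'
}

# Print the ruleset; on the edge router run it as: gen_nat_rules | nft -f -
gen_nat_rules() {
    cat <<EOF
table ip edge_nat {
  map fip_out { type ipv4_addr : ipv4_addr; elements = { $(fip_elements out) } }
  map fip_in  { type ipv4_addr : ipv4_addr; elements = { $(fip_elements in) } }
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # inbound to a floating IP's public address: 1:1 DNAT to the private floating IP
    iifname "$PUB_IF" dnat to ip daddr map @fip_in
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # outbound from a floating IP: 1:1 SNAT to its public address (checked first)
    oifname "$PUB_IF" snat to ip saddr map @fip_out
    # outbound via a router gateway IP: shared pool; the CIDR is disjoint from the floating IPs
    oifname "$PUB_IF" ip saddr $ROUTER_IPS snat to $SNAT_POOL
  }
}
EOF
}
```

Keeping the router-IP range and the floating-IP allocation pool in disjoint CIDRs is what lets the last rule match only gateway traffic, so a floating IP is never accidentally folded into the shared pool.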