[Openstack-operators] Juno neutron - Tenant Network with multiple routers, how to nat/filter ?
Alberto Molina Coballes
alb.molina at gmail.com
Fri Nov 27 20:00:16 UTC 2015
2015-11-27 20:28 GMT+01:00 Saverio Proto <zioproto at gmail.com>:
> Hello,
>
> I have a cloud user that is trying to implement the following topology
>
> ext_net <|R1|> internal_net <|R2|> dbservers_network
>
> where
> - internal_net: 10.0.2.0/24
> - dbservers_net: 10.0.3.0/24
>
> Now according to the documentation:
> http://docs.openstack.org/admin-guide-cloud/networking_adv-features.html
>
> My user was able to set up the necessary static routes on R1 to reach
> the dbservers_network and on R2 to have a default via R1
>
> However, it seems impossible to manipulate NAT rules on R1 and R2.
> R1, for example, will SNAT traffic only for source IPs in 10.0.2.0,
> making it impossible for hosts in dbservers_network to access the
> Internet.
>
> To see the configuration, I can, as an operator, use iptables commands
> in the namespaces on the network node. But what can users do?
>
> So far, I ended up with the feeling that it is not possible to have
> two-hop topologies where hosts two hops away from the gateway can
> exchange traffic with the outside Internet. Is this really the case?
>
>
Hi Saverio,
Recently I was facing the same situation and AFAIK cloud users can't set
NAT rules on internal routers via the neutron API. Those NAT rules are
restricted to routers connected to an external router (setting the router
gateway or doing floating IP associations). In our case this limitation
was solved using an instance as a router, and maybe you will find the
description of the steps we followed useful:
https://albertomolina.wordpress.com/2015/11/22/playing-around-with-openstack-using-an-instance-as-router/
I hope this helps
Cheers
Alberto