[Openstack-operators] [openstack-operators]disable snat for router gateway

Kevin Bringard (kevinbri) kevinbri at cisco.com
Tue Jan 19 15:02:43 UTC 2016


To expand on Joseph's explanation: when SNAT is enabled, an IP is pulled from the floating pool and assigned as a "default SNAT" for the router when its gateway is set. Similar to how your home router has a single external IP and all your internal devices SNAT out from that IP, all VMs on that network will have external access which originates from that IP address.

As Joseph pointed out, if you have this option disabled, unless you explicitly assign a floating IP address to a VM (which sets up a 1:1 DNAT/SNAT for the internal/floating IP), VMs won't be able to access the outside world because there will be no default SNAT rule mapping them to an externally routable IP address.



On 1/15/16, 7:04 PM, "Bajin, Joseph" <jbajin at verisign.com> wrote:

>The instance would still require a floating IP. That is the only way the host would get outside of the tenant network.
>
>We do this for some of our tenants to ensure that we know that only connections outbound would be controlled by Floating IPs.
>
>On Jan 15, 2016, at 6:55 PM, Akshay Kumar Sanghai <akshaykumarsanghai at gmail.com> wrote:
>
>
>
>Hi, in the CLI of neutron router-gateway-set, there is an option to disable SNAT. http://docs.openstack.org/cli-reference/neutron.html#neutron-router-gateway-set
>
>Does that mean I can create a tenant network and the packet will go out with the same fixed IP of the VM? Assume the tenant network created is routable or identifiable in the physical network.
>I tried to disable SNAT for the router gateway, but the packet wasn't going out from the external interface. Do I need to edit some iptables rules, or does the disable SNAT option not work?
>
>Thanks,
>Akshay

