[Openstack-operators] [openstack-operators]disable snat for router gateway

Akshay Kumar Sanghai akshaykumarsanghai at gmail.com
Tue Jan 19 21:34:59 UTC 2016


Hi Aaron,
The physical router is not getting an ARP reply for the VM from the neutron
router when SNAT is disabled. When a floating IP is used, the router creates
one more interface on its qg- interface for that floating IP associated
with the VM, and when an ARP request is broadcast, the neutron router does a
proxy ARP.
How did you solve the proxy ARP reply problem when you implemented the
SNAT-disabled router and without assigning a floating IP?

Thanks,
Akshay

On Tue, Jan 19, 2016 at 10:26 PM, Aaron Segura <aaron.segura at gmail.com>
wrote:

> It's possible.  We do it all the time.
>
> However, without proper routing, Kevin and Joseph are correct.  The VM
> will never receive replies to outbound packets because the upstream devices
> don't know where to send them.
>
> I also forgot to mention - The edge device also needs to NAT the fixed IP
> of the VM to a public IP if you intend for your VMs to access the
> Internet.  We use a global PAT rule to catch any VMs without a floating IP
> and allow them egress on a shared public IP.
>
> On Tue, Jan 19, 2016 at 10:09 AM Akshay Kumar Sanghai <
> akshaykumarsanghai at gmail.com> wrote:
>
>> Hi Aaron, Mike, Kevin, Joseph,
>> Thanks for your inputs.
>> But I am still confused, as Aaron and Mike are suggesting that it is
>> possible and Joseph and Kevin are suggesting it's not possible.
>> I tried to ping from the VM in OpenStack to outside of the cloud with
>> only a fixed IP assigned, but the ping failed. When I assigned the floating IP to
>> that VM, I could ping a system outside of the cloud. So, I am in doubt
>> whether it is possible or not, or whether there is some configuration issue in my
>> setup.
>> Guys, please help, as I can't find proper documentation regarding this.
>>
>> Thanks,
>> Akshay
>>
>> On Tue, Jan 19, 2016 at 8:47 PM, Mike Spreitzer <mspreitz at us.ibm.com>
>> wrote:
>>
>>> Aaron Segura <aaron.segura at gmail.com> wrote on 01/16/2016 12:19:53 PM:
>>>
>>> > You shouldn't have to do anything other than disable SNAT and set a
>>> > route for your tenant network upstream.
>>>
>>> Indeed, I have exercised exactly this.
>>>
>>> Regards,
>>> Mike
>>>
>>>
>>>