[Openstack-operators] [openstack-operators]disable snat for router gateway
Ricardo J. Barberis
ricardo at palmtx.com.ar
Thu Jan 21 16:04:59 UTC 2016
Hello all,
On Tuesday 19/01/2016, Kevin Bringard (kevinbri) wrote:
> To expand on Joseph's explanation: when SNAT is enabled, an IP is pulled
> from the floating pool and assigned as a "default SNAT" for the router when
> its gateway is set. Similar to how your home router has a single external
> IP and all your internal devices SNAT out from that IP, all VMs on that
> network will have external access which originate from that IP address.
I have disabled snat but my router still gets a public IP:
# neutron router-gateway-clear tenant-router
Removed gateway from router tenant-router
# neutron router-gateway-set --disable-snat tenant-router public
Set gateway for router tenant-router
# neutron router-show tenant-router
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                                        |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                                                                                                         |
| distributed           | True                                                                                                                                                                                         |
| external_gateway_info | {"network_id": "22531842-aa93-49f1-a2f6-5180164fdf3e", "enable_snat": false, "external_fixed_ips": [{"subnet_id": "d6ad786c-69f1-479a-a455-fd1741a8faa2", "ip_address": "138.XXX.XXX.XXX"}]} |
| ha                    | False                                                                                                                                                                                        |
| id                    | ee344029-6f62-491b-bff7-cfd8a88d2bc7                                                                                                                                                         |
| name                  | tenant-router                                                                                                                                                                                |
| routes                |                                                                                                                                                                                              |
| status                | ACTIVE                                                                                                                                                                                       |
| tenant_id             | 29ddecf0820348a1b1ae0e06d9ba52bb                                                                                                                                                             |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> As Joseph pointed out, if you have this option disabled, unless you
> explicitly assign a floating IP address to a VM (which sets up a 1:1
> DNAT/SNAT for the internal/floating IP) VMs won't be able to access the
> outside world because there will be no default SNAT rule mapping them to an
> externally routable IP address.
My VM on that router has no internet connection until I add a floating IP to
it, so the snat part is working nicely but I'm still wasting a public IP per
tenant/project.
My setup:
2 controllers
2 network nodes
1 compute node
All of them CentOS 7 with Liberty from CentOS Cloud SIG, neutron configured with DVR:
# rpm -qa | sort | grep neutron
openstack-neutron-7.0.0-2.el7.noarch
openstack-neutron-common-7.0.0-2.el7.noarch
openstack-neutron-ml2-7.0.0-2.el7.noarch
python-neutron-7.0.0-2.el7.noarch
python-neutronclient-3.1.0-1.el7.noarch
My questions:
Any hints regarding not assigning a public IP to the router gateway?
Should I create a separate network for the routers as suggested elsewhere in
this thread?
If so, disabling snat would be pointless, right?
Thanks in advance,
--
Ricardo J. Barberis
Linux User No. 250625: http://counter.li.org/
LFS User No. 5121: http://www.linuxfromscratch.org/
Senior SysAdmin / IT Architect - www.DonWeb.com
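
An added example, not part of the original message and not Neutron's own code: a Python audit over router records shaped like the router-show output above, listing which routers hold an external gateway IP while SNAT is disabled. The function names and the two extra sample routers are constructed for illustration; treating a missing enable_snat key as true is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample records. The first mirrors the router-show output in the
# message (the CLI prints external_gateway_info as a JSON string); the other
# two routers, their tenant names and the 203.0.113.10 address are made up.
ROUTERS = [
    {"name": "tenant-router", "tenant_id": "29ddecf0820348a1b1ae0e06d9ba52bb",
     "external_gateway_info": '{"network_id": "22531842-aa93-49f1-a2f6-5180164fdf3e", '
                              '"enable_snat": false, "external_fixed_ips": '
                              '[{"subnet_id": "d6ad786c-69f1-479a-a455-fd1741a8faa2", '
                              '"ip_address": "138.XXX.XXX.XXX"}]}'},
    {"name": "snat-router", "tenant_id": "tenant-b",
     "external_gateway_info": {"enable_snat": True, "external_fixed_ips":
                               [{"ip_address": "203.0.113.10"}]}},
    {"name": "isolated-router", "tenant_id": "tenant-c",
     "external_gateway_info": None},  # gateway cleared
]

def gateway_info(router):
    """Return external_gateway_info as a dict, decoding the CLI's JSON string form."""
    info = router.get("external_gateway_info")
    if isinstance(info, str):
        info = json.loads(info) if info.strip() else None
    return info or {}

def audit(routers):
    """Classify each router and collect gateway IPs held while SNAT is off."""
    report, held = [], defaultdict(list)
    for r in routers:
        info = gateway_info(r)
        ips = [f["ip_address"] for f in info.get("external_fixed_ips", [])]
        if not info:
            state = "no-gateway"
        elif info.get("enable_snat", True):  # assumption: absent key means SNAT on
            state = "snat"
        else:
            state = "no-snat"
            held[r["tenant_id"]].extend(ips)  # public IP consumed, no default SNAT
        report.append((r["name"], state, ips))
    return report, dict(held)

if __name__ == "__main__":
    report, held = audit(ROUTERS)
    for name, state, ips in report:
        print(f"{name:16} {state:10} {', '.join(ips) or '-'}")
    print("gateway IPs held with SNAT disabled, per tenant:", held)
```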