[Openstack-operators] [openstack-operators]disable snat for router gateway

Ricardo J. Barberis ricardo at palmtx.com.ar
Thu Jan 21 16:04:59 UTC 2016


Hello all,

On Tuesday 19/01/2016, Kevin Bringard (kevinbri) wrote:
> To expand on Joseph's explanation: when SNAT is enabled, an IP is pulled
> from the floating pool and assigned as a "default SNAT" for the router when
> its gateway is set. Similar to how your home router has a single external
> IP and all your internal devices SNAT out from that IP, all VMs on that
> network will have external access that originates from that IP address.

I have disabled snat but my router still gets a public IP:

# neutron router-gateway-clear tenant-router
Removed gateway from router tenant-router

# neutron router-gateway-set --disable-snat tenant-router public
Set gateway for router tenant-router

# neutron router-show tenant-router
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                                    |
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                                                                                                     |
| distributed           | True                                                                                                                                                                                     |
| external_gateway_info | {"network_id": "22531842-aa93-49f1-a2f6-5180164fdf3e", "enable_snat": false, "external_fixed_ips": [{"subnet_id": "d6ad786c-69f1-479a-a455-fd1741a8faa2", "ip_address": "138.XXX.XXX.XXX"}]} |
| ha                    | False                                                                                                                                                                                    |
| id                    | ee344029-6f62-491b-bff7-cfd8a88d2bc7                                                                                                                                                     |
| name                  | tenant-router                                                                                                                                                                            |
| routes                |                                                                                                                                                                                          |
| status                | ACTIVE                                                                                                                                                                                   |
| tenant_id             | 29ddecf0820348a1b1ae0e06d9ba52bb                                                                                                                                                         |
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


> As Joseph pointed out, if you have this option disabled, unless you
> explicitly assign a floating IP address to a VM (which sets up a 1:1
> DNAT/SNAT for the internal/floating IP) VMs won't be able to access the
> outside world because there will be no default SNAT rule mapping them to an
> externally routable IP address.

My VM on that router has no internet connection until I add a floating IP to
it, so the snat part is working nicely but I'm still wasting a public IP per
tenant/project.


My setup:

2 controllers
2 network nodes
1 compute node

All of them CentOS 7 with Liberty from the CentOS Cloud SIG, neutron configured with DVR:

# rpm -qa | sort | grep neutron
openstack-neutron-7.0.0-2.el7.noarch
openstack-neutron-common-7.0.0-2.el7.noarch
openstack-neutron-ml2-7.0.0-2.el7.noarch
python-neutron-7.0.0-2.el7.noarch
python-neutronclient-3.1.0-1.el7.noarch


My questions:

Any hints regarding not assigning a public IP to the router gateway?

Should I create a separate network for the routers as suggested elsewhere in
this thread?

If so, disabling snat would be pointless, right?


Thanks in advance,
-- 
Ricardo J. Barberis
Linux user No. 250625: http://counter.li.org/
LFS user No. 5121: http://www.linuxfromscratch.org/
Senior SysAdmin / IT Architect - www.DonWeb.com
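An added audit example (not part of this thread, nor Neutron's own code) that quantifies what the post describes: for every router with a gateway it records whether SNAT is disabled, how many external-subnet addresses the gateway port holds, and which floating IPs hang off that router, so an operator can see how many public addresses are consumed by router gateways versus floating IPs and which routers leave VMs without egress unless a floating IP is attached. It assumes the record shape of `neutron router-list -f json` and `neutron floatingip-list -f json`, with external_gateway_info arriving as a JSON string as in the router-show output above (a dict is accepted too). The sample records are constructed: the network and subnet ids are the ones from the post, the router ids, names and addresses (RFC 5737 documentation ranges) are made up.

```python
import json

# Constructed sample routers. The network/subnet ids come from the router-show
# output in the post; router ids, names and addresses are made up (RFC 5737).
SAMPLE_ROUTERS = [
    {
        "id": "ee344029-6f62-491b-bff7-cfd8a88d2bc7",
        "name": "tenant-router",
        "external_gateway_info": json.dumps({
            "network_id": "22531842-aa93-49f1-a2f6-5180164fdf3e",
            "enable_snat": False,
            "external_fixed_ips": [
                {"subnet_id": "d6ad786c-69f1-479a-a455-fd1741a8faa2",
                 "ip_address": "203.0.113.10"}],
        }),
    },
    {
        "id": "00000000-0000-4000-8000-000000000002",   # constructed
        "name": "snat-router",
        "external_gateway_info": json.dumps({
            "network_id": "22531842-aa93-49f1-a2f6-5180164fdf3e",
            "enable_snat": True,
            "external_fixed_ips": [
                {"subnet_id": "d6ad786c-69f1-479a-a455-fd1741a8faa2",
                 "ip_address": "203.0.113.11"}],
        }),
    },
    {
        "id": "00000000-0000-4000-8000-000000000003",   # constructed
        "name": "internal-only-router",
        "external_gateway_info": "",                    # no gateway set
    },
]

# Constructed floating IPs in the shape of `neutron floatingip-list -f json`.
SAMPLE_FLOATING_IPS = [
    {"floating_ip_address": "203.0.113.20",
     "router_id": "ee344029-6f62-491b-bff7-cfd8a88d2bc7",
     "port_id": "00000000-0000-4000-8000-0000000000aa"},   # associated with a VM port
    {"floating_ip_address": "203.0.113.21",
     "router_id": None, "port_id": None},                  # allocated, not associated
]


def parse_gateway_info(raw):
    """Return external_gateway_info as a dict, or None when no gateway is set."""
    if not raw:
        return None
    return json.loads(raw) if isinstance(raw, str) else raw


def audit(routers, floating_ips):
    """Summarise public-address usage by router gateways and floating IPs."""
    report = {
        "routers": [],
        "gateway_ips": 0,            # addresses held by router gateway ports
        "snat_disabled": 0,          # routers whose gateway has enable_snat false
        "floating_ips_total": len(floating_ips),
        "floating_ips_unassociated": sum(1 for f in floating_ips if not f.get("port_id")),
    }
    for r in routers:
        gw = parse_gateway_info(r.get("external_gateway_info"))
        if gw is None:
            report["routers"].append({"name": r["name"], "gateway": False})
            continue
        gw_ips = [f["ip_address"] for f in gw.get("external_fixed_ips", [])]
        snat = bool(gw.get("enable_snat", True))
        report["gateway_ips"] += len(gw_ips)
        if not snat:
            report["snat_disabled"] += 1
        fips = [f["floating_ip_address"] for f in floating_ips
                if f.get("router_id") == r["id"]]
        report["routers"].append({
            "name": r["name"],
            "gateway": True,
            "enable_snat": snat,
            "gateway_ips": gw_ips,
            "floating_ips": fips,
            # With SNAT off, a VM without a floating IP has no path out; with
            # SNAT on, every VM egresses via the gateway address.
            "egress_without_floating_ip": snat,
        })
    report["public_ips_consumed"] = report["gateway_ips"] + len(floating_ips)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROUTERS, SAMPLE_FLOATING_IPS), indent=2))
```

Feed it the real `-f json` output of the two list commands and the "public_ips_consumed" figure is the number of external-subnet addresses in use; the per-router "gateway_ips" entries are the ones the post calls wasted when SNAT is disabled, since they are allocated whether or not any traffic ever uses them.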
