[Openstack-operators] [openstack-operators]disable snat for router gateway

Bajin, Joseph jbajin at verisign.com
Thu Jan 21 21:23:16 UTC 2016

You're right, it seems wonky, but nothing is wrong with your setup. 

I did find a bug in neutron that sorta explained why this was happening. [1]

The explanation in the bug says this:

There is a use case where SNAT is disabled on a Neutron router and there are upstream routes for tenant networks using the Neutron router as the next hop. What you're proposing would break that use case.

So, good news: everything is working as it should. Bad news: it's using up an IP.  I did see that midonet has patched their neutron code to not do this. (Add an IP address to the neutron router)

[1] https://bugs.launchpad.net/neutron/+bug/1518296

On 1/21/16, 11:04 AM, "Ricardo J. Barberis" <ricardo at palmtx.com.ar> wrote:

>Hello all,
>On Tuesday 19/01/2016, Kevin Bringard (kevinbri) wrote:
>> To expand on Joseph's explanation: when SNAT is enabled, an IP is pulled
>> from the floating pool and assigned as a "default SNAT" for the router when
>> its gateway is set. Similar to how your home router has a single external
>> IP and all your internal devices SNAT out from that IP, all VMs on that
>> network will have external access which originate from that IP address.
>I have disabled snat but my router still gets a public IP:
># neutron router-gateway-clear tenant-router
>Removed gateway from router tenant-router
># neutron router-gateway-set --disable-snat tenant-router public
>Set gateway for router tenant-router
># neutron router-show tenant-router
>| Field                 | Value |
>| admin_state_up        | True |
>| distributed           | True |
>| external_gateway_info | {"network_id": "22531842-aa93-49f1-a2f6-5180164fdf3e", "enable_snat": false, "external_fixed_ips": [{"subnet_id": "d6ad786c-69f1-479a-a455-fd1741a8faa2", "ip_address": "138.XXX.XXX.XXX"}]} |
>| ha                    | False |
>| id                    | ee344029-6f62-491b-bff7-cfd8a88d2bc7 |
>| name                  | tenant-router |
>| routes                | |
>| status                | ACTIVE |
>| tenant_id             | 29ddecf0820348a1b1ae0e06d9ba52bb |
>> As Joseph pointed out, if you have this option disabled, unless you
>> explicitly assign a floating IP address to a VM (which sets up a 1:1
>> DNAT/SNAT for the internal/floating IP) VMs won't be able to access the
>> outside world because there will be no default SNAT rule mapping them to an
>> externally routable IP address.
>My VM on that router has no internet connection until I add a floating IP to
>it, so the snat part is working nicely but I'm still wasting a public IP per
>My setup:
>2 controllers
>2 network nodes
>1 compute node
>All of them CentOS 7 with liberty from CentOS Cloud SIG, neutron configured with DVR:
># rpm -qa | sort | grep neutron
>My questions:
>Any hints regarding not assigning a public IP to the router gateway?
>Should I create a separate network for the routers as suggested elsewhere in
>this thread?
>If so, disabling snat would be pointless, right?
>Thanks in advance,
>Ricardo J. Barberis
>Linux user No. 250625: http://counter.li.org/
>LFS user No. 5121: http://www.linuxfromscratch.org/
>Senior SysAdmin / IT Architect - www.DonWeb.com
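The condition discussed in this thread (SNAT disabled on the gateway, yet an external IP still held by the router) can be checked across a deployment. The script below is an added example, not code from the thread or from Neutron: it classifies routers from the `external_gateway_info` field, accepting both the dict form returned by the API and the JSON-string form printed by the CLI with `-f json`, and lists the routers that hold an external IP while `enable_snat` is false. All ids and addresses in the sample are constructed placeholders.

```python
"""Audit Neutron routers for external IPs held while SNAT is disabled."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample (not real data): shape follows neutron's router
# resource; the first entry carries external_gateway_info as a JSON
# string, as the CLI emits it, the second as a dict, as the API does.
SAMPLE_ROUTERS: List[Dict[str, Any]] = [
    {"name": "tenant-router", "distributed": True,
     "external_gateway_info": json.dumps({
         "network_id": "00000000-0000-0000-0000-000000000001",
         "enable_snat": False,
         "external_fixed_ips": [{"subnet_id": "sub-placeholder",
                                 "ip_address": "203.0.113.10"}]})},
    {"name": "snat-router", "distributed": False,
     "external_gateway_info": {
         "network_id": "00000000-0000-0000-0000-000000000001",
         "enable_snat": True,
         "external_fixed_ips": [{"subnet_id": "sub-placeholder",
                                 "ip_address": "203.0.113.11"}]}},
    {"name": "internal-only", "distributed": False,
     "external_gateway_info": None},
]


def parse_gateway_info(raw: Any) -> Dict[str, Any]:
    """external_gateway_info may be None, a dict (API) or a JSON string (CLI)."""
    if raw is None or raw == "":
        return {}
    return json.loads(raw) if isinstance(raw, str) else raw


def classify_router(router: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Return (state, external_ips). States: no-gateway, snat-on,
    snat-off-holding-ip, snat-off-no-ip."""
    gw = parse_gateway_info(router.get("external_gateway_info"))
    if not gw:
        return "no-gateway", []
    ips = [f["ip_address"] for f in gw.get("external_fixed_ips", [])]
    if gw.get("enable_snat", True):   # Neutron defaults enable_snat to True
        return "snat-on", ips
    return ("snat-off-holding-ip" if ips else "snat-off-no-ip"), ips


def held_without_snat(routers: List[Dict[str, Any]]) -> List[Tuple[str, List[str]]]:
    """Routers consuming external IPs although SNAT is disabled, sorted by name."""
    found = [(r["name"], classify_router(r)[1]) for r in routers
             if classify_router(r)[0] == "snat-off-holding-ip"]
    return sorted(found)


if __name__ == "__main__":
    for name, ips in held_without_snat(SAMPLE_ROUTERS):
        print(f"{name}: SNAT disabled but holding {', '.join(ips)}")
```

Feed it the output of `neutron router-list -f json` (or the equivalent API listing) to see how many external addresses are tied up by SNAT-disabled routers on a deployment.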