[Openstack-operators] VPNaaS and FWaaS

Mariano Cunietti mcunietti at enter.it
Tue May 10 08:03:15 UTC 2016

Hi Kyle,

> I know there are operators relying on these functions, particularly in the
> public cloud space in Europe, so this would impact those people. I also know
> this list doesn't necessarily reach all of them either, so I will try and
> reach out by other means as well, but it would be very useful to try and get
> a clearer picture of how many people are using VPNaaS and FWaaS. If you are,
> could you please respond to this thread ?

We are using VPNaaS and FWaaS on entercloudsuite.com, on Juno.
With VPNaaS it basically works (or: works basically) but there are some issues with the configuration of MTU and some other server side configurations that drop some client connections. I can can provide more details if you want on a private thread.
With FWaaS we are providing it but we also deprecate it; moreover, it’s generating a lot of confusion and overlap with Security Groups

I'm actually really surprised that people are *using* FWaaS. It's been
marked experimental for over 3 years now, and it only recently in
Liberty received work which made it somewhat useful, which was the
ability to apply a firewall on a specific Neutron router rather than
all tenant routers. FWaaS in production sounds pretty risky to me, but
I supposed that our fault for not being clear on it's readiness.

Agree, but the words EXPERIMENTAL and NOT PRODUCTION READY are pretty visible in the documentation.
So, not your fault at all

> If we have metrics that a constituent part of the user community need these
> functions, then we can try and find a way to help the Neutron team to cover
> the resourcing gaps.
If people are using these, IMHO that's another reason to keep them
around. I've already said that we have at least one large user of VPN,
so that project will continue to be worked on even if it's removed
from Neutron.

Here’s what WE’D LOVE to have:

  *   VPNaaS
  *   IDS or some TAPaaS to redirect router traffic to a tenant’s instance (remember we all sell instances)
  *   IPS, that is the ability not only to eavesdrop but also to drop traffic using Snort or better Suricata + ELK (https://github.com/StamusNetworks/SELKS/blob/master/README.rst)
  *   FWaaS meant as multiple firewall “flavors”. Lots of customers ask for PFSense or their own Linux/FreeBSD solution
  *   Network analytics in general (with InfluxDB or Monasca)



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20160510/3bd665df/attachment.html>

More information about the OpenStack-operators mailing list