[Openstack] SNAT question

Xiaolin Zhang zhangxiaolins at gmail.com
Wed Jul 18 16:05:10 UTC 2012


I have encountered exactly the same situation in our deployment, with all
outbound packets from VMs tagged with the server's IP as their SNAT source.

After doing some investigation, I found that when nova-network initializes
itself, this filter rule is populated;
and I wonder whether this is an intended design feature - to isolate all
fixed IPs and make them visible only within a subnet.

Could any expert help to clarify?

Best Regards,
Xiaolin Zhang



On Wed, Jul 18, 2012 at 11:25 PM, Boris-Michel Deschenes <
boris-michel.deschenes at ubisoft.com> wrote:

> Hi guys,
>
> I have a question regarding NAT in openstack
>
> I have an openstack cloud (FlatDHCP, multi_host=false) with one
> nova-network node doing the NATing.
>
> I have noticed that when I ping an external machine from within a VM, on
> the receiving end I see the IP of the VM (so the outgoing SNAT works
> properly).
>
> I have also noticed that when I ping a VM inside the cloud from a machine
> outside, the VM sees the external IP of the nova-network node as the source
> of the ping and not the real IP of the “pinger”…  (this is the problem for
> me).
>
> I looked at the nova-network machine’s iptables and I see this:
>
> -A nova-network-snat -s 10.0.0.0/8 -j SNAT --to-source 10.129.40.12
>
> So it’s basically setting the nova-network node as the source IP for all
> incoming traffic. In my situation, this prevents an application running
> inside the cloud from properly identifying the server located outside;
> currently, the only peer it sees is the nova-network node and not the IP of
> the server (located outside the cloud), so my application tries to connect
> to nova-network instead of the server that initiated the connection.
>
> Would it be possible to have SNAT work in a way where, when connecting to
> a VM from outside the cloud, the VM sees the source IP as the real source
> IP and not the nova-network controller’s IP?
>
> Thank you very much
>
> Boris
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
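The rule quoted above, `-A nova-network-snat -s 10.0.0.0/8 -j SNAT --to-source 10.129.40.12`, matches on source address only, so any forwarded packet whose source falls inside 10.0.0.0/8 is rewritten, whichever direction it travels. Since the nova-network node itself sits at 10.129.40.12, a "pinger" on the node's own network is very likely inside that /8 too, and its packets to a VM get the same treatment as a VM's outbound traffic. The script below is an added example, not code from the thread or from nova: it replays the SNAT decision for a few constructed packets against the original rule and against a narrowed one that only rewrites VM-sourced traffic leaving the fixed range. The VM fixed range 10.0.0.0/24 and the pinger address 10.129.40.50 are assumptions; only the node address and the rule come from the post. It ignores interface matches and conntrack, which real iptables also consults.

```python
"""Replay nova-network style SNAT rules against constructed packets.

Constructed values (not from the thread): VM fixed range 10.0.0.0/24,
a VM at 10.0.0.5, a "pinger" at 10.129.40.50 assumed to live in the
nova-network node's own subnet, and a truly external host 192.0.2.10.
From the thread: the node address 10.129.40.12 and the original rule.
"""
import ipaddress
import shlex

# The rule quoted in the original post.
ORIGINAL_RULES = [
    "-A nova-network-snat -s 10.0.0.0/8 -j SNAT --to-source 10.129.40.12",
]

# A narrowed variant (assumed fix, not nova's own text): only rewrite packets
# that come from the VM fixed range AND are not destined to another VM.
NARROWED_RULES = [
    "-A nova-network-snat -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 10.129.40.12",
]


def parse_rule(line):
    """Parse an iptables-save style '-A chain ...' rule.

    Supports the matches this example needs: -s, -d (optionally negated
    with a preceding '!'), -j and --to-source.
    """
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "dst": None,
            "neg_src": False, "neg_dst": False, "target": None, "to": None}
    negate = False
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True          # applies to the next match option
        elif tok == "-A":
            rule["chain"] = toks[i + 1]
            i += 1
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            rule["neg_src"], negate = negate, False
            i += 1
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
            rule["neg_dst"], negate = negate, False
            i += 1
        elif tok == "-j":
            rule["target"] = toks[i + 1]
            i += 1
        elif tok == "--to-source":
            rule["to"] = toks[i + 1]
            i += 1
        i += 1
    return rule


def rule_matches(rule, src, dst):
    """True if the packet (src -> dst) satisfies the rule's address matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # A match fails when membership equals the negation flag:
    # plain '-s' needs membership True, '! -s' needs membership False.
    if rule["src"] is not None and (s in rule["src"]) == rule["neg_src"]:
        return False
    if rule["dst"] is not None and (d in rule["dst"]) == rule["neg_dst"]:
        return False
    return True


def source_seen_by_peer(rule_lines, src, dst):
    """Source address the destination observes after the first matching SNAT.

    Mirrors nat/POSTROUTING: the first matching SNAT rule wins; if none
    matches, the packet keeps its real source.
    """
    for line in rule_lines:
        rule = parse_rule(line)
        if rule["target"] == "SNAT" and rule_matches(rule, src, dst):
            return rule["to"]
    return src


if __name__ == "__main__":
    cases = [
        ("VM -> Internet", "10.0.0.5", "192.0.2.10"),
        ("pinger in node subnet -> VM", "10.129.40.50", "10.0.0.5"),
        ("host outside 10/8 -> VM", "192.0.2.10", "10.0.0.5"),
    ]
    for name, rules in (("original", ORIGINAL_RULES), ("narrowed", NARROWED_RULES)):
        for label, src, dst in cases:
            seen = source_seen_by_peer(rules, src, dst)
            print(f"{name:8} {label:30} peer sees source {seen}")
```

Running it shows the symptom from the post under the original rule: the VM sees 10.129.40.12 for the pinger in the node's subnet, while a host outside 10.0.0.0/8 is untouched, which is why the problem looks direction-dependent when it is really a matter of which addresses the /8 swallows. Under the narrowed rule the VM's outbound traffic is still rewritten and inbound traffic keeps its real source, so the application inside the cloud can identify its peer.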