[Openstack] SNAT question

Boris-Michel Deschenes boris-michel.deschenes at ubisoft.com
Wed Jul 18 19:41:23 UTC 2012


Thanks again,

Could you just tell me why this SNAT rule is there, is it so that VMs can contact other VMs by their floating IP?  I know this SNAT rule is there to render something possible but I don't know what.

Boris

From: Vishvananda Ishaya [mailto:vishvananda at gmail.com]
Sent: 18 July 2012 15:40
To: Boris-Michel Deschenes
Cc: openstack at lists.launchpad.net
Subject: Re: [Openstack] SNAT question


On Jul 18, 2012, at 9:44 AM, Boris-Michel Deschenes wrote:


Thanks everybody,

Vish, I think you've got it, but here are some more details about the setup just to be sure we're on the same level:

my private network is defined as 172.0.0.0/21
my floating network is defined as 10.129.44.0/22
physical cloud machines (10.129.40.0/24)
outside of the cloud, all machines are in the 10 range (10.140.x.x for example)

Again the problem is that when I ping FROM 10.140.32.235 (outside the cloud) TO 10.129.44.6 (a VM INSIDE the cloud), tcpdump on the VM will show the source address as 10.129.40.12 (nova-network controller) and NOT 10.140.32.235 (the real pinger).

I'm not setting up fixed_range and floating_range because I always thought they were just unneeded duplicate config flags for the network config I do with nova-manage (network create and floating create); obviously they are set up on their own at runtime, and here are the values taken from the logfiles:

fixed_range =  10.0.0.0/8
floating_range = 4.4.4.0/24

So, Vish's theory makes sense: since my external machine (10.140.32.235) is included in the filter for SNAT, the packet is modified and nova-network's IP is set as the source...

Vish, should I set fixed_range to 10.129.44.0/22 (this is my floating range) so that this SNATTING takes place only when the communication is 100% intra-VMs?

If by private network you mean the fixed network you created for your vms with nova-manage, then fixed_range should equal or contain your private network, so you could set it to 172.0.0.0/21.

If I've misunderstood and your vms are getting fixed ips in the 10.x range, then you should set fixed_range to 10.0.0.0/16 so it excludes the 10.129 addresses.

There are separate SNAT rules automatically created for floating IPs, so the fixed range rule is to allow VMs to communicate with the outside world via their fixed IP (if they don't have a floating IP assigned yet).

Vish
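The behaviour Vish describes, as an added model that is not part of this thread or of nova's code: it assumes nova-network's nat POSTROUTING chain accepts fixed_range-to-fixed_range traffic untouched and SNATs any other packet whose source lies in fixed_range to routing_source_ip, and it uses the addresses quoted above plus a constructed VM fixed IP (172.0.0.5) behind the floating IP 10.129.44.6.

```python
from ipaddress import ip_address, ip_network

# Addresses quoted in the thread; the VM fixed IP 172.0.0.5 and the
# floating->fixed mapping are constructed for this example.
ROUTING_SOURCE_IP = "10.129.40.12"            # nova-network controller
FLOATING_TO_FIXED = {"10.129.44.6": "172.0.0.5"}
OUTSIDE_HOST = "10.140.32.235"


def postrouting_source(src, dst, fixed_range):
    """Assumed, simplified model of the rules nova-network derives from
    fixed_range: fixed->fixed traffic passes unchanged, any other packet
    sourced inside fixed_range is SNATed to routing_source_ip."""
    net = ip_network(fixed_range)
    s, d = ip_address(src), ip_address(dst)
    if s in net and d in net:
        return src                  # intra-cloud, no rewrite
    if s in net:
        return ROUTING_SOURCE_IP    # -s fixed_range -j SNAT --to-source ...
    return src                      # rule does not match


def inbound_ping_source_seen_by_vm(src, floating_ip, fixed_range):
    """Source the VM's tcpdump shows for a ping sent to its floating IP.
    PREROUTING DNAT maps floating -> fixed first, then POSTROUTING runs."""
    fixed = FLOATING_TO_FIXED[floating_ip]
    return postrouting_source(src, fixed, fixed_range)


def outbound_source_seen_by_remote(vm_fixed_ip, remote, fixed_range):
    """Source a remote host sees when a VM without a floating IP goes out;
    this is the case the fixed_range SNAT rule exists for."""
    return postrouting_source(vm_fixed_ip, remote, fixed_range)


if __name__ == "__main__":
    # 10.0.0.0/8 swallows the outside host; the two corrected values do not.
    for fr in ("10.0.0.0/8", "172.0.0.0/21", "10.0.0.0/16"):
        seen = inbound_ping_source_seen_by_vm(OUTSIDE_HOST, "10.129.44.6", fr)
        print(f"fixed_range={fr:13} VM sees source {seen}")
    print("VM 172.0.0.5 -> outside, fixed_range=172.0.0.0/21, remote sees",
          outbound_source_seen_by_remote("172.0.0.5", OUTSIDE_HOST, "172.0.0.0/21"))
```

With fixed_range left at the 10.0.0.0/8 default the outside pinger is rewritten to 10.129.40.12 exactly as the thread reports, while 172.0.0.0/21 (or 10.0.0.0/16) leaves it untouched and still SNATs a floating-IP-less VM's own outbound traffic.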
