[Openstack] [Quantum] Anybody implemented DMZ?

David Kang dkang at isi.edu
Fri Apr 12 18:39:44 UTC 2013


 I did some experiments with two subnets, one for DMZ and the other
for non-DMZ. But it looks like the separation of network traffic between them
doesn't work with two Quantum routers.

 We use the linux-bridge plugin.
Network namespaces are not supported.

 When two subnets (e.g. 10.12.83.0/24, 10.12.84.0/24) are created,
the Quantum network node has ports on both subnets (10.12.83.1/24, 10.12.84.1/24).
Two Quantum routers were created, one for each subnet.
Pinging from a VM in 10.12.83.0/24 to a VM in 10.12.84.0/24 is routed by
the Quantum network node itself.
Before the Quantum router routes the packets to the external network,
the Quantum network node routes them internally because it knows both networks.
I want the traffic to be routed to the external network through the
Quantum router, but it doesn't happen.

 Am I doing something wrong?

 Thanks,
 David


----- Original Message -----
> In my reply I suggested that you create two Quantum routers, which I
> believe should solve this for you.
> 
> quantum net-create DMZ-net --router:external=True
> quantum subnet-create --name DMZ-Subnet1 DMZ-net <dmz_cidr>          # public IP pool
> 
> quantum net-create non-DMZ --router:external=True
> quantum subnet-create --name nonDMZ-Subnet1 non-DMZ <non_dmz_cidr>   # public IP pool
> 
> quantum router-create DMZ-router
> quantum router-create non-DMZ-router
> quantum router-interface-add DMZ-router DMZ-Subnet1
> quantum router-interface-add non-DMZ-router nonDMZ-Subnet1
> 
> quantum router-gateway-set DMZ-router DMZ-net
> quantum router-gateway-set non-DMZ-router non-DMZ
> 
> On Thu, Apr 4, 2013 at 10:51 AM, David Kang < dkang at isi.edu > wrote:
> 
> Hi Aron,
> 
> Thank you for your reply.
> 
> We deploy one (quantum) subnet as a DMZ network and the other
> (quantum) subnet as a non-DMZ network.
> They are routed to the network node where the quantum services (dhcp, l3,
> linuxbridge) are running.
> They can talk to each other through the network node now.
> 
> However, we do not want the network node to route the traffic
> between them directly.
> Instead we want them to be routed to different (external) routers such
> that we can apply filtering/firewall/etc. on the traffic from the DMZ network.
> 
> Do you think it is possible using two l3-agents or any other way?
> Currently, I manually set up routing for those two subnets.
> 
> Thanks,
> David
> 
> ----- Original Message -----
> > Hi David,
> >
> >
> > The Quantum network node would route traffic between the non-DMZ and DMZ
> > networks if both of those subnets are uplinked to the same Quantum
> > router. I believe if you create another router for your DMZ hosts, then
> > traffic in/out of that network should route out to your physical
> > infrastructure, which will go through your router to do filtering.
> >
> >
> > Thanks,
> >
> >
> > Aaron
> >
> >
> >
> > On Wed, Apr 3, 2013 at 8:26 AM, David Kang < dkang at isi.edu > wrote:
> >
> >
> >
> > Hi,
> >
> > We are trying to set up Quantum networking for non-DMZ and DMZ
> > networks.
> > The cloud has both non-DMZ networks and a DMZ network.
> > We need to route traffic from the DMZ network to a specific router
> > before it reaches anywhere else in the non-DMZ networks.
> > However, the Quantum network node routes the traffic between the DMZ
> > network and the non-DMZ network within itself by default.
> > Has anybody configured Quantum for this case?
> > Any help will be appreciated.
> > We are using the Quantum linuxbridge-agent.
> >
> > Thanks,
> > David
> >
> > --
> > ----------------------
> > Dr. Dong-In "David" Kang
> > Computer Scientist
> > USC/ISI
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack at lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp
> 
> --
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI

-- 
----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI
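The behaviour David describes, that a network node holding an address on both subnets forwards between them before any packet reaches the external gateway, follows from ordinary longest-prefix routing: the two connected /24 routes always beat the default route in a single routing table (which is all you have without network namespaces). The script below is an added check written for this page, not code from the thread or from Quantum. It parses `ip route` output from the network node and reports which pairs of tenant subnets the node would forward directly. The route lines, interface names (brq-dmz, brq-nondmz, br-ex) and external addresses are constructed for the example; run it against real `ip route` output on your node to see whether the DMZ and non-DMZ subnets are isolated.

```python
import ipaddress

# Constructed sample of `ip route` on a Quantum network node like the one in the
# thread: one address on each tenant subnet (10.12.83.1, 10.12.84.1) plus a default
# route out of the external network. Interface names and 192.0.2.x are assumptions.
SAMPLE_IP_ROUTE = """\
default via 192.0.2.1 dev br-ex
10.12.83.0/24 dev brq-dmz proto kernel scope link src 10.12.83.1
10.12.84.0/24 dev brq-nondmz proto kernel scope link src 10.12.84.1
192.0.2.0/24 dev br-ex proto kernel scope link src 192.0.2.10
"""


def parse_ip_route(text):
    """Turn `ip route` output into (network, dev, via) tuples; via is None for connected routes."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over one routing table, as the kernel FIB does
    when there is no policy routing and no namespace separation."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def forwarded_locally(routes, src, dst):
    """True if a packet src->dst hitting the node is forwarded straight onto
    another connected subnet, i.e. never reaches the default (external) gateway.
    Forwarding itself requires net.ipv4.ip_forward=1, which the l3 agent turns on."""
    route = lookup(routes, dst)
    if route is None:
        return False
    net, _dev, via = route
    same_subnet = ipaddress.ip_address(src) in net  # bridged, not routed
    return via is None and net.prefixlen > 0 and not same_subnet


def check_isolation(routes, subnets):
    """Report every ordered pair of tenant subnets whose traffic the node
    would route between its own interfaces instead of handing it upstream."""
    leaks = []
    nets = [ipaddress.ip_network(s) for s in subnets]
    for a in nets:
        for b in nets:
            # Use an arbitrary host in each subnet (index 10) as a probe address.
            if a != b and forwarded_locally(routes, str(a[10]), str(b[10])):
                leaks.append((str(a), str(b)))
    return leaks


if __name__ == "__main__":
    table = parse_ip_route(SAMPLE_IP_ROUTE)
    for src_net, dst_net in check_isolation(table, ["10.12.83.0/24", "10.12.84.0/24"]):
        print("node forwards %s -> %s directly, bypassing the external router" % (src_net, dst_net))
```

With the sample table both directions are reported, which is exactly the symptom in the thread: the ping from 10.12.83.0/24 to 10.12.84.0/24 matches the connected 10.12.84.0/24 route on the node and never travels the default route to the external gateway. Traffic to an address outside both subnets (for example 198.51.100.9) does take the default route, so the check also shows why the two-router setup looks correct for north-south traffic while east-west traffic still leaks.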