[Openstack] [neutron] Port Forwarding

Abbass MAROUNI abbass.marouni at virtualscale.fr
Fri Dec 20 11:40:10 UTC 2013 

Thanks Thiago,

Did you try to add Port Forwarding iptables' rules directly to the
OpenStack router ?

Best Regards,
Abbass


2013/12/19 Martinx - ジェームズ <thiagocmartinsc at gmail.com>

> Cool! You're welcome!        =)
>
> My topology is "Per-Tenant Router with Private Networks", it does looks
> like your first example but, a bit different, like this:
>
> ---
> Yours:
>
> Internet ---- public-network ----  OpenStack-Router ----
> Private-OpenStack-Network ---- NAT-Instance
>
>                                                                      |
>
>                                                                      --
> Other-Instances
> -
> Mine:
>
> Internet ---- public-network ----  OpenStack-Router ----
> Private-OpenStack-Network ---- NAT-Instance
>
>                                                 |
>
>                                                 -- Other-Instances
> ---
>
>  The "NAT Instance" is just a regular Instance (plus its Floating IP),
> there is nothing "connected behind it" (i.e. no eth0 public / eth1
> private), it is "parallel / side-by-side" to the others Instances, the
> network traffic comes in and out the "NAT Instance" trough the same
> ethernet interface (another creepy point of this IPv4 topology).
>
> Best,
> Thiago
>
> On 19 December 2013 15:31, Abbass MAROUNI <abbass.marouni at virtualscale.fr>wrote:
>
>> Dear Thiago,
>>
>> Thanks a lot for your answer.
>>
>> One more thing, do your configuration look something like this :
>>
>>
>> Internet ---- public-network ----  OpenStack-Router ----
>> Private-OpenStack-Network ---- NAT-Instance
>>
>>                                                                      |
>>
>>                                                                      --
>> Other-Instances
>>
>> I tried setting up a dedicated router/firewall but couldn't make to work,
>> it looks something like :
>>
>> Internet ---- public-network ----  OpenStack-Router ----
>> Private-OpenStack-Network ---- Dedicated-Router (A VM) ----
>> Private-OpenStack-Network-2 ---- Other-Instances
>>
>>
>> For some reason the above configuration fails to deliver the packets to
>> the 'Other-Instances', the 'Other-instances' use the Dedicated-Router as
>> their gateway. Another drawback is the cloud-init of the 'Other-Instances'.
>>
>> So I decided to try my luck with the first configuration, but it didn't
>> work also. Maybe my iptables for the NAT-Instance were wrong. I'll try
>> yours tomorrow !
>>
>> Thanks a lot,
>>
>> Best Regards,
>>
>>
>>
>> 2013/12/19 Martinx - ジェームズ <thiagocmartinsc at gmail.com>
>>
>>> Abbass,
>>>
>>> The only way I figured out to do this, is by creating a "NAT Instance",
>>> with a Floating IP attached to it and, the "magic" happens here:
>>>
>>> Contents of my /etc/network/nat-rules.save
>>>
>>> ---
>>> # Generated by iptables-save v1.4.12 on Fri Oct 18 02:41:35 2013
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> COMMIT
>>> # Completed on Fri Oct 18 02:41:35 2013
>>> # Generated by iptables-save v1.4.12 on Fri Oct 18 02:41:35 2013
>>> *nat
>>> :PREROUTING ACCEPT [0:0]
>>> :INPUT ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> :POSTROUTING ACCEPT [0:0]
>>> -A PREROUTING -d 192.168.50.2/32 -p tcp -m tcp --dport 80 -j DNAT
>>> --to-destination 192.168.50.11
>>> -A PREROUTING -d 192.168.50.2/32 -p tcp -m tcp --dport 443 -j DNAT
>>> --to-destination 192.168.50.11
>>> -A PREROUTING -d 192.168.50.2/32 -p tcp -m tcp --dport 25 -j DNAT
>>> --to-destination 192.168.50.20
>>> -A POSTROUTING ! -d 192.168.50.2/32 -j SNAT --to-source 192.168.50.2
>>> COMMIT
>>> # Completed on Fri Oct 18 02:41:35 2013
>>> ---
>>>
>>> Where:
>>>
>>> 1- The IP 192.168.50.2 is the "Nat Instance" itself, with a "public and
>>> valid Floating IP" attached to it;
>>>
>>> 2- The IP 192.168.50.11 is a Web Server, that the Internet needs to
>>> access;
>>>
>>> 3- The IP 192.168.50.20 is a Mail MX Server, so, the tenant can receive
>>> e-mails;
>>>
>>> 4- The latest line is the creepiest, it is required because the NAT
>>> Instance, is not the default gateway of the tenant network, so, you'll
>>> require to "MASQ" both source and destination address.
>>>
>>>
>>> This topology is "famous" even when using Amazon EC2 with private VPC,
>>> for example. But, honestly, I think it is terrible, mostly because of IPv4.
>>> This brings lots of problems, for example:
>>>
>>> * web server logs will register only the "NAT" Instance internal IP;
>>>
>>> * if you have a e-mail server instance, you'll need to figure out by
>>> yourself, the qrouter- public IP, to register it as an allowed IP (SPF) to
>>> send e-mails as your domain + plus register the "Reverse DNS" of the router
>>> Floating IP, as your e-mail (horrible)....
>>>
>>> * And problems go on...
>>>
>>>
>>> BTW, with IPv6 all those things will be left in the past, since NAT is a
>>> workaround of IPv4 networks and there is no NAT for IPv6 (when with Ubuntu
>>> 12.04). So, when with IPv6, there will be no "NAT Instance" or NAT rules to
>>> mange at the router (far much simpler and beauty) and your network will
>>> ALWAYS work as expected, we just need to wait a few months to join the
>>> future without any NAT!
>>>
>>> Regards,
>>> Thiago
>>>
>>>
>>>
>>> On 19 December 2013 14:35, Abbass MAROUNI <
>>> abbass.marouni at virtualscale.fr> wrote:
>>>
>>>> Could you please elaborate about your temporary solution ?
>>>> I couldn't get a VM to act as a router that will do the port forwarding
>>>> for other VMs in a private network. For some reason the VM cannot act as a
>>>> router.
>>>> Is it due to neutron networking ?
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>
>>>> 2013/12/19 Martinx - ジェームズ <thiagocmartinsc at gmail.com>
>>>>
>>>>> I'm wondering about this too... I think that would be very nice to
>>>>> give the FWaaS, the ability to manage the NAT table of tenant router.
>>>>>
>>>>> This way, there is no need for a "NAT Instance" with a second Floating
>>>>> IP attached to it plus creepy NAT rules there (far away from the tenant
>>>>> router).
>>>>>
>>>>> Also, the IPv4 tenant router already have "by nature", 1 Floating IP
>>>>> for it, so, because there is no way to configure the NAT rules of the
>>>>> qrouter, we need to give at least 2 public IPs (one for the router itself,
>>>>> another for the "NAT Instance") for each tenant, with in IPv4 world, is a
>>>>> waste.
>>>>>
>>>>> Please Stackers! FWaaS needs to be able to handle NAT rules (I
>>>>> think)...    ;-)
>>>>>
>>>>> Cheers!
>>>>> Thiago
>>>>>
>>>>>
>>>>> On 19 December 2013 12:23, Abbass MAROUNI <
>>>>> abbass.marouni at virtualscale.fr> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Why is it not possible to do port forwarding with neutron L3 ?
>>>>>> Any alternative to manually adding to iptables of each virtual router
>>>>>> ?
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mailing list:
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>> Post to     : openstack at lists.openstack.org
>>>>>> Unsubscribe :
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131220/14cd99fb/attachment.html>

More information about the Openstack mailing list