[Openstack] Ended up with a weird network topology when using Namespaces / Overlap IP / L3 - Grizzly

Martinx - ジェームズ thiagocmartinsc at gmail.com
Tue Oct 1 16:36:45 UTC 2013


I have an OpenStack environment running, based on the following guide (+ a
few customizations):


BUT, at the end of the day, my tenant's IPv4 network topology is weird,
from the tenant's point of view.

Let me try to explain it.

*** After connecting the tenant's router to the External network, by
running the following command:

 "quantum router-gateway-set $put_router_proj_one_id_here"

...the tenant is finally able to browse the Internet, since its router now
has a public IP (+ MASQUERADE NAT rules in its Namespace), allocated from

I can see that the above command `quantum router-gateway-set' allocates a
public IP (from the allocation pool), and it appears as expected within the
tenant's namespace.

Another BUT: the Internet still can't reach the tenant's internal/invalid
subnet, so, I think, a `Floating IP' is required... Then I started a new
Instance to act as some kind of NAT router, with a `Floating IP' attached to
it. This way, the tenant's web server will be reachable from the Internet...

So, here is my question:

1- How can I "move / migrate" the NAT rules from within the so-called "NAT
Instance" to the tenant's router itself (which resides in its
Namespace)? *With FWaaS or something?!*

Because the way I'm doing it today, for each tenant I need to give 2 IPv4
public IPs, which is a waste. I can only allocate 1 IPv4 public IP for each
tenant, not 2 (one for its router, another for the Floating IP)...

Also, I'm seeing more problems with this topology. For example, if I
install a Zimbra Instance, which is a Collaboration Suite
(LDAP+SMTP+IMAP+etc), the e-mails that come from the Internet reach the
NAT Instance before going to Zimbra, but Zimbra's default gateway *is
the tenant's router* (within its Namespace). This means that the reverse
DNS entry of each tenant router running Zimbra must be pointed to its
SMTP!! Otherwise, lots of e-mails don't get out of the Cloud...   :-/

I can imagine that, if a tenant could configure its own router's NAT table,
which resides within its Namespace, it would not need a `Floating IP', since
it already has one "allocated by default" after connecting its router to
the External network (router-gateway-set)...

Am I missing something?!
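A way to check what NAT the tenant router's namespace is actually doing, as an added example that is not part of the original post and not Quantum/Neutron code: the L3 agent implements a floating IP as a DNAT/SNAT pair inside the `qrouter-<router-id>` namespace (no separate NAT instance is involved), while the gateway address set by `router-gateway-set` only gives the subnet an outbound SNAT/MASQUERADE. Dumping that namespace's nat table therefore shows both kinds of rule side by side. The script parses a constructed `iptables -t nat -S` dump; the router ID, `qg-` interface name, `quantum-l3-agent-*` chain prefix and all addresses are assumptions made for the example, not values from the post.

```shell
#!/bin/sh
# Added example: classify the NAT rules of a Quantum/Neutron router namespace.
# Run on the network node as root with something like:
#   nat_floating_map "$(ip netns exec qrouter-$ROUTER_ID iptables -t nat -S)"
# Everything below works on a constructed dump so it runs offline.

# Constructed sample of `iptables -t nat -S` inside a router namespace.
# Chain names, interface name and addresses are made up for the example.
SAMPLE_NAT_DUMP='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N quantum-l3-agent-OUTPUT
-N quantum-l3-agent-POSTROUTING
-N quantum-l3-agent-PREROUTING
-N quantum-l3-agent-float-snat
-N quantum-l3-agent-snat
-A PREROUTING -j quantum-l3-agent-PREROUTING
-A POSTROUTING -j quantum-l3-agent-POSTROUTING
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A quantum-l3-agent-OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-POSTROUTING ! -i qg-abcdef12-34 ! -o qg-abcdef12-34 -m conntrack ! --ctstate DNAT -j ACCEPT
-A quantum-l3-agent-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A quantum-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
-A quantum-l3-agent-snat -j quantum-l3-agent-float-snat
-A quantum-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 203.0.113.2'

# Constructed variant with the MASQUERADE form the post describes, to show
# the gateway check handles either rule style.
SAMPLE_MASQ_DUMP='-A POSTROUTING -s 10.0.0.0/24 -o qg-abcdef12-34 -j MASQUERADE'

# Print "<floating-ip> <fixed-ip>" for every inbound 1:1 DNAT rule in PREROUTING.
nat_floating_map() {
  printf '%s\n' "$1" | awk '
    /-A .*PREROUTING .* -j DNAT / {
      fip = ""; fixed = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") { fip = $(i + 1); sub(/\/32$/, "", fip) }
        if ($i == "--to-destination") fixed = $(i + 1)
      }
      if (fip != "" && fixed != "") print fip, fixed
    }'
}

# Print "<tenant-cidr> <public-ip|MASQUERADE>" for the whole-subnet outbound
# NAT that router-gateway-set installs; per-host (/32) SNAT rules are skipped
# because those belong to floating IPs, not to the gateway.
nat_gateway_snat() {
  printf '%s\n' "$1" | awk '
    /-A / && /-j (SNAT|MASQUERADE)/ {
      src = ""; to = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "--to-source") to = $(i + 1)
        if ($i == "-j" && $(i + 1) == "MASQUERADE") to = "MASQUERADE"
      }
      if (src != "" && src !~ /\/32$/) print src, to
    }'
}

# Return 0 only if a floating IP is fully wired: inbound DNAT in PREROUTING
# and the matching outbound SNAT in the float-snat chain (so replies and
# outbound mail leave with the floating address, not the gateway address).
nat_floating_ok() {
  dump=$1; fip=$2; fixed=$3
  fip_re=$(printf '%s' "$fip" | sed 's/\./\\./g')
  fixed_re=$(printf '%s' "$fixed" | sed 's/\./\\./g')
  printf '%s\n' "$dump" | grep -q -- \
    "-A [^ ]*PREROUTING -d ${fip_re}/32 -j DNAT --to-destination ${fixed_re}\$" || return 1
  printf '%s\n' "$dump" | grep -q -- \
    "-A [^ ]*float-snat -s ${fixed_re}/32 -j SNAT --to-source ${fip_re}\$" || return 1
  return 0
}

# Stand-alone demo on the constructed dumps.
nat_floating_map "$SAMPLE_NAT_DUMP"
nat_gateway_snat "$SAMPLE_NAT_DUMP"
nat_gateway_snat "$SAMPLE_MASQ_DUMP"
nat_floating_ok "$SAMPLE_NAT_DUMP" 203.0.113.10 10.0.0.5 && echo "floating 203.0.113.10 -> 10.0.0.5 wired"
```

The practical consequence for the post's setup: once a floating IP is associated with the web server's (or Zimbra's) port, the DNAT/SNAT pair lives in the same `qrouter-` namespace the instance already uses as its default gateway, so the extra NAT instance and its second public address are not needed for reachability, and outbound SMTP from that host is sourced from the floating address because the `float-snat` rule is consulted before the subnet-wide gateway SNAT. The gateway address itself is still consumed by the router; whether a deployment can spare it is a separate allocation question that the example does not change.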
