[Openstack] Public IPs without NAT

Matej matej at tam.si
Fri Apr 25 18:54:32 UTC 2014


Hello Amit, I am replying also to the group, perhaps someone will find this
useful one day :-)

I have two physical networks, let's say they are: 192.168.22.0/24 and
102.203.103.80/29. I have a HW router that is the gateway for both networks
and there are 2 NICs from every node (compute, network/controller combined
in my case). Each of those 2 NICs is connected to the appropriate port on
the router.


OVS configuration
[ovs]
debug = False
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
local_ip = 192.168.22.10
integration_bridge = br-int
tunnel_bridge = br-tun
network_vlan_ranges = physnet1,physnet2
bridge_mappings = physnet1:br-em1,physnet2:br-em2

[agent]
polling_interval = 2

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

br-em1 is the bridge for the em1 interface, br-em2 is the bridge for em2.


Networks are created normally via neutron, for example public net:

net-create --provider:physical_network=physnet1 --provider:network_type=flat --shared public_net

subnet-create public_net 102.203.103.80/29 --name public_subnet --no-gateway --host-route destination=0.0.0.0/0,nexthop=102.203.103.81 --allocation-pool start=102.203.103.83,end=102.203.103.86 --dns-nameservers list=true 8.8.8.8



That's just basics, if you need any other information and I will be able to
help, I will be happy to.

Best regards,
Matej



On Fri, Apr 25, 2014 at 11:58 AM, amit gupta <sameidea at gmail.com> wrote:

>
> Hi Matej,
>
> Great! glad to hear that.
>
> I have been trying to do this as well so can you please summarize how you
> did this and also post some configurations.
>
> Regards,
> Amit
>
>
> On 4/25/2014 1:48 AM, Matej wrote:
>
>    Hello Zuo,
>
>  thank you for the information. You are right, br-int cannot be used in bridge
> and that was one of my mistakes.
>  I was able to solve my issue entirely with the following set-up:
>  two physical interfaces on each network and compute node and one physical
> interface is used for private (192.168.22.0/24)
> traffic, the other for public networks.
>
>  And things work just as intended to work!
>
>  Thank you very much for all the information provided, this list is a very
> helpful resource.
>
>  Matej
>
>
> On Fri, Apr 25, 2014 at 4:11 AM, Zuo Changqian <dummyhacker85 at gmail.com> wrote:
>
>> Hi, Matej. About
>>
>>
>>   network_vlan_ranges = physnet1
>>   bridge_mappings = physnet1:br-int
>>
>>  I think br-int can not be used here.
>>
>> You may need another physical interface (or something can function like
>> this) on all compute nodes, let's say ethX, and create a new bridge like:
>>
>>    ovs-vsctl add-br flatnet-br
>>    ovs-vsctl add-port flatnet-br ethX
>>
>>  This must be done on all your compute nodes. On network node, I think
>> just adding flatnet-br is enough, for there is no VM running here.
>>
>>  Then change all your ovs_neutron_plugin.ini like:
>>
>>    network_vlan_ranges = flatnet
>>    bridge_mappings = flatnet:flatnet-br
>>
>>  Now you can use flatnet as your provider network, and VM should connect
>> through it directly to outside physical network environment. It is based on
>> our VLAN + flat testing environment (we totally disabled L3 agent and NAT),
>> hope this could help.
>>
>>
>> 2014-04-24 0:29 GMT+08:00 Matej <matej at tam.si>:
>>
>>>   Hello,
>>>
>>> To hopefully move into the right way (first phase with using flat network with private IPs and then moving further to public IPs), I have removed all previous routers and networks,
>>>
>>>
>>>
>>> my plan now is to use only hardware router (IP 192.168.22.1) and having a flat network type.
>>>
>>>
>>>
>>> I have added the following two lines to
>>> /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini on Controller and
>>> Compute:
>>>
>>> network_vlan_ranges = physnet1
>>> bridge_mappings = physnet1:br-int
>>>
>>>  My current ovs_neutron_plugin.ini on Controller:
>>>
>>> [ovs]
>>> tenant_network_type = gre
>>> tunnel_id_ranges = 1:1000
>>> enable_tunneling = True
>>> local_ip = 192.168.22.10
>>> integration_bridge = br-int
>>> tunnel_bridge = br-tun
>>> tunnel_types=gre
>>> network_vlan_ranges = physnet1
>>> bridge_mappings = physnet1:br-int
>>>
>>> [agent]
>>> polling_interval = 2
>>>
>>> [securitygroup]
>>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>
>>>  My current ovs_neutron_plugin.ini on Compute:
>>>
>>> [ovs]
>>> tenant_network_type = gre
>>> tunnel_id_ranges = 1:1000
>>> enable_tunneling = True
>>> local_ip = 192.168.22.11
>>> tunnel_bridge = br-tun
>>> integration_bridge = br-int
>>> tunnel_types = gre
>>> network_vlan_ranges = physnet1
>>> bridge_mappings = physnet1:br-int
>>>
>>> [agent]
>>> polling_interval = 2
>>>
>>> [securitygroup]
>>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>
>>>  My first goal is to get VMs having IP addresses from the subnet
>>> 192.168.22.0/24,
>>> namely from the pool
>>>
>>> Now I am able to create a net:
>>>
>>> +---------------------------+--------------------------------------+
>>> | Field                     | Value                                |
>>> +---------------------------+--------------------------------------+
>>> | admin_state_up            | True                                 |
>>> | id                        | 43796de1-ea43-4cbe-809a-0554ed4de55f |
>>> | name                      | privat                               |
>>> | provider:network_type     | flat                                 |
>>> | provider:physical_network | physnet1                             |
>>> | provider:segmentation_id  |                                      |
>>> | router:external           | False                                |
>>> | shared                    | True                                 |
>>> | status                    | ACTIVE                               |
>>> | subnets                   | db596734-3f9a-4699-abe5-7887a2a15b88 |
>>> | tenant_id                 | a0edd2a531bb41e6b17e0fd644bfd494     |
>>> +---------------------------+--------------------------------------+
>>>
>>>
>>>
>>>
>>>
>>> And a subnet:
>>>
>>> +------------------+---------------------------------------------------------+
>>> | Field            | Value                                                   |
>>> +------------------+---------------------------------------------------------+
>>> | allocation_pools | {"start": "192.168.22.201", "end": "192.168.22.254"}    |
>>> | cidr             | 192.168.22.0/24                                         |
>>> | dns_nameservers  |                                                         |
>>> | enable_dhcp      | False                                                   |
>>> | gateway_ip       |                                                         |
>>> | host_routes      | {"destination": "0.0.0.0/0", "nexthop": "192.168.22.1"} |
>>> | id               | db596734-3f9a-4699-abe5-7887a2a15b88                    |
>>> | ip_version       | 4                                                       |
>>> | name             | privat-subnet                                           |
>>> | network_id       | 43796de1-ea43-4cbe-809a-0554ed4de55f                    |
>>> | tenant_id        | a0edd2a531bb41e6b17e0fd644bfd494                        |
>>> +------------------+---------------------------------------------------------+
>>>
>>>
>>>
>>>
>>>
>>> I am not using DHCP and then I start CirrOS instance
>>> +--------------------------------------+------+--------+------------+-------------+-----------------------+
>>> | ID                                   | Name | Status | Task State | Power State | Networks              |
>>> +--------------------------------------+------+--------+------------+-------------+-----------------------+
>>> | 10925a36-fbcb-4348-b569-a3fcd5b242a2 | c1   | ACTIVE | -          | Running     | privat=192.168.22.203 |
>>> +--------------------------------------+------+--------+------------+-------------+-----------------------+
>>>
>>>
>>>
>>> Then I log-in to the CirrOS instance via Console and set IP 192.168.22.203: sudo ifconfig eth0 inet 192.168.22.203 netmask 255.255.255.0, but no traffic goes thru.
>>>
>>>
>>>
>>>
>>> I have also tried to update network router:external to True, but with no success.
>>>
>>>
>>> What am I doing wrong here? I am in the phase of building a new infrastructure and can *afford* changes, but after spending so much time around those networking issues I really hope that I will be able to move further on.
>>>
>>>
>>>
>>>
>>>  Thank you for all the ideas in advance.
>>> Matej
>>>
>>>
>>>
>>>
>>> On Wed, Apr 23, 2014 at 10:47 AM, Robert van Leeuwen <
>>> Robert.vanLeeuwen at spilgames.com> wrote:
>>>
>>>> > neutron net-create public --tenant_id a0edd2a531bb41e6b17e0fd644bfd494 --provider:network_type flat --provider:physical_network default --shared True
>>>> > Invalid input for provider:physical_network. Reason: '[u'default', u'True']' is not a valid string.
>>>> >
>>>> > For being able to use --provider:physical_network I need bridge_mappings in configuration, right? When I add it, my existing GRE network stops working.
>>>> > It seems I am lost here ...
>>>>
>>>>  You should be able to run bridge-mapped networks and GRE tunnels at
>>>> the same time.
>>>> Adding the bridge map config should not break GRE. (always do this in a
>>>> test setup first ;)
>>>> We used to do this up to Folsom (maybe even grizzly, do not remember
>>>> exact timelines)
>>>>
>>>> We moved to a full VLAN setup later on because GRE was adding
>>>> complexity without any real benefits.
>>>> (Since we do not expect to have thousands of networks we do not expect
>>>> to run out of VLANs)
>>>>
>>>> Cheers,
>>>> Robert van Leeuwen
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>  _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>>
>>
>
>
>
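
Added example, not part of the original thread: a pre-deployment check for ovs_neutron_plugin.ini that catches the mistake discussed above (a physnet mapped to br-int) and also verifies that a security-group firewall driver is active, since on a flat public network without NAT that driver is the only packet filter in front of the instances. The function name, the finding strings and the sample configs are constructed for illustration.

```python
import configparser

# Constructed samples modelled on the two configurations quoted in the thread.
BROKEN = """[ovs]
integration_bridge = br-int
tunnel_bridge = br-tun
network_vlan_ranges = physnet1
bridge_mappings = physnet1:br-int
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
WORKING = """[ovs]
integration_bridge = br-int
tunnel_bridge = br-tun
network_vlan_ranges = physnet1,physnet2
bridge_mappings = physnet1:br-em1,physnet2:br-em2
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

def _items(value):
    """Split a comma-separated option into stripped, non-empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_ovs_plugin(text):
    """Return findings for an ovs_neutron_plugin.ini body (hypothetical helper)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    ovs = cp["ovs"] if cp.has_section("ovs") else {}
    # Bridges the OVS agent manages itself; the thread found br-int unusable here.
    reserved = {ovs.get("integration_bridge", "br-int"), ovs.get("tunnel_bridge", "br-tun")}
    pairs = (p.partition(":") for p in _items(ovs.get("bridge_mappings", "")))
    mappings = {k.strip(): v.strip() for k, _, v in pairs}
    findings = [f"{n}: mapped to agent-managed bridge {b}" for n, b in mappings.items() if b in reserved]
    # network_vlan_ranges entries are "physnet" or "physnet:vlan_min:vlan_max".
    for entry in _items(ovs.get("network_vlan_ranges", "")):
        if entry.split(":")[0] not in mappings:
            findings.append(f"{entry.split(':')[0]}: no bridge_mappings entry")
    # Without NAT the instance sits directly on the public subnet, so an empty
    # or no-op driver leaves its port unfiltered.
    driver = cp.get("securitygroup", "firewall_driver", fallback="")
    if not driver.strip() or driver.endswith("NoopFirewallDriver"):
        findings.append("securitygroup: no packet filtering on instance ports")
    return findings

if __name__ == "__main__":
    for name, body in (("broken", BROKEN), ("working", WORKING)):
        print(name, check_ovs_plugin(body) or "ok")
```
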