[Openstack] disable source nat by default

Adrian Lewis adrian at alsiconsulting.co.uk
Mon May 18 21:14:04 UTC 2015


This assumes that every router is directly attached to the internet. This
may be the case with home broadband routers and many public clouds but for
just about every corporate network in the world there are several devices
that do routing that are not directly attached to the internet. The
requirement to turn off NAT by default would suit a lot of use cases in my
opinion. NAT is generally not used with IPv6 at all. NAT for IPv4 has a
place and that is at the edge of the network and we should not assume that
a Neutron router namespace is necessarily the edge.



I’ve not experimented with OpenStack much yet but this is the sort of
bizarre (or bizarre to me at least) assumption that also exists with
CloudStack and is one of the reasons why I’m considering abandoning it in
favour of OpenStack. Can anyone offer any knowledge on this front? Am I
about to face the same problem with OpenStack?



*From:* George Mihaiescu [mailto:lmihaiescu at gmail.com]
*Sent:* 18 May 2015 11:39
*To:* Simone Spinelli
*Cc:* openstack at lists.openstack.org
*Subject:* Re: [Openstack] disable source nat by default



Couldn't you achieve the same goal with egress security rules?
Without SNAT enabled, those instances wouldn't be able to reach the
Internet at all, so no package updates, etc.

On 18 May 2015 05:13, "Simone Spinelli" <simone.spinelli at gmail.com> wrote:

Hi all,



by default Neutron routers have source NAT enabled and they masquerade
using the external IP address: you can disable this function using the API
once the router is created.

Is there a way to disable this function by default (I mean create routers
with source NAT disabled)?



Any help is appreciated.



Best regards



Simone
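
The per-router API change mentioned in the thread, as an added example that is not part of the original messages: it audits router records for SNAT and builds the update request that turns it off. It assumes the `enable_snat` field of `external_gateway_info` exposed by Neutron's ext-gw-mode extension; all router IDs, names and network IDs are constructed sample data.

```python
"""Audit Neutron routers for SNAT and build the API update that disables it."""
import json

# Constructed sample shaped like the "routers" list from GET /v2.0/routers.
# Every ID and name here is made up for this example.
SAMPLE_ROUTERS = [
    {"id": "r-edge", "name": "edge",
     "external_gateway_info": {"network_id": "net-ext", "enable_snat": True}},
    {"id": "r-core", "name": "core",
     "external_gateway_info": {"network_id": "net-transit", "enable_snat": False}},
    # No gateway set, so there is no external address to masquerade behind.
    {"id": "r-isolated", "name": "isolated", "external_gateway_info": None},
    # Field absent from the record: treated as enabled (assumption, matching
    # the default-on behaviour described in the thread).
    {"id": "r-legacy", "name": "legacy",
     "external_gateway_info": {"network_id": "net-ext"}},
]


def snat_enabled(router):
    """True if the router has a gateway and SNAT is on (or unspecified)."""
    gateway = router.get("external_gateway_info")
    if not gateway:
        return False
    return gateway.get("enable_snat", True)


def disable_snat_request(router):
    """Return (method, path, body) for the update that disables SNAT.

    The existing network_id is sent back so the gateway stays on the same
    external network; only enable_snat changes.
    """
    gateway = router["external_gateway_info"]
    body = {"router": {"external_gateway_info": {
        "network_id": gateway["network_id"],
        "enable_snat": False,
    }}}
    return "PUT", "/v2.0/routers/%s" % router["id"], body


def plan(routers):
    """Requests needed so that no router in the list performs SNAT."""
    return [disable_snat_request(r) for r in routers if snat_enabled(r)]


if __name__ == "__main__":
    for method, path, body in plan(SAMPLE_ROUTERS):
        print(method, path, json.dumps(body))
```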

