So, I made the following solution. The double NAT solution was overcomplicated for my taste, so I tried to make it simpler, and for my case I did it. It works for the provider router network solution. It will also allow adding other public subnets later; the only requirement is that this subnet should be routed to the hardware node IP address. The problem is with single IPs, but in some cases it could be solved by using a mask greater than /32 and setting a pool with one IP only.

What do we need to do:

  0. In my case the network node works in a virtual machine, so the br-ex interface is linked with a virtual interface on the host machine. In the case of a hardware network node I would recommend not connecting br-ex to any physical interfaces.

  1. As admin create external network:

    neutron net-create ext_net --router:external=True

  2. Add routing subnet into created network:

    neutron subnet-create ext_net \
    --allocation-pool start=172.16.0.2,end=172.16.0.2 \
    --gateway 172.16.0.1 172.16.0.0/30 \
    --disable-dhcp --name routing-subnet

  3. Create main router:

    neutron router-create ext_router

  4. Set the router gateway. After that step the router should get the IP address 172.16.0.2:

    neutron router-gateway-set ext_router ext_net

  5. On the hardware network node set 172.16.0.1 as the IP for br-ex. Now you should be able to ping the router interface:

    ping 172.16.0.2

  6. At this moment it's a good time to set routing of the public subnet to 172.16.0.2.

  7. Set S-NAT on the network node (assume eth0 is an external NIC and has public IP):

    iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/15 -j MASQUERADE

  8. Add a public subnet to the ext_net network. Let's imagine that we have the x.y.z.0/29 subnet. Don't forget to set 172.16.0.1 as the gateway for these subnets. I believe that you can add an unlimited number of subnets.

    neutron subnet-create ext_net \
    --allocation-pool start=x.y.z.1,end=x.y.z.6 \
    --gateway 172.16.0.1 x.y.z.0/29 \
    --disable-dhcp --name public1-subnet

  9. Add the other tenants' private networks as interfaces to the router (the router was created as ext_router in step 3):

    neutron router-interface-add ext_router OTHER_TENANT_SUBNET_ID_OR_NAME

  10. Now you can assign floating IPs to VMs and it should work. VMs without floating IPs will go to the Internet with the hardware network node's public IP.
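The following is an added example, not the answer author's own code. It turns the procedure above into a plan/check script: it validates the addressing invariants the layout depends on (the router's gateway port sits in the 172.16.0.0/30 routing subnet and inside the MASQUERADE source; a public range routed to the node is never inside that source, so floating-IP traffic is not rewritten to the node's own address; allocation pools exclude network and broadcast addresses; a bare /32 is flagged, with the post's wider-mask workaround accepted) and then emits the neutron and iptables command lines in order. It only prints commands, it does not run them. The public ranges (198.51.100.0/29, 203.0.113.9) are constructed documentation addresses standing in for the post's x.y.z.0/29, and the tenant subnet name is a placeholder.

```python
"""Plan and sanity-check the single-NAT provider-router layout from the post.

Added example, not the answer author's code. Generates the command lines and
validates the addressing; it never executes anything.
"""
import ipaddress

# Values taken from the post.
ROUTING_SUBNET = ipaddress.ip_network("172.16.0.0/30")
BR_EX_IP = ipaddress.ip_address("172.16.0.1")        # set on br-ex of the network node
ROUTER_EXT_IP = ipaddress.ip_address("172.16.0.2")   # Neutron router gateway port
MASQ_SOURCE = ipaddress.ip_network("172.16.0.0/15")  # -s of the MASQUERADE rule
EXT_NET = "ext_net"
ROUTER = "ext_router"


def check_routing_subnet():
    """Invariants behind steps 2, 4, 5 and 7."""
    problems = []
    if BR_EX_IP not in ROUTING_SUBNET:
        problems.append("br-ex IP is outside the routing subnet")
    if ROUTER_EXT_IP not in ROUTING_SUBNET:
        problems.append("router gateway IP is outside the routing subnet")
    if BR_EX_IP == ROUTER_EXT_IP:
        problems.append("br-ex and the router would share an address")
    if ROUTER_EXT_IP not in MASQ_SOURCE:
        # Non-floating VM traffic leaves the router SNATed to ROUTER_EXT_IP;
        # if that is not masqueraded it would hit eth0 with a private source.
        problems.append("router SNAT address is not covered by the MASQUERADE rule")
    return problems


def check_public_subnet(cidr, pool_start, pool_end):
    """Invariants behind step 8 for a public range routed to the node."""
    net = ipaddress.ip_network(cidr, strict=False)  # accept host/prefix input
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if net.prefixlen == 32:
        # The post reports trouble with single IPs; its workaround is a wider
        # mask containing the address with a one-address pool.
        problems.append("bare /32; use a wider mask with a one-address pool")
        return problems
    if start not in net or end not in net or int(start) > int(end):
        problems.append("allocation pool is not an ordered range inside the subnet")
    if net.prefixlen < 31 and (start == net.network_address or end == net.broadcast_address):
        problems.append("pool includes the network or broadcast address")
    if BR_EX_IP in net:
        problems.append("gateway must be br-ex in the routing subnet, not part of the public range")
    if net.overlaps(MASQ_SOURCE):
        # Floating IPs inside the MASQUERADE source would be rewritten to the
        # node's public IP on the way out, defeating the floating IP.
        problems.append("public range overlaps the MASQUERADE source")
    return problems


def subnet_create_cmd(name, cidr, pool_start, pool_end):
    return (f"neutron subnet-create {EXT_NET} "
            f"--allocation-pool start={pool_start},end={pool_end} "
            f"--gateway {BR_EX_IP} {cidr} --disable-dhcp --name {name}")


def masquerade_rule(ext_nic="eth0"):
    return f"iptables -t nat -A POSTROUTING -o {ext_nic} -s {MASQ_SOURCE} -j MASQUERADE"


def plan(public_subnets, tenant_subnets, ext_nic="eth0"):
    """Ordered commands for steps 1-4 and 7-9; raises if any check fails so
    nothing half-configured is emitted."""
    problems = check_routing_subnet()
    for name, cidr, s, e in public_subnets:
        problems += [f"{name}: {p}" for p in check_public_subnet(cidr, s, e)]
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        f"neutron net-create {EXT_NET} --router:external=True",
        subnet_create_cmd("routing-subnet", ROUTING_SUBNET, ROUTER_EXT_IP, ROUTER_EXT_IP),
        f"neutron router-create {ROUTER}",
        f"neutron router-gateway-set {ROUTER} {EXT_NET}",
        masquerade_rule(ext_nic),
    ]
    cmds += [subnet_create_cmd(n, c, s, e) for n, c, s, e in public_subnets]
    cmds += [f"neutron router-interface-add {ROUTER} {t}" for t in tenant_subnets]
    return cmds


if __name__ == "__main__":
    # Constructed sample: a /29 block and a single address (in a /30 wrapper),
    # both assumed to be routed upstream to the network node's public IP.
    sample_public = [
        ("public1-subnet", "198.51.100.0/29", "198.51.100.1", "198.51.100.6"),
        ("single-ip-subnet", "203.0.113.9/30", "203.0.113.9", "203.0.113.9"),
    ]
    print("\n".join(plan(sample_public, ["OTHER_TENANT_SUBNET_ID_OR_NAME"])))
```

Running it prints the commands for steps 1-4 and 7-9 in order; steps 5 and 6 (the br-ex address and the upstream route) are host and upstream configuration and are left to the operator. Moving the public range into 172.16.0.0/15, or putting 172.16.0.1 inside it, makes `plan` refuse to emit anything.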
