For running a router VM inside your tenant you should disable anti-spoofing on the veth, and you should instruct your neutron router what the next hop for your "internal" network is.

For example, if you have a network called net-external where your neutron router has an interface at IP 192.168.0.1, you could put your VM at IP 192.168.0.254. Next you can have an internal network called net-internal where your VMROUTER is the default GW with IP 192.168.1.254.

So these could be the steps:

neutron net-create net-external
neutron subnet-create --name subnet_external --allocation-pool start=192.168.0.100,end=192.168.0.200 net-external 192.168.0.0/24

Create a router01 and attach a new interface to subnet_external -> you can do this in Horizon

neutron net-create net-internal
neutron subnet-create --name subnet_internal --allocation-pool start=192.168.1.100,end=192.168.1.200 --gateway 192.168.1.254 net-internal 192.168.1.0/24

neutron security-group-create --description 'A permissive security group to be applied to the gateway' gateway-security-group
neutron security-group-rule-create --direction ingress --remote_ip_prefix 0.0.0.0/0 gateway-security-group

Create the internal port:

neutron port-create --name internal_gw_port --fixed-ip ip_address=192.168.1.254 --security-group gateway-security-group net-internal

Now that's the trick! Disable anti-spoofing for the internal subnet (you must change the MAC address):

neutron port-update internal_gw_port --allowed_address_pairs type=dict list=true mac_address=fa:16:3e:8d:69:50,ip_address=0.0.0.0/0

Now we create the port for the external subnet:

neutron port-create --name external_gw_port --fixed-ip ip_address=192.168.0.254 --security-group gateway-security-group net-external

And we also have to permit packets (no anti-spoofing) for subnet_internal (192.168.1.0/24) on the external veth -> port external_gw_port (you must change the MAC address):

neutron port-update external_gw_port --allowed_address_pairs type=dict list=true mac_address=fa:16:3e:25:69:92,ip_address=192.168.1.0/24

Now you have to insert on your neutron router a static route to your subnet_internal -> neutron doesn't have access to this subnet, and it must forward packets to your VM:

neutron router-update router01 --routes type=dict list=true nexthop=192.168.0.254,destination=192.168.1.0/24

Now you can boot your router VM and pass it the 2 ports (you must change the port IDs):

nova boot --flavor m1.small --key-name "YOUR KEY" --image YOUR_ROUTER_IMAGE --nic port-id=c95b4f6c-2ac5-405a-a532-bd6f7e299a73 --nic port-id=190f4b1b-eecf-483d-b156-3a66f1a4a836 --config-drive=true VMROUTER

Another little trick: if you want to use a floating IP on your instances besides your VMROUTER (on subnet_internal), you have to assign multiple floating IPs to your VMROUTER on the same port, and to do this you have to assign multiple "private" IPs on external_gw_port; for example, to add the IP 192.168.0.251:

neutron port-update external_gw_port --fixed-ip subnet_id=ad19756e-2652-4e8f-a0fd-5dc3b0835070,ip_address=192.168.0.251 --fixed-ip subnet_id=ad19756e-2652-4e8f-a0fd-5dc3b0835070,ip_address=192.168.0.254

In the above example you could use 192.168.0.254 as the primary IP and 192.168.0.251 as a secondary IP, and with this you could create a second NAT/PAT to your instances on subnet_internal.

HTH Amedeo
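The following is an added illustration, not part of the answer above and not Neutron's own code: a small Python model of the per-port anti-spoofing check that the two port-update commands relax. It walks the two forwarded flows a VMROUTER has to carry (a guest packet leaving through external_gw_port with the guest's source IP, and a reply coming back through the Neutron router's static route and leaving through internal_gw_port with a foreign source IP), shows that both are dropped until the allowed-address-pairs are added, that a pair left with a copy-pasted MAC that is not the port's own MAC does nothing, and that the 0.0.0.0/0 pair removes IP spoofing protection from internal_gw_port completely. The port names, MACs and addresses are the answer's; the guest address 192.168.1.100 and the Internet address 203.0.113.10 are constructed sample values, and the model ignores Neutron's ARP and DHCP rules.

```python
"""Model of Neutron's per-port anti-spoofing (port security) check and why the
router-VM recipe needs the two allowed-address-pairs it adds.
Added illustration, not Neutron code. Guest/Internet addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Port:
    name: str
    mac: str                      # MAC Neutron assigned to the port
    fixed_ips: list               # IPs Neutron assigned to the port
    allowed_pairs: list = field(default_factory=list)   # [(mac, cidr), ...]

    def add_allowed_pair(self, cidr, mac=None):
        """Mirror of `neutron port-update --allowed-address-pairs`: when no
        mac_address is given, Neutron uses the port's own MAC for the pair."""
        self.allowed_pairs.append(((mac or self.mac).lower(), cidr))

    def egress_allowed(self, src_mac, src_ip):
        """A frame leaving the VM through this port passes only if it carries the
        port's MAC with one of its fixed IPs, or matches an allowed pair: the
        pair's MAC and a source IP inside the pair's prefix."""
        src_mac, ip = src_mac.lower(), ip_address(src_ip)
        if src_mac == self.mac.lower() and any(ip == ip_address(f) for f in self.fixed_ips):
            return True
        return any(src_mac == mac and ip in ip_network(cidr, strict=False)
                   for mac, cidr in self.allowed_pairs)


def build_ports():
    """The two ports from the answer, as created, before any port-update."""
    internal = Port("internal_gw_port", "fa:16:3e:8d:69:50", ["192.168.1.254"])
    external = Port("external_gw_port", "fa:16:3e:25:69:92", ["192.168.0.254"])
    return internal, external


def router_vm_flows(internal, external):
    """Outcome of the two forwarded flows the VMROUTER must carry.
    guest_to_internet: the VM forwards a guest packet (src 192.168.1.100,
    constructed) out of external_gw_port without NAT, keeping the guest's IP.
    internet_to_guest: the reply (src 203.0.113.10, constructed) arrives via the
    Neutron router's static route and leaves the VM through internal_gw_port."""
    return {
        "guest_to_internet": external.egress_allowed(external.mac, "192.168.1.100"),
        "internet_to_guest": internal.egress_allowed(internal.mac, "203.0.113.10"),
    }


def apply_answer_updates(internal, external):
    """The two port-update commands from the answer, with each pair's MAC set to
    the port's own MAC as the answer requires."""
    internal.add_allowed_pair("0.0.0.0/0")
    external.add_allowed_pair("192.168.1.0/24")


def demo():
    internal, external = build_ports()
    before = router_vm_flows(internal, external)    # both dropped by anti-spoofing

    # Leaving the MAC from a copy-pasted command in place does not help: the
    # pair only matches frames that carry that (wrong) MAC, not the port's own.
    stale = Port("external_gw_port", "fa:16:3e:aa:bb:cc", ["192.168.0.254"])
    stale.add_allowed_pair("192.168.1.0/24", mac="fa:16:3e:25:69:92")
    wrong_mac_pair = stale.egress_allowed(stale.mac, "192.168.1.100")

    apply_answer_updates(internal, external)
    after = router_vm_flows(internal, external)     # both now pass

    # Caveat: 0.0.0.0/0 on internal_gw_port disables IP spoofing protection for
    # that port entirely, e.g. the VM may now source packets as the Neutron router.
    internal_spoof = internal.egress_allowed(internal.mac, "192.168.0.1")
    # The narrower 192.168.1.0/24 pair on external_gw_port still rejects other sources.
    external_spoof = external.egress_allowed(external.mac, "10.0.0.1")
    return {
        "before": before,
        "wrong_mac_pair": wrong_mac_pair,
        "after": after,
        "internal_port_can_spoof_anything": internal_spoof,
        "external_port_still_limited": not external_spoof,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical reading: each pair should be as narrow as the traffic the VM really forwards. If the router VM NATs everything it sends towards net-internal, a pair for the external subnet plus whatever it must relay is enough and 0.0.0.0/0 can be avoided; if it must forward arbitrary Internet sources unchanged, 0.0.0.0/0 is what the recipe needs, and that port then has no spoofing protection at all.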