Ask Your Question
0

Incoming external subnet routing through a different subnet gateway

asked 2014-05-22 08:10:12 -0500

heathen gravatar image

updated 2014-05-22 08:16:49 -0500

Hello!

I'm totally stuck in my tries to figure out how to realize the following scheme:

I have very small amount of external IP addresses ( /29 subnet ). Since I don't want to loose 2 of that IPs just for routing I thought to make a routing with, for ex., 172.16.0.0/30 network and route my external IP subnet through it. Later I'll be able to get another /29 subnet, so I thought to expand this solution for this also.

But I have no idea how to realize it with OpenStack/Neutron. I spent a lot of times in different tries without any success. I tried to make two subnets for external network, but it's impossible to choose which IP to use for external gateway. Even if I would add one subnet (172.16.0.0/30) first and set gateway and then would add an external subnet, the router will use 172.16.0.x for SNAT (as I can understand it).

So I would be very appreciate for any additional advices how to realize this scheme.

I have a multinode setup with separate network node, openvswitch and gre networks.

Edit: just to make the idea a little bit clearer.

I would like to realise the scheme in which external hardware router interface has IP 172.16.0.1/30, virtual router interface has IP 172.16.0.2/30, hardware router route external public subnet to 172.16.0.2. Virtual external network should has two or more subnets: 172.16.0.0/30 and another (one or more) /29 public subnet. One IP of this public subnet could used as a virtual router SNAT interface and another ones should used as floating IPs.

edit retag flag offensive close merge delete

2 answers

Sort by » oldest newest most voted
1

answered 2014-05-22 08:25:09 -0500

SamYaple gravatar image

External networks with neutron are a large source of pain right now. There are very few (if any!) very large enviroments running neutrons l3 agents for this very reason. The best answer I can think of for you would be a double nat situation.

There is no current way to add or join another network without a second l3 agent. It is a real source of pain for us curently. But we have a large public block so we have been able to get around the issue at least temporarily.

Another answer doesn't really help you with the immediate problem, but a good answer for higly aviable multiple neutron l3 agents can be found here in jaypipes answer. We use it in a current deployment and it _seems_ to be working as designed. We are not ready to fully roll it out yet.

edit flag offensive delete link more

Comments

Thank you very much for your answer! I saw the article about double nat during my Google investigation but was hoping that this time something changed.

heathen gravatar imageheathen ( 2014-05-22 12:06:28 -0500 )edit

If something does change, please let me know!

SamYaple gravatar imageSamYaple ( 2014-05-22 12:22:48 -0500 )edit

SamYaple, I'm slightly changed double nat solution to make it a little bit simplier. Hope it can be useful.

heathen gravatar imageheathen ( 2014-05-26 17:42:49 -0500 )edit
0

answered 2014-05-26 17:39:20 -0500

heathen gravatar image

updated 2014-05-26 17:41:08 -0500

So, I made the following solution. Double nat solution was overcomplicated for my taste, so I tried to make it simpler. And for my case I did it. It works for the http://docs.openstack.org/havana/install-guide/install/apt/content/section_networking-provider-router_with-provate-networks.html (provider router network solution). It will also allow to add another public subnets later - the only requirement is that this subnet should be routed to the hardware node IP address. The problem is with single IPs, but in some cases it could be solved by using greate that /32 mask and setting pool with one IP only.

What do we need to do:

0. In my case network node works in virtual machine, so br-ex interface is linked with virtual interface on the host machine. In case of hardware network node I would recommend do not connect br-ex to any physical interfaces.

  1. As admin create external network:

    neutron net-create ext_net --router:external=True

  2. Add routing subnet into created network:

    neutron subnet-create ext_net \
    --allocation-pool start=172.16.0.2,end=172.16.0.2 \
    --gateway 172.16.0.1 172.16.0.0/30 \
    --disable-dhcp --name routing-subnet

  3. Create main router:

    neutron router-create ext_router

  4. Set router gateway. After that step router should get IP address 172.16.0.2:

    neutron router-gateway-set ext_router ext_net

  5. On hardware network node set 172.16.0.1 as IP for br-ex. Now you should be able to ping router interface:

    ping 172.16.0.2

  6. At this moment it's a good time to set routing of the public subnet to 172.16.0.2.

  7. Set S-NAT on the network node (assume eth0 is an external NIC and has public IP):

    iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/15 -j MASQUERADE

  8. Add a public subnet as a subnet to ext_net network. Let's try to imagine that we have x.y.z.0/29 subnet. Don't forget to set 172.16.0.1 as a gateway for these subnets. I believe that you can add unlimited amount of subnets.

    neutron subnet-create ext_net \
    --allocation-pool start=x.y.z.1,end=x.y.z.6 \
    --gateway 172.16.0.1 x.y.z.0/29 \
    --disable-dhcp --name public1-subnet

  9. Add interfaces to the other tenants' private networks to the router:

    neutron router-interface-add main_router OTHER_TENANT_SUBNET_ID_OR_NAME

  10. Now you can assign floating IPs to VMs and it should works. VMs without floating IPs will go to the Internet with hardware network node public IP.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-05-22 08:10:12 -0500

Seen: 1,738 times

Last updated: May 26 '14