Single box, shared external network: How to connect tenant networks?
We run a single box with OpenStack Grizzly including Quantum ... sorry ... Neutron networking.
There is one shared, external network which has some floating IPs defined and each tenant has her own internal network to which instances are connected.
Inside the tenant we defined a router with the external network as a gateway and to which we connect the instances of the tenant.
No error messages, though no connectivity either.
I have debugged the l3agent a bit and seen that it seems to generate reasonable iptables rules to NAT between the floating IP and the internal IP of the instance in question. However, those rules live in the network namespace of that tenant, while the br-ex where the traffic comes in lives in the root network namespace.
So I wonder how that is supposed to work at all. Did anyone ever get such a config to work?