Is it possible to run a tenant router without consuming a floating ip as gateway address?

2015-02-11

Michael Steffens

We are attempting to expose multiple separated tenant networks via an external subnet, having only a very tight pool of floating IPs available. So it's a real pain that every tenant router is allocating its own gateway address from this pool, without this address ever being used in any actual routing configuration.

Tenant routers, configured in a way as described in , have to provide each floating IP individually on their gateway interface anyway, in order to perform NAT to the corresponding instance private addresses.

Assuming we will never expose the tenant networks directly via the routers (which would imply the need for a gateway address), but always perform inbound connections using the instances' floating IPs and NAT, is there any way to configure neutron not to allocate gateway IPs?

2015-02-11

larsks

After writing up an answer, I'm not sure I understand your question exactly. A router does not "allocate a gateway address" from the floating ip pool (the gateway address is whatever you assigned as the gateway when you created the external subnet). However, a router does require an address on the network in order to route properly:

A router namespace must have an address on the floating ip network, otherwise it would be unable to reach the default gateway for outbound traffic. Consider a router that connects a tenant network with address range with an external network with range (and a default gateway of; the interfaces would look something like:

9: qr-416ca0b2-c8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:54:51:50 brd ff:ff:ff:ff:ff:ff
    inet brd scope global qr-416ca0b2-c8
       valid_lft forever preferred_lft forever
12: qg-2cad0370-bb: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:f8:f4:c4 brd ff:ff:ff:ff:ff:ff

Where the qr-... interface is on the private tenant network, and the qg-... network is connected to the external network.

This namespace needs to have a default route on the external network in order to properly route outbound traffic. Without an ip address assigned, if we try this inside the namespace:

ip route add default via

We get:

 RTNETLINK answers: Network is unreachable

Without an address on the floating ip network, we can't set up the necessary routes.
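The reachability check behind that error, modelled in Python as an added example (not part of the original answer and not neutron's code): a default route can only be installed when the gateway lies on a subnet that is directly connected through one of the namespace's interface addresses. The addresses are constructed documentation-range values and the function names are hypothetical; the interface names are the ones from the listing above.

```python
import ipaddress

# Constructed sample addressing (documentation ranges), not taken from the
# page, whose own addresses are missing.
TENANT_ADDR = "10.0.0.1/24"      # qr- interface, tenant side
EXTERNAL_ADDR = "192.0.2.10/24"  # qg- interface, external side
EXTERNAL_GW = "192.0.2.1"        # default gateway of the external subnet


def connected_routes(interfaces):
    """Return (network, device) pairs derived from interface addresses.

    `interfaces` maps a device name to a list of "address/prefixlen" strings.
    A host address (/32) yields no subnet route, so it is skipped.
    """
    routes = []
    for dev, addrs in interfaces.items():
        for addr in addrs:
            iface = ipaddress.ip_interface(addr)
            if iface.network.prefixlen < iface.network.max_prefixlen:
                routes.append((iface.network, dev))
    return routes


def add_default_route(interfaces, gateway):
    """Model `ip route add default via <gateway>` inside the namespace.

    Returns the egress device if the gateway is on a directly connected
    subnet, otherwise raises OSError with the text of the netlink reply.
    """
    gw = ipaddress.ip_address(gateway)
    matches = [(net, dev) for net, dev in connected_routes(interfaces) if gw in net]
    if not matches:
        raise OSError("RTNETLINK answers: Network is unreachable")
    # Longest prefix wins, as in a normal route lookup.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def try_route(interfaces, gateway):
    """Return the egress device name, or the error text if the add fails."""
    try:
        return add_default_route(interfaces, gateway)
    except OSError as exc:
        return str(exc)
```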

My wording was quite sloppy, sorry, referring to the external router interface as gateway. I understand your answer as the router needs its own floating IP for outbound traffic of instances, which can't provide a floating IP of their own. Otherwise it could theoretically do without, right?

Michael Steffens ( 2015-02-18 )

Asked: 2015-02-11

Last updated: Feb 11 '15