Nova vlan setup problem
I have a 2-node OpenStack Grizzly setup running under Ubuntu 12.04.
Both servers have a single NIC (eth0). Each server has a public IP address. There's also a VLAN (2007) available which connects to a firewall. For example:
Node 1
public IP: 8.1.1.2 on eth0
gateway IP: 8.1.1.1
private IP: 172.16.1.2 on eth0.vlan2007 (assigned by Nova)
Node 2
public IP: 8.1.1.3 on eth0
gateway IP: 8.1.1.1
private IP: 172.16.1.3 on eth0.vlan2007 (assigned by Nova)
Router
public IP: 16.2.3.4
private IP: 176.16.1.1 on vlan 2007
I did my setup with Nova using VlanManager like this:
nova network-create public --fixed-range-v4=172.16.1.0/24 --vlan=2007 --bridge=br2007 --gateway=172.16.200.1
I can create instances and they get 172.16.1.x addresses and they can ping each other, so VLAN networking is fine. I can also ping those instances from the router.
However, when I try to NAT a public IP of the router to an instance IP, I can't ping it:
router public IP: 16.2.3.5 --NATted to--> instance public IP: 172.16.1.5
I did a tcpdump on the compute node and I can see the ping reaching the compute node. However, the ping is not passed to the instance.
What am I missing?
Edit: I got it working by disabling the compute node firewall (firewall_driver=nova.virt.firewall.NoopFirewallDriver in nova.conf). Now the question is what's missing in the config to re-enable the firewall?
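Added example, not from the original post: a small script that swaps the NoopFirewallDriver workaround back for the iptables driver in a nova.conf and emits the Grizzly security-group rule that would let ICMP reach the instances. It assumes (the post does not confirm this) that the dropped pings were security-group filtering done by the iptables firewall driver; the nova.conf path, the "default" group name and the source CIDR are placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumption: with the iptables
# firewall driver active, inbound ICMP to an instance is dropped unless a
# security-group rule permits it, so keep the driver and add the rule.

IPTABLES_DRIVER="nova.virt.libvirt.firewall.IptablesFirewallDriver"

# Set firewall_driver in a nova.conf, replacing an existing value (such as the
# NoopFirewallDriver workaround) or appending one if the key is absent.
set_firewall_driver() {
    conf="$1"; driver="$2"; tmpf="${conf}.tmp"
    if grep -q '^firewall_driver *=' "$conf"; then
        sed "s|^firewall_driver *=.*|firewall_driver=${driver}|" "$conf" > "$tmpf" \
            && mv "$tmpf" "$conf"
    else
        printf 'firewall_driver=%s\n' "$driver" >> "$conf"
    fi
}

# Print the configured firewall_driver (empty output when the key is unset).
get_firewall_driver() {
    sed -n 's/^firewall_driver *= *//p' "$1"
}

# Emit the nova CLI call that allows ICMP (any type/code) from the given CIDR
# into the "default" security group. Printed, not executed, so the script is
# safe to run anywhere; pipe the output to sh on a node with nova credentials.
icmp_rule_cmd() {
    printf 'nova secgroup-add-rule default icmp -1 -1 %s\n' "$1"
}

# Demo on a constructed nova.conf copy; /etc/nova is never touched.
demo() {
    tmp=$(mktemp)
    printf '[DEFAULT]\nnetwork_manager=nova.network.manager.VlanManager\n' > "$tmp"
    printf 'firewall_driver=nova.virt.firewall.NoopFirewallDriver\n' >> "$tmp"
    set_firewall_driver "$tmp" "$IPTABLES_DRIVER"
    echo "firewall_driver is now: $(get_firewall_driver "$tmp")"
    icmp_rule_cmd 0.0.0.0/0   # placeholder CIDR: narrow it to the pinging hosts
    rm -f "$tmp"
}
demo
```

Restart nova-compute after changing firewall_driver so the chains are rebuilt.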