no outbound access with separate public_interface

asked 2015-05-19 16:24:01 -0500

sgenchev gravatar image

updated 2015-05-20 18:51:33 -0500

Hi, I am running juno and using nova networking. I am not ready yet to deploy Newtron. I am bumping into a problem that I am not sure how best to solve.

My nova nodes have several network interfaces:

  • eth0 is management and general access to nova. This is the interface where default gateway configured.
  • eth1 is vlan_interface. Tagged VLANs for separate projects live there.
  • eth2 is public_interface. This interface is on VLAN different from eth0 in different IP space.

Inbound access to instances via associated public IP works fine. Floating IP is bound to eth2, NAT works. Outbound access from instances is broken. Outbound connections from instances go out via eth0 and do not get SNATed to their floating IPs.

When I look at the iptables rules, I see that there are lines for my instances in nova-network-float-snat chain:

SNAT all -- * eth2 172.16.6.6 0.0.0.0/0 to:10.3.4.9

which translates to: "All traffic from my instance self IP (172.16.6.6) leaving via eth2 interface please SNAT to associated floating IP (10.3.4.9). The problem is that the routing table on the nova node has default gateway on eth0; so the iptables rule above never matches. This would have worked fine if my management interface and floating_interface were the same but I would like to avoid it for many reasons.

Is there a proper way to make it work? I could start creating routing rules and separate routing tables outside of OpenStack but I am not sure this is the correct way. Did anyone else see this problem or knows how to solve it? Thank you.

edit retag flag offensive close merge delete