NAT functionality inside tenant

asked 2015-06-08 07:49:48 -0500

Jin_Dev gravatar image

I am trying out NAT setup inside openstack tenant. Openstack details -> Icehouse with nova-networking using flatDHCPmanager (no neutron yet)

Setup is very simple -> I have 2 VM instance spawned by openstack. Following are setup details ->

VM - A -> has 1 public interfaces and 1 private ip interface

VM - B -> 1 private ip interface

I want to use VM-A as gateway for VM-B. I am installing routing rules in VM-B to use VM-A as default route for external connectivity. I am configuring SNAT using iptables in VM-A. When I am pinging external node from VM-B I see following behavior ->

  1. VM-B sends ping packet to VM-A
  2. VM-A performs SNAT changes the source address and sends it to external node
  3. External node sends back the response, and VM-A performs reverse NATing
  4. Response never reaches VM-B !

On further investigation I found that possible suspect to be ebtable rules on the compute host which are configured by nova during instance launch.

My questions is, how do I make this setup work? How to make one of the VM as default GW + NAT for other VMs within the tenant ?

edit retag flag offensive close merge delete


What firewall driver is used ? verify whether your setup is working after flushing the iptables from all compute nodes.

If you can move to neutron, then you can use allowed-address-pairs feature to fix this.

Ranjit gravatar imageRanjit ( 2015-06-09 02:21:29 -0500 )edit

Hi Ranjit,

Firewall driver in-use is nova.virt.libvirt.firewall.IptablesFirewallDriver. I haven't tried flushing iptables configuration on compute node but I have tried flushing ebtable rules and it works after flushing. But flushing ebtable rules is not a preferred way of making this thing work.

Jin_Dev gravatar imageJin_Dev ( 2015-06-09 05:42:19 -0500 )edit

I think you can use firewall_driver as nova.virt.firewall.NoopFirewallDriver . this setting will not add any firewall rule for VM.

If you do want to use firewall, then use neutron with allowed-address-pairs feature.

Ranjit gravatar imageRanjit ( 2015-06-09 06:32:42 -0500 )edit