Ask Your Question

Use floating IP of instances in outgoing packages [closed]

asked 2016-01-05 06:52:41 -0500

DanielJ gravatar image

updated 2016-01-05 08:02:51 -0500

Hi all,

in our current cloud setting, we have a separate controller node which serves as a network node, too. The set up is basically done as described in the official installation guide for OpenStack Juno with Open vSwitch, L3, ML2, etc.. The virtual machines (instances) are running on compute nodes with gre tunnels to the network node.

If a TCP connection is established from somewhere in the internet to an VM, its floating IP is used in the IP headers of the sent packages. But when the VM initiates an TCP connection the IP of the network node is used in the IP headers.

Is it possible to always use the floating IP of the VM? If so, how can I configure the services to work as wished?


If I run iptables-save on the network node, I see the following nat rule:

-A POSTROUTING -o external-network-interface -j MASQUERADE

If I understand this rule correctly, the floating IPs of all messages leaving the computer via the external network interface are replaced by the IP of the network node. How can this individual rule be dropped without changing any other rule?

How can I configure neutron or any other service such that this rule does not occur any more?



edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by DanielJ
close date 2016-01-20 04:03:47.707839

2 answers

Sort by ยป oldest newest most voted

answered 2016-01-07 23:17:27 -0500

StevenLi gravatar image

The behavior is as designed.

When the VM is trying to reach external network, no matter there is a floating IP is assigned, it works via SNAT by Neutron in network node. When the VM is reached by an external machine, the floating ip must be assigned and used.

edit flag offensive delete link more

answered 2016-01-07 06:17:20 -0500

DanielJ gravatar image

It seems that the given iptables rule was manually created by a former administrator. With the command

iptables -L -t nat --line-numbers

you can see the number of the MASQUERADE rule. With this number you can execute

iptables -t nat -D POSTROUTING <line_number>

to remove this rule. Thereafter, the messages of outgoing connections from VMs keep their floating IPs.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-01-05 06:52:41 -0500

Seen: 210 times

Last updated: Jan 07 '16