Just say no to SNAT

asked 2016-06-16 19:27:18 -0600

eyeofthebeholder

Let's say I assign a public address directly to an instance and then assign the .1 address from that same subnet to said instance's associated DVR router. Great, fine and dandy. Then I also assign a flat external network on the outside of that DVR router that gets it to the internet. No problem. Traffic will go out from the VM and get SNATed on to the internet just fine.

But, these are my design requirements:

1 - Public IP on VM

2 - DVR router


So the IP assigned to the VM is the IP the internet would see and respond to. I know this is possible using a direct flat network with no DVR router, but our design requirements are that there is a DVR router... Also, just to be clear, I recognize that for this to work, I would need to add a route on the external router outside the DVR router to ensure return traffic gets back to the VM.

Is this idea possible?




If you have a router sitting in between your instance and the internet, then you need to create a public IP as your internal network and disable SNAT on the router. It should be done. I believe I did it before.

senyapsudah ( 2016-06-17 03:31:51 -0600 )

1 answer


answered 2016-07-05 21:55:57 -0600

james-denton

I realize I'm late to the party, but I'm curious to know why you're considering DVR if one of your requirements is a public IP on the VM/instance and no SNAT/DNAT. Even though you can disable SNAT and route the 'tenant' network to the external IP of the Neutron router, it only really works when the address is consistently the same. With DVR, every compute node will have a FIP namespace attached to a particular provider network, each with its own unique address from the subnet. It would be difficult to create an upstream route for the tenant (public, in your case) network, given that you wouldn't know which router/fip namespace would be the next hop. This isn't so much an issue for legacy or HA routers, since a single router acts as the gateway for the network.

If possible, I would simplify your environment and forgo Neutron routers altogether, especially if you're talking a few networks, no NAT, and can rely on hardware failover (e.g. VRRP/HSRP).
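The "public range as a tenant network, SNAT disabled on the router, static route upstream" layout discussed in this thread, written out as an added example with python-openstackclient (this is not code from the thread's participants). The prefix 203.0.113.0/24, the names public-net, public-subnet, ext-net and public-rtr, and the Linux upstream router are constructed placeholders; as the answer above notes, the static route only has a stable next hop with a legacy or HA router, not with DVR.

```shell
#!/bin/sh
# Added example: build a Neutron router that forwards a public tenant subnet without
# SNAT. DRY_RUN=1 prints the commands instead of running them, so the change can be
# reviewed before anything is applied. All names and addresses are constructed.
PUBLIC_CIDR="${PUBLIC_CIDR:-203.0.113.0/24}"   # constructed public prefix (TEST-NET-3)
PUBLIC_GW="${PUBLIC_GW:-203.0.113.1}"          # .1 lives on the Neutron router, as in the question
EXT_NET="${EXT_NET:-ext-net}"                  # flat provider network toward the upstream router
ROUTER="${ROUTER:-public-rtr}"

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The public range is created as an ordinary (tenant) network and attached to the
# router; the router's external gateway is then set with SNAT disabled, so packets
# leave with the instance's own public source address rather than the gateway IP.
build_no_snat_router() {
  run openstack network create public-net
  run openstack subnet create --network public-net --subnet-range "$PUBLIC_CIDR" \
      --gateway "$PUBLIC_GW" public-subnet
  run openstack router create "$ROUTER"
  run openstack router add subnet "$ROUTER" public-subnet
  run openstack router set --external-gateway "$EXT_NET" --disable-snat "$ROUTER"
}

# Confirm the flag really took effect before relying on return traffic working.
check_snat_disabled() {
  openstack router show -f json -c external_gateway_info "$ROUTER" \
    | grep -q '"enable_snat": false'
}

# Static route on the upstream (non-Neutron) router, assumed here to be a Linux box.
# $1 is the Neutron router's address on EXT_NET, i.e. the next hop for the public range.
upstream_route() {
  run ip route add "$PUBLIC_CIDR" via "$1"
}
```

Once SNAT is off, the instance's public address is reachable directly, so the security group rules on the port are the only filter in front of it.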



Asked: 2016-06-16 19:27:18 -0600

Seen: 982 times

Last updated: Jul 05 '16