I am using Havana release and I need to make a Instance behave like a openvpn server and router, something like cloudpipe but L3. I have following setup external net --- instance(router) --- internal net --- other hosts
The internal network is gre based L2 network in my tenant. The router instance have one interface in the external network and on in the internal. The issue I face is that neutron security groups , have the following rules per port - this is to the internal network:
Chain neutron-openvswi-sbb49f61d-5 (1 references) pkts bytes target prot opt in out source destination 6 504 RETURN all -- * * 10.4.4.1 0.0.0.0/0 MAC FA:16:3E:EA:20:7F 1368K 124M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
This is nice for security, but packets source is not my interface ip 10.4.4.1 when instance forward packets. Do you know better way to work around this limitation than manualy editing the iptables rules ?