i have done an experiment to create an image of pfSense (www.pfsense.org) that is used like a router in my tenant.
I've installed "virtio" driver on FreeBSD 8.3 for networking & disk support and image work perfectly.
I have a "demo" tenant with this network topology:
- WAN: 192.168.100.0/24 - DHCP Enabled - Gateway 192.168.100.1
- LAN: 10.0.0.0/24 - DHCP Enabled - No Gateway
- Router with 192.168.100.0/24 interface and connected to ext_net
Inside this tenant there are two VM:
- pfSense - An instance of pfSense that I use like a router with two network card (WAN:192.168.100.2 & LAN:10.0.0.2)
- cirros - An instance of Cirros connected with one network card to LAN 10.0.0.4
In cirros I've change default route to point to 10.0.0.2 address so pfSense can route packet to WAN for me.
But routing doesn't work.
After a bit of testing, I realized that it's a problem with a DROP iptables rule, generated by agent on the hypervisor where VM runs, for protect by spoofing attack.
It's possible to disable/remove this rule for a single port with neutron API ?