Thanks Thiago, Did you try to add Port Forwarding iptables' rules directly to the OpenStack router ?
Best Regards, Abbass 2013/12/19 Martinx - ジェームズ <[email protected]> > Cool! You're welcome! =) > > My topology is "Per-Tenant Router with Private Networks", it does looks > like your first example but, a bit different, like this: > > --- > Yours: > > Internet ---- public-network ---- OpenStack-Router ---- > Private-OpenStack-Network ---- NAT-Instance > > | > > -- > Other-Instances > - > Mine: > > Internet ---- public-network ---- OpenStack-Router ---- > Private-OpenStack-Network ---- NAT-Instance > > | > > -- Other-Instances > --- > > The "NAT Instance" is just a regular Instance (plus its Floating IP), > there is nothing "connected behind it" (i.e. no eth0 public / eth1 > private), it is "parallel / side-by-side" to the others Instances, the > network traffic comes in and out the "NAT Instance" trough the same > ethernet interface (another creepy point of this IPv4 topology). > > Best, > Thiago > > On 19 December 2013 15:31, Abbass MAROUNI > <[email protected]>wrote: > >> Dear Thiago, >> >> Thanks a lot for your answer. >> >> One more thing, do your configuration look something like this : >> >> >> Internet ---- public-network ---- OpenStack-Router ---- >> Private-OpenStack-Network ---- NAT-Instance >> >> | >> >> -- >> Other-Instances >> >> I tried setting up a dedicated router/firewall but couldn't make to work, >> it looks something like : >> >> Internet ---- public-network ---- OpenStack-Router ---- >> Private-OpenStack-Network ---- Dedicated-Router (A VM) ---- >> Private-OpenStack-Network-2 ---- Other-Instances >> >> >> For some reason the above configuration fails to deliver the packets to >> the 'Other-Instances', the 'Other-instances' use the Dedicated-Router as >> their gateway. Another drawback is the cloud-init of the 'Other-Instances'. >> >> So I decided to try my luck with the first configuration, but it didn't >> work also. Maybe my iptables for the NAT-Instance were wrong. I'll try >> yours tomorrow ! >> >> Thanks a lot, >> >> Best Regards, >> >> >> >> 2013/12/19 Martinx - ジェームズ <[email protected]> >> >>> Abbass, >>> >>> The only way I figured out to do this, is by creating a "NAT Instance", >>> with a Floating IP attached to it and, the "magic" happens here: >>> >>> Contents of my /etc/network/nat-rules.save >>> >>> --- >>> # Generated by iptables-save v1.4.12 on Fri Oct 18 02:41:35 2013 >>> *filter >>> :INPUT ACCEPT [0:0] >>> :FORWARD ACCEPT [0:0] >>> :OUTPUT ACCEPT [0:0] >>> COMMIT >>> # Completed on Fri Oct 18 02:41:35 2013 >>> # Generated by iptables-save v1.4.12 on Fri Oct 18 02:41:35 2013 >>> *nat >>> :PREROUTING ACCEPT [0:0] >>> :INPUT ACCEPT [0:0] >>> :OUTPUT ACCEPT [0:0] >>> :POSTROUTING ACCEPT [0:0] >>> -A PREROUTING -d 192.168.50.2/32 -p tcp -m tcp --dport 80 -j DNAT >>> --to-destination 192.168.50.11 >>> -A PREROUTING -d 192.168.50.2/32 -p tcp -m tcp --dport 443 -j DNAT >>> --to-destination 192.168.50.11 >>> -A PREROUTING -d 192.168.50.2/32 -p tcp -m tcp --dport 25 -j DNAT >>> --to-destination 192.168.50.20 >>> -A POSTROUTING ! -d 192.168.50.2/32 -j SNAT --to-source 192.168.50.2 >>> COMMIT >>> # Completed on Fri Oct 18 02:41:35 2013 >>> --- >>> >>> Where: >>> >>> 1- The IP 192.168.50.2 is the "Nat Instance" itself, with a "public and >>> valid Floating IP" attached to it; >>> >>> 2- The IP 192.168.50.11 is a Web Server, that the Internet needs to >>> access; >>> >>> 3- The IP 192.168.50.20 is a Mail MX Server, so, the tenant can receive >>> e-mails; >>> >>> 4- The latest line is the creepiest, it is required because the NAT >>> Instance, is not the default gateway of the tenant network, so, you'll >>> require to "MASQ" both source and destination address. >>> >>> >>> This topology is "famous" even when using Amazon EC2 with private VPC, >>> for example. But, honestly, I think it is terrible, mostly because of IPv4. >>> This brings lots of problems, for example: >>> >>> * web server logs will register only the "NAT" Instance internal IP; >>> >>> * if you have a e-mail server instance, you'll need to figure out by >>> yourself, the qrouter- public IP, to register it as an allowed IP (SPF) to >>> send e-mails as your domain + plus register the "Reverse DNS" of the router >>> Floating IP, as your e-mail (horrible).... >>> >>> * And problems go on... >>> >>> >>> BTW, with IPv6 all those things will be left in the past, since NAT is a >>> workaround of IPv4 networks and there is no NAT for IPv6 (when with Ubuntu >>> 12.04). So, when with IPv6, there will be no "NAT Instance" or NAT rules to >>> mange at the router (far much simpler and beauty) and your network will >>> ALWAYS work as expected, we just need to wait a few months to join the >>> future without any NAT! >>> >>> Regards, >>> Thiago >>> >>> >>> >>> On 19 December 2013 14:35, Abbass MAROUNI < >>> [email protected]> wrote: >>> >>>> Could you please elaborate about your temporary solution ? >>>> I couldn't get a VM to act as a router that will do the port forwarding >>>> for other VMs in a private network. For some reason the VM cannot act as a >>>> router. >>>> Is it due to neutron networking ? >>>> >>>> Best regards, >>>> >>>> >>>> >>>> 2013/12/19 Martinx - ジェームズ <[email protected]> >>>> >>>>> I'm wondering about this too... I think that would be very nice to >>>>> give the FWaaS, the ability to manage the NAT table of tenant router. >>>>> >>>>> This way, there is no need for a "NAT Instance" with a second Floating >>>>> IP attached to it plus creepy NAT rules there (far away from the tenant >>>>> router). >>>>> >>>>> Also, the IPv4 tenant router already have "by nature", 1 Floating IP >>>>> for it, so, because there is no way to configure the NAT rules of the >>>>> qrouter, we need to give at least 2 public IPs (one for the router itself, >>>>> another for the "NAT Instance") for each tenant, with in IPv4 world, is a >>>>> waste. >>>>> >>>>> Please Stackers! FWaaS needs to be able to handle NAT rules (I >>>>> think)... ;-) >>>>> >>>>> Cheers! >>>>> Thiago >>>>> >>>>> >>>>> On 19 December 2013 12:23, Abbass MAROUNI < >>>>> [email protected]> wrote: >>>>> >>>>>> Hello, >>>>>> >>>>>> Why is it not possible to do port forwarding with neutron L3 ? >>>>>> Any alternative to manually adding to iptables of each virtual router >>>>>> ? >>>>>> >>>>>> Best regards, >>>>>> >>>>>> _______________________________________________ >>>>>> Mailing list: >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>>>> Post to : [email protected] >>>>>> Unsubscribe : >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>>>> >>>>>> >>>>> >>>> >>> >> >
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
