As a slightly different approach, would it be easier to allow us to delete the 'public' shared network connected to the VPC VR and therefore allow us to set the default route to a private gateway instead then? This would solve my problem whilst leaving the current default 'public' connectivity alone. I think that the concept of a 'public' network being defined as both the destination for the default route as well as being a publicly routable IP network (hence needing NAT) needs more flexibility. Both are not necessarily the case.
I'm pretty sure this is not possible now (please tell me if I'm wrong) but I'm trying to formulate a better thought out feature request for Jira. We want to use the Cloudstack VPC concept to allow customers to create whatever tiers they want to but for all of their WAN traffic to go via a hardware gateway that performs a much richer set of features than can be expected from a software VR (AV, IDS/IDP, Authentication, IPSec & SSL VPNs, MPLS connections etc). This hardware gateway would be controlled independently from ACS. The current workaround is for us to abandon the VPC construct and create a bunch of shared networks assigned to the customer, create all of the VLAN interfaces manually on the hardware gateway, and to route between each network on the hardware gateway. The downside to this approach is that a system VR is needed for every shared network created and we have to do far more manual work on the hardware gateway on behalf of the customer. Basically waaaaay more complicated than it needs to be simply because we can't turn off NAT on the VPC VR (or set the default route for the VR to a private gateway). I'm simply trying to emulate the way that 95% of simple corporate networks are structured (L3 core routing between VLANs with a transit network connected to their firewalls) but it seems that I'm being forced into working with concepts from home networks. There also does not seem to be a way to use route summarisation in the VPC VR. If the tiers use a CIDR of 10.5.12.0/24, I should still be able to add a summarised static route to a private gateway using a destination of 10.0.0.0/8. The CloudStack 'intelligence' blocks me from doing this as it thinks it knows networking better than I do. Currently if there are multiple subnets connected via a private gateway, I have to either add in every single one manually or else make multiple summarised subnets with various masks just to avoid the VPC CIDR. Does anyone have any insight (Wilder, Daan?) into how the VPC VRs currently work so that we could potentially focus on either: 1. Allowing source NAT to be turned off from the public network connection to the VPC VR or 2. Allowing the public connection to be deleted so that we can set the default route to a private gateway (without source nat)? As I mentioned in my original post, when working on IPv6, NAT should not be used anyway so this issue is likely to come up again regardless of whether anyone thinks my use case is worth investigation. Thanks in advance, Adrian -----Original Message----- From: Sanjeev Neelarapu [mailto:[email protected]] Sent: 13 February 2015 06:12 To: [email protected] Subject: RE: VPC Router without NAT (IPv4 or IPv6) As of now there is no way to disable NAT on VPC router. -Sanjeev -----Original Message----- From: Adrian Lewis [mailto:[email protected]] Sent: Thursday, February 12, 2015 4:58 PM To: [email protected] Subject: VPC Router without NAT (IPv4 or IPv6) Hi, It’s been asked before but does anyone know of a way to completely disable NAT (specifically source NAT) on a VPC router on 4.4 or 4.5? There doesn’t sem to be an easy way to do this via the web interface. I’d like to use the VPC router for multi-subnet L3 routing but the ‘public’ network would be a transit network to a hardware firewall which does NAT for internet access. With IPv6 NAT is generally considered as a no-no so I was wondering if anyone knows if there are plans to let users be more in control of the pre-defined networking scenarios that CS seems to try to enforce. Perhaps a suggestion for GSOC? Cheers, Adrian
