Public bug reported:

I am trying to achieve the following scenario:

I have a VM attached to a router w/o external gateway (called project-router) but with a default route which sends all the traffic to another router (transit router) which has an external gateway with snat enabled and it is connected to a transit network 192.168.100.0/24.

My VM is on 172.16.100.0/24, traffic hits the project-router thanks to the default route gets redirected to the transit-router correctly, here it gets into the external gateway but w/o being snat.

This is because in ovn I see that SNAT on this router is only enabled for logical ip in 192.168.100.0/24 which is the subnet directly connected to the router

  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE    EXTERNAL_IP      EXTERNAL_PORT    LOGICAL_IP          EXTERNAL_MAC    LOGICAL_PORT
  snat    147.22.16.207                     192.168.100.0/24

But I would like that this router snat all the traffic that hits it, even when coming from a subnet not directly connected to it.

I can achieve this by setting in ovn the snat for 0.0.0.0/0

  # ovn-nbctl lr-nat-add neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8 snat 147.22.16.207 0.0.0.0/0

  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE    EXTERNAL_IP      EXTERNAL_PORT    LOGICAL_IP          EXTERNAL_MAC    LOGICAL_PORT
  snat    147.22.16.207                     0.0.0.0/0
  snat    147.22.16.207                     192.168.100.0/24

But this workaround can be wiped if I run the neutron-ovn-db-sync-util on any of the neutron-api units.

Is there a way to achieve this via OpenStack? If not, does it make sense to have this as a new feature?

** Affects: neutron Importance: Undecided Status: New ** Affects: neutron (Ubuntu) Importance: Undecided Status: New ** Description changed: I am trying to achieve the following scenario: I have a VM attached to a router w/o external gateway (called project- router) but with a default route which send all the traffic to another router (transit router) which has an external gateway with snat enabled and it is connected to a transit network 192.168.100.0/24 My VM is on 172.16.100.0/24, traffic hits the project-router thanks to the default route gets redirected to the transit-router correctly, here it gets into the external gateway but w/o being snat. - This is because in ovn since in ovn I see that in SNAT on that router is - only enabled for logical ip in 192.168.100.0/24 which is the subnet - directly connected to the router + This is because in ovn I see that SNAT on this router is only enabled + for logical ip in 192.168.100.0/24 which is the subnet directly + connected to the router # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8 TYPE EXTERNAL_IP EXTERNAL_PORT LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT snat 147.22.16.207 192.168.100.0/24 But I would like that this router snat all the traffic that hits it, even when coming from a subnet not directly connected to it. I can achieve this by setting in ovn the snat for 0.0.0.0/0 # ovn-nbctl lr-nat-add neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8 snat 147.22.16.207 0.0.0.0/0 # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8 TYPE EXTERNAL_IP EXTERNAL_PORT LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT snat 147.22.16.207 0.0.0.0/0 snat 147.22.16.207 192.168.100.0/24 - - But this workaround can be wiped if I run the neutron-ovn-db-sync-util on any of the neutron-api unit. + But this workaround can be wiped if I run the neutron-ovn-db-sync-util + on any of the neutron-api unit. Is there a way to achieve this via OpenStack? If not does it make sense to have this as a new feature? 
** Summary changed: - [OVN] SNAT only happens for subnets directly connected to the router + [OVN] SNAT only happens for subnets directly connected to a router

** Also affects: neutron
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2051935

Title: [OVN] SNAT only happens for subnets directly connected to a router

Status in neutron: New
Status in neutron package in Ubuntu: New
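
Added example (not part of the bug report, and not neutron or OVN code): a Python check that parses `ovn-nbctl lr-nat-list` output and reports which source subnets no SNAT rule covers, for instance after a `neutron-ovn-db-sync-util` run to see whether the manual 0.0.0.0/0 rule is gone. The sample rows are the ones from the report with column spacing reconstructed; the function names are hypothetical.

```python
import ipaddress

# Rows taken from the bug report; column spacing is reconstructed.
BEFORE = """\
TYPE    EXTERNAL_IP      EXTERNAL_PORT    LOGICAL_IP          EXTERNAL_MAC    LOGICAL_PORT
snat    147.22.16.207                     192.168.100.0/24
"""
AFTER = BEFORE + "snat    147.22.16.207                     0.0.0.0/0\n"

NAT_TYPES = ("snat", "dnat", "dnat_and_snat")


def _net(token):
    """Parse an address or CIDR token, or return None if it is neither."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def parse_nat_list(text):
    """Return (type, external_ip, logical_net) for each NAT rule row."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] not in NAT_TYPES:
            continue  # header, blank or unrecognised line
        # EXTERNAL_PORT is usually empty, so LOGICAL_IP is the first token
        # after EXTERNAL_IP that parses as an address or CIDR.
        nets = (_net(t) for t in tok[2:])
        logical = next((n for n in nets if n is not None), None)
        if logical is not None:
            rules.append((tok[0], tok[1], logical))
    return rules


def unnatted_sources(text, sources):
    """Source CIDRs that are not inside the LOGICAL_IP of any SNAT rule."""
    nets = [n for kind, _, n in parse_nat_list(text) if kind != "dnat"]
    missing = []
    for src in map(ipaddress.ip_network, sources):
        if not any(src.version == n.version and src.subnet_of(n) for n in nets):
            missing.append(str(src))
    return missing


if __name__ == "__main__":
    tenants = ["172.16.100.0/24", "192.168.100.0/24"]
    print("before workaround:", unnatted_sources(BEFORE, tenants))
    print("after workaround: ", unnatted_sources(AFTER, tenants))
```
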