Hello all,

On Tuesday 19/01/2016, Kevin Bringard (kevinbri) wrote:
> To expand on Joseph's explanation: when SNAT is enabled, an IP is pulled
> from the floating pool and assigned as a "default SNAT" for the router when
> its gateway is set. Similar to how your home router has a single external
> IP and all your internal devices SNAT out from that IP, all VMs on that
> network will have external access which originates from that IP address.

I have disabled snat but my router still gets a public IP:

# neutron router-gateway-clear tenant-router
Removed gateway from router tenant-router

# neutron router-gateway-set --disable-snat tenant-router public
Set gateway for router tenant-router

# neutron router-show tenant-router
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                                        |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                                                                                                         |
| distributed           | True                                                                                                                                                                                         |
| external_gateway_info | {"network_id": "22531842-aa93-49f1-a2f6-5180164fdf3e", "enable_snat": false, "external_fixed_ips": [{"subnet_id": "d6ad786c-69f1-479a-a455-fd1741a8faa2", "ip_address": "138.XXX.XXX.XXX"}]} |
| ha                    | False                                                                                                                                                                                        |
| id                    | ee344029-6f62-491b-bff7-cfd8a88d2bc7                                                                                                                                                         |
| name                  | tenant-router                                                                                                                                                                                |
| routes                |                                                                                                                                                                                              |
| status                | ACTIVE                                                                                                                                                                                       |
| tenant_id             | 29ddecf0820348a1b1ae0e06d9ba52bb                                                                                                                                                             |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

> As Joseph pointed out, if you have this option disabled, unless you
> explicitly assign a floating IP address to a VM (which sets up a 1:1
> DNAT/SNAT for the internal/floating IP) VMs won't be able to access the
> outside world because there will be no default SNAT rule mapping them to an
> externally routable IP address.

My VM on that router has no internet connection until I add a floating IP to
it, so the snat part is working nicely but I'm still wasting a public IP per
tenant/project.

My setup:

2 controllers
2 network nodes
1 compute node

All of them CentOS 7 with Liberty from CentOS Cloud SIG, neutron configured
with DVR:

# rpm -qa | sort | grep neutron
openstack-neutron-7.0.0-2.el7.noarch
openstack-neutron-common-7.0.0-2.el7.noarch
openstack-neutron-ml2-7.0.0-2.el7.noarch
python-neutron-7.0.0-2.el7.noarch
python-neutronclient-3.1.0-1.el7.noarch

My questions:

Any hints regarding not assigning a public IP to the router gateway?

Should I create a separate network for the routers as suggested elsewhere in
this thread? If so, disabling snat would be pointless, right?

Thanks in advance,
-- 
Ricardo J. Barberis
Linux User No. 250625: http://counter.li.org/
LFS User No. 5121: http://www.linuxfromscratch.org/
Senior SysAdmin / IT Architect - www.DonWeb.com

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators