Thanks everybody,

Vish, I think you've got it, but here are some more details about the setup 
just to be sure we're on the same level:

my private network is defined as 172.0.0.0/21
my floating network is defined as 10.129.44.0/22
physical cloud machines (10.129.40.0/24)
outside of the cloud, all machines are in the 10 range (10.140.x.x for example)

Again the problem is that when I ping FROM 10.140.32.235 (outside the cloud) TO 
10.129.44.6 (a VM INSIDE the cloud), tcpdump on the VM will show the source 
address as 10.129.40.12 (nova-network controller) and NOT 10.140.32.235 (the 
real pinger).

I'm not setting up fixed_range and floating_range because I always thought they 
were just unneeded duplicate config flags for the network config I do with 
nova-manage (network create and floating create). Obviously they are set up on 
their own at runtime, and here are the values taken from the logfiles:

fixed_range = 10.0.0.0/8
floating_range = 4.4.4.0/24

So, Vish's theory makes sense: since my external machine (10.140.32.235) is 
included in the filter for SNAT, the packet is modified and nova-network's IP 
is set as the source...

Vish, should I set fixed_range to 10.129.44.0/22 (this is my floating range) so 
that this SNATting takes place only when the communication is 100% intra-VMs?

I'm just confused because it's called fixed_range and I'm setting it to a 
floating range...

Please advise, thank you

Boris


From: Vishvananda Ishaya [mailto:vishvana...@gmail.com]
Sent: 18 July 2012 12:04
To: Boris-Michel Deschenes
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] SNAT question

Hi Boris,

There must be something misconfigured in your setup. Nova network shouldn't be 
SNATing for other VMs. Are your machines outside the cloud also in the 10/8 
range? If so, you should change the setting for fixed_range to something smaller 
so it doesn't SNAT for your other machines. For example, in your conf file, you 
could use:

fixed_range = 10.0.0.0/16

and then make sure that your external machines are in the 10.1.0.0/16 range so 
they don't conflict.

Vish

On Jul 18, 2012, at 8:25 AM, Boris-Michel Deschenes wrote:


Hi guys,

I have a question regarding NAT in OpenStack.

I have an OpenStack cloud (FlatDHCP, multi_host=false) with one nova-network 
node doing the NATing.

I have noticed that when I ping an external machine from within a VM, on the 
receiving end I see the IP of the VM (so the outgoing SNAT works properly).
I have also noticed that when I ping a VM inside the cloud from a machine 
outside, the VM sees the external IP of the nova-network node as the source of 
the ping and not the real IP of the "pinger"...  (this is the problem for me).

I looked at the nova-network machine's iptables and I see this:

-A nova-network-snat -s 10.0.0.0/8 -j SNAT --to-source 10.129.40.12

So it's basically setting the nova-network node as the source IP for all 
incoming traffic. In my situation, this prevents an application running inside 
the cloud from properly identifying the server located outside: currently, the 
only peer it sees is the nova-network node and not the IP of the server 
(located outside the cloud), so my application tries to connect to nova-network 
instead of the server that initiated the connection.

Would it be possible to have SNAT work in a way where, when connecting to a VM 
from outside the cloud, the VM sees the source IP as the real source IP and not 
the nova-network controller's IP?

Thank you very much

Boris
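The following is an added example, not code from this thread or from Nova itself. It models the one iptables rule quoted above (`-A nova-network-snat -s <fixed_range> -j SNAT --to-source 10.129.40.12`) and checks the two fixed_range values discussed (10.0.0.0/8 as found in the logs, 10.0.0.0/16 as Vish suggests) against the address ranges Boris lists, reporting which ranges would have their source address rewritten on the way to a VM. The function names are mine; the "outside the cloud" range 10.140.0.0/16 is constructed from the "10.140.x.x" description and is an assumption.

```python
"""Added example (not from the thread or from Nova): which source addresses
does the quoted nova-network SNAT rule rewrite, for a given fixed_range?
Standard library only."""
import ipaddress

# Values taken from the thread.
NOVA_NETWORK_IP = "10.129.40.12"   # --to-source of the SNAT rule
EXTERNAL_PINGER = "10.140.32.235"  # machine outside the cloud doing the ping

# Address ranges as Boris describes them; the last one is constructed
# from "10.140.x.x" and is an assumption, not a value from the thread.
RANGES = {
    "private (fixed) network": "172.0.0.0/21",
    "floating network": "10.129.44.0/22",
    "physical cloud machines": "10.129.40.0/24",
    "outside the cloud (constructed)": "10.140.0.0/16",
}


def snat_rule(fixed_range: str, to_source: str = NOVA_NETWORK_IP) -> str:
    """Render the rule in the form shown in the thread for a given fixed_range."""
    net = ipaddress.ip_network(fixed_range, strict=False)
    return f"-A nova-network-snat -s {net} -j SNAT --to-source {to_source}"


def snat_applies(src_ip: str, fixed_range: str) -> bool:
    """True if a packet with this source address matches the '-s fixed_range'
    filter, i.e. its source would be rewritten to the nova-network node's IP."""
    net = ipaddress.ip_network(fixed_range, strict=False)
    return ipaddress.ip_address(src_ip) in net


def ranges_caught(fixed_range: str, ranges=RANGES) -> dict:
    """For each named range, report whether any part of it overlaps fixed_range.
    An overlapping range contains hosts whose source address the rule rewrites."""
    fixed = ipaddress.ip_network(fixed_range, strict=False)
    return {
        name: fixed.overlaps(ipaddress.ip_network(cidr, strict=False))
        for name, cidr in ranges.items()
    }


if __name__ == "__main__":
    for candidate in ("10.0.0.0/8", "10.0.0.0/16"):
        print(snat_rule(candidate))
        print(f"  external pinger {EXTERNAL_PINGER} rewritten: "
              f"{snat_applies(EXTERNAL_PINGER, candidate)}")
        for name, caught in ranges_caught(candidate).items():
            print(f"  {name:<32} overlaps fixed_range: {caught}")
```

Run with no arguments; the /8 candidate reports the external pinger and the 10.140.0.0/16 range as caught by the rule, while the /16 candidate catches none of the listed ranges. The same check can be rerun with any other fixed_range value before putting it in nova.conf.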
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp