openstack team mailing list archive
Message #15321
Re:  Inbound connectivity and FlatDHCP networking
  
On Aug 1, 2012, at 9:35 AM, Lars Kellogg-Stedman <lars@xxxxxxxxxxxxxxxx> wrote:
> 
> For outbound access, it's not clear why the flat_network_bridge needs
> to be connected to an actual physical interface...since everything
> goes out public_interface, I'm not sure what flat_interface is for.
Traffic from vm to vm on different hosts should be able to go across flat_interface.
> 
> It's also not clear how inbound access is supposed to work.  Guest
> interfaces get addresses, but due to the NAT rule these are mostly
> inaccessible to external systems.  The guests are on a locally
> routeable 10.x.x.x network, but the routing established by OpenStack
> means that any inbound connections from outside the network will
> result in replies going out via the SNAT rule, which means connections
> are never established.
Getting inbound connectivity over fixed_ips can be tricky. It looks like you want to set up a specific range from vms that is not snatted. There is a config option for this called dmz_cidr. Anything in the dmz_cidr range will not be snatted.
For example, if your vms are on:
10.0.0.0/16
and your internal network hosts are on:
10.1.0.0/16
the following config options would work:
fixed_range=10.0.0.0/16
dmz_cidr=10.1.0.0/16
You will have to restart the nova-network workers after making the change. Note that security groups will block outside access as well, so you will have to allow ports like you do for floating ips.
FYI, an alternative plan that some organizations use is to put floating ips on the internal network and get in that way.
Vish
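The following model of the SNAT decision is an added illustration and is not code from nova or from the message above. It assumes the behaviour the reply describes: guest traffic leaving fixed_range is SNATed unless the destination lies in dmz_cidr (vm-to-vm traffic inside fixed_range is assumed to stay un-NATed as well), and the iptables-style strings it renders are only meant to show the shape such rules take, not nova-network's exact output. The routing_source_ip value is a constructed placeholder.

```python
"""Model of how nova-network's dmz_cidr setting changes the SNAT decision.

Added example, not nova code. Assumptions: traffic sourced from fixed_range
is SNATed on the way out unless its destination is inside fixed_range or
inside one of the dmz_cidr ranges; dmz_cidr may carry several comma-separated
ranges (the config in the message uses one).
"""
import ipaddress


def parse_ranges(value):
    """Turn 'a/16,b/24' into a list of ip_network objects (empty string -> [])."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


class NatPolicy:
    def __init__(self, fixed_range, dmz_cidr="", routing_source_ip="192.0.2.1"):
        self.fixed = ipaddress.ip_network(fixed_range, strict=False)
        self.dmz = parse_ranges(dmz_cidr)
        self.snat_ip = routing_source_ip  # constructed placeholder address

    def is_snatted(self, src, dst):
        """True if a packet src -> dst would have its source rewritten.

        This is the check that decides whether an inbound connection from an
        internal host can be answered symmetrically: if the vm's reply toward
        that host is SNATed, the host sees a different peer address and the
        connection never completes, which is the problem the message raises.
        """
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.fixed:
            return False  # not guest traffic, the SNAT rule does not match
        if dst in self.fixed:
            return False  # vm to vm stays inside fixed_range
        return not any(dst in rng for rng in self.dmz)  # dmz exempt

    def postrouting_rules(self):
        """Illustrative rule ordering: exemptions first, then the catch-all SNAT."""
        rules = ["-A nova-network-POSTROUTING -s %s -d %s -j ACCEPT"
                 % (self.fixed, rng) for rng in self.dmz]
        rules.append("-A nova-network-POSTROUTING -s %s -j SNAT --to-source %s"
                     % (self.fixed, self.snat_ip))
        return rules

    def check_config(self):
        """Sanity checks a defender would want before restarting nova-network."""
        warnings = []
        for rng in self.dmz:
            if rng.prefixlen == 0:
                warnings.append("dmz_cidr %s exempts every destination: SNAT is "
                                "effectively disabled" % rng)
            elif rng.overlaps(self.fixed):
                warnings.append("dmz_cidr %s overlaps fixed_range %s: vm-to-vm "
                                "traffic is already un-NATed" % (rng, self.fixed))
        return warnings


if __name__ == "__main__":
    # The exact values from the message: vms on 10.0.0.0/16, hosts on 10.1.0.0/16.
    policy = NatPolicy("10.0.0.0/16", "10.1.0.0/16")
    for src, dst in [("10.0.1.5", "10.1.2.3"), ("10.0.1.5", "10.2.0.1"),
                     ("10.0.1.5", "10.0.9.9")]:
        print("%s -> %s: snatted=%s" % (src, dst, policy.is_snatted(src, dst)))
    print("\n".join(policy.postrouting_rules()))
    print(policy.check_config() or "config looks sane")
```

With the message's values, a vm reply to 10.1.2.3 is left alone while the same vm talking to 10.2.0.1 is still SNATed; an overly wide dmz_cidr such as 0.0.0.0/0 is reported by check_config because it silently removes SNAT for all guest traffic. Security groups are outside this model and still have to admit the inbound ports, as the reply notes.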