← Back to team overview

openstack team mailing list archive

Re: [Open stack-operators] nova-network NAT question

 

Hi:

I don´t want to use NAT in order to keep track of connectivity, I want to be clear about  the source IP of every connection in my environment.

Igor, sorry if I didn´t explain well my point, sorry ☹

I´m gonna try to explain it again.

This is part of the output of the command ip addr in one of my nodes (remember that nodes are physical servers that have installed nova-compute, nova-network and nova-api):

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000

4: vlan2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.2.2/24 brd 192.168.2.255 scope global vlan2

7: vlan10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br10 state UP

8: br10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.10.6/24 brd 192.168.10.255 scope global br10

26: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br10 state UNKNOWN qlen 500

Facts:

-         vnet1 is the representation of the vNIC of the virtual machine (there is only one virtual machine).

-         The virtual machine has IP 192.168.10.8 (this IP was assigned automatically by nova-network when I created the virtual machine).

-         The virtual machine belongs to vlan10 (192.168.10.0/24).

-         The gateway of the virtual machine is 192.168.10.6 (IP of br10). It was assigned automatically by nova-network when I created the virtual machine.

-         eth1 has configured vlan2@eth1(manually by me)  and its IP is 192.168.2.2, this vlan do not belong to the OpenStack cloud environment, this vlan is foreign to OpenStack

-         ip_forward is set to 1 in the node


What happens when I make ping to IP 192.168.100.34 from my virtual machine?

-         My virtual machine has IP 192.168.10.8, so the gateway is required to get 192.168.100.34

-         The gateway of the virtual machine is 192.168.10.6 (br10)

-         Packets go from virtual machine to 192.168.10.6 (br10). This interface is in eth1.

-         Physical server (node) gets the packets from br10 and try to resend them (ip_forward = 1). For this purpose, it uses its own default gateway.

-         The default gateway defined in the node is accessed by vlan2@eth1

-         So, the way to get 192.168.2.34 is:  virtual machine  -> br10 (192.168.10.8, gateway of virtual machine) -> vlan2@eth1 -> default gateway of the node

-         To get back is required that external routers have configured correctly.

Regards….


[Descripción: Descripción: C:\Users\ssac\Documents\Firma Digital\linea.gif]

[Descripción: Descripción: C:\Users\ssac\Documents\Firma Digital\logo_gmv.gif]

Sergio Ariel de la Campa Saiz
Ingeniero de Infraestructuras /
Infrastucture Engineer /

GMV
Isaac Newton, 11
P.T.M. Tres Cantos
E-28760 Madrid
Tel. +34 91 807 21 00
Fax +34 91 807 21 99
www.gmv.com <http://www.innovation2011.es/index.php?id=86>
[Descripción: Descripción: C:\Users\ssac\Documents\Firma Digital\icon_blog.gif]<http://www.gmv.com/b2_gmv>



[Descripción: Descripción: C:\Users\ssac\Documents\Firma Digital\icon_facebook.gif]<http://www.facebook.com/infoGMV>



[Descripción: Descripción: C:\Users\ssac\Documents\Firma Digital\icon_twitter.gif]<http://www.twitter.com/infoGMV_es>



[Descripción: Descripción: C:\Users\ssac\Documents\Firma Digital\icon_youtube.gif]<http://www.youtube.com/infoGMV>


<http://www.innovation2011.es/index.php?id=86>




De: Andabas [mailto:andi.abes@xxxxxxxxx]<mailto:[mailto:andi.abes@xxxxxxxxx]>
Enviado el: sábado, 01 de septiembre de 2012 0:09
Para: Igor Laskovy
CC: Sergio Ariel de la Campa Saiz; openstack-operators@xxxxxxxxxxxxxxxxxxx<mailto:openstack-operators@xxxxxxxxxxxxxxxxxxx>; openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>
Asunto: Re: [Openstack-operators] nova-network NAT question

Nova assumes that the cloud operator will want to separate the VMs from the physical infrastructure.... So the address range on the physical nodes and VM are 'Foreign' to each other. For VMs to be able to communicate with the outside world in this environment, snat is required.
There's no real way in Essex to disable that.

Why do you want to avoid NAT?

On Aug 31, 2012, at 2:37, Igor Laskovy <igor.laskovy@xxxxxxxxx<mailto:igor.laskovy@xxxxxxxxx>> wrote:

Hey.

Well, what the type of network manager used?
For example with FlatManager virtual nic can only put in the according bridge on the node and that's it. Anything you should do manually.

Igor Laskovy
facebook.com/igor.laskovy<http://facebook.com/igor.laskovy>
Kiev, Ukraine
On Aug 30, 2012 2:24 PM, "Sergio Ariel de la Campa Saiz" <sacampa@xxxxxxx<mailto:sacampa@xxxxxxx>> wrote:
Hi:

I have a doubt about nova-network and NAT:
UVirtual machines (that only have privates IPs and no floating IP) always use NAT to communicate with machines out of OpenStack cloud?

Regards…

<image008.png>

<image003.gif>

Sergio Ariel de la Campa Saiz
Ingeniero de Infraestructuras /
Infrastucture Engineer /

GMV
Isaac Newton, 11
P.T.M. Tres Cantos
E-28760 Madrid
Tel. +34 91 807 21 00<tel:%2B34%2091%20807%2021%2000>
Fax +34 91 807 21 99<tel:%2B34%2091%20807%2021%2099>
www.gmv.com <http://www.innovation2011.es/index.php?id=86>
<image004.gif><http://www.gmv.com/b2_gmv>



<image005.gif><http://www.facebook.com/infoGMV>



<image006.gif><http://www.twitter.com/infoGMV_es>



<image007.gif><http://www.youtube.com/infoGMV>


<http://www.innovation2011.es/index.php?id=86>





P Please consider the environment before printing this e-mail.
________________________________
This message including any attachments may contain confidential information, according to our Information Security Management System, and intended solely for a specific individual to whom they are addressed. Any unauthorised copy, disclosure or distribution of this message is strictly forbidden. If you have received this transmission in error, please notify the sender immediately and delete it.
________________________________
Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información clasificada por su emisor como confidencial en el marco de su Sistema de Gestión de Seguridad de la Información siendo para uso exclusivo del destinatario, quedando prohibida su divulgación copia o distribución a terceros sin la autorización expresa del remitente. Si Vd. ha recibido este mensaje erróneamente, se ruega lo notifique al remitente y proceda a su borrado. Gracias por su colaboración.
________________________________
Esta mensagem, incluindo qualquer ficheiro anexo, pode conter informação confidencial, de acordo com nosso Sistema de Gestão de Segurança da Informação, sendo para uso exclusivo do destinatário e estando proibida a sua divulgação, cópia ou distribuição a terceiros sem autorização expressa do remetente da mesma. Se recebeu esta mensagem por engano, por favor avise de imediato o remetente e apague-a. Obrigado pela sua colaboração.
________________________________

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@xxxxxxxxxxxxxxxxxxx<mailto:OpenStack-operators@xxxxxxxxxxxxxxxxxxx>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@xxxxxxxxxxxxxxxxxxx<mailto:OpenStack-operators@xxxxxxxxxxxxxxxxxxx>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

P Please consider the environment before printing this e-mail.

______________________
This message including any attachments may contain confidential 
information, according to our Information Security Management System,
 and intended solely for a specific individual to whom they are addressed.
 Any unauthorised copy, disclosure or distribution of this message
 is strictly forbidden. If you have received this transmission in error,
 please notify the sender immediately and delete it.

______________________
Este mensaje, y en su caso, cualquier fichero anexo al mismo,
 puede contener informacion clasificada por su emisor como confidencial
 en el marco de su Sistema de Gestion de Seguridad de la 
Informacion siendo para uso exclusivo del destinatario, quedando 
prohibida su divulgacion copia o distribucion a terceros sin la 
autorizacion expresa del remitente. Si Vd. ha recibido este mensaje 
 erroneamente, se ruega lo notifique al remitente y proceda a su borrado. 
Gracias por su colaboracion.

______________________

GIF image

GIF image

GIF image

GIF image

GIF image

PNG image


Follow ups