openstack team mailing list archive

Re: [Quantum] Anybody implemented DMZ?


In my reply I suggested that you create two quantum routers, which I believe
should solve this for you.


# Two external networks, each with its own public IP pool
quantum net-create DMZ-net --external=True
quantum subnet-create --name DMZ-Subnet1 DMZ-net <dmz_cidr>           # Public ip pool
quantum net-create non-DMZ --external=True
quantum subnet-create --name nonDMZ-Subnet1 non-DMZ <non_dmz_cidr>    # Public ip pool

# One router per zone, so the network node itself never forwards DMZ <-> non-DMZ traffic
quantum router-create DMZ-router
quantum router-create non-DMZ-router
quantum router-interface-add DMZ-router DMZ-Subnet1
quantum router-interface-add non-DMZ-router nonDMZ-Subnet1

# Each router's gateway (default route) points at its own external network
quantum router-gateway-set DMZ-router DMZ-net
quantum router-gateway-set non-DMZ-router non-DMZ


On Thu, Apr 4, 2013 at 10:51 AM, David Kang <dkang@xxxxxxx> wrote:

>
>
>  Hi Aron,
>
>  Thank you for your reply.
>
>  We deploy one (quantum) subnet as a DMZ network and the other (quantum)
> subnet as a non-DMZ network.
> They are routed to the network node where quantum services (dhcp, l3,
> linuxbridge) are running.
> They can talk to each other through the network node now.
>
>  However, we do not want the network node to route the traffic between
> them directly.
> Instead we want them to be routed to different (external) routers such that
> we can apply filtering/firewall/etc. on the traffic from the DMZ network.
>
>  Do you think it is possible using two l3-agents or any other way?
> Currently, I manually set up routing for those two subnets.
>
>  Thanks,
>  David
>
> ----- Original Message -----
> > Hi David,
> >
> >
> > The quantum network node would route traffic between the non-DMZ and DMZ
> > networks if both of those subnets are uplinked to the same quantum
> > router. I believe if you create another router for your DMZ hosts then
> > traffic in/out of that network should route out to your physical
> > infrastructure, which will go through your router to do filtering.
> >
> >
> > Thanks,
> >
> >
> > Aaron
> >
> >
> >
> > On Wed, Apr 3, 2013 at 8:26 AM, David Kang < dkang@xxxxxxx > wrote:
> >
> >
> >
> > Hi,
> >
> > We are trying to set up a Quantum network for non-DMZ and DMZ networks.
> > The cloud has both non-DMZ networks and a DMZ network.
> > We need to route traffic from the DMZ network to a specific router before
> > it reaches anywhere else in the non-DMZ networks.
> > However, the Quantum Network Node routes the traffic between the DMZ network
> > and the non-DMZ network within itself by default.
> > Has anybody configured Quantum for this case?
> > Any help will be appreciated.
> > We are using the Quantum linuxbridge-agent.
> >
> > Thanks,
> > David
> >
> > --
> > ----------------------
> > Dr. Dong-In "David" Kang
> > Computer Scientist
> > USC/ISI
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp
>
> --
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI
>
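Added example, not part of the thread: a small Python check over a router-interface listing that flags any quantum router whose interfaces span both zones, which is exactly the case where the network node would forward DMZ <-> non-DMZ traffic itself instead of handing it to the external filtering routers. The (router, subnet) tuples and the name-prefix zone classification are constructed assumptions, not output of the quantum CLI.

```python
"""Verify that DMZ and non-DMZ subnets never share a quantum router."""
from collections import defaultdict

# Constructed sample data (hypothetical): what `quantum router-interface-add`
# leaves behind in the two designs discussed in the thread.
SHARED_ROUTER = [            # single router: the l3-agent routes between zones
    ("router1", "DMZ-Subnet1"),
    ("router1", "nonDMZ-Subnet1"),
]
TWO_ROUTERS = [              # Aaron's suggestion: one router per zone
    ("DMZ-router", "DMZ-Subnet1"),
    ("non-DMZ-router", "nonDMZ-Subnet1"),
]


def zone_of(subnet_name):
    """Classify a subnet by name prefix (constructed convention for this example).

    A real deployment would map subnets to zones by tag or by CIDR instead.
    """
    return "dmz" if subnet_name.lower().startswith("dmz") else "non-dmz"


def routers_bridging_zones(interfaces):
    """Return the routers whose interfaces touch more than one zone.

    Any router returned here would route DMZ <-> non-DMZ traffic inside the
    network node, bypassing the external routers that do the filtering.
    """
    zones_per_router = defaultdict(set)
    for router, subnet in interfaces:
        zones_per_router[router].add(zone_of(subnet))
    return sorted(r for r, zones in zones_per_router.items() if len(zones) > 1)


def isolation_holds(interfaces):
    """True when every router serves a single zone."""
    return not routers_bridging_zones(interfaces)


if __name__ == "__main__":
    for label, topology in (("shared router", SHARED_ROUTER), ("two routers", TWO_ROUTERS)):
        bad = routers_bridging_zones(topology)
        print(f"{label}: {'OK' if not bad else 'bridging routers: ' + ', '.join(bad)}")
```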
