yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2123848] Re: [ovn-octavia-provider] Octavia LB not reachable with custom firewall appliance

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Bence Romsics <2123848@xxxxxxxxxxxxxxxxxx>
Date: Tue, 23 Sep 2025 13:23:22 -0000
Reply-to: Bug 2123848 <2123848@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

** Changed in: neutron
       Status: Opinion => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2123848

Title:
  [ovn-octavia-provider] Octavia LB not reachable with custom firewall
  appliance

Status in neutron:
  Incomplete

Bug description:
  Hi Everyone!

  Recently we are facing an issue with octavia-ovn-provider due to our
  specific setup, to give more context we are using the following:

  Customer A wants to use a dedicated appliance inside his network to forward traffic to the outside world (e.g. 192.168.10.1 instead of Openstack virtual router), so they set the default gateway of the subnet to 192.168.10.1 (which is the dedicated appliance device)
  The customer wants to use Octavia LBs with private VIP (192.168.10.x)

  Openstack version: Caracal and Antelope (code seems the same also in master)
  Can be replicated with Devstack

  What we saw is that when ever we create the subnet with a specific
  port here below the commands to replicate it:

  ```
  openstack subnet create --network "shared network" --subnet-range "192.168.10.0/24" --allocation-pool start=192.168.10.10,end=192.168.10.200 --dhcp subnet 

  openstack port create --fixed-ip subnet=subnet,ip-address=192.168.10.2
  --network "shared network" internal_port_router_workaround

  openstack router add port router-terraform internal_port_router_workaround
  ```

  
  The created loadbalancer would not be reachable due to a specific condition on the codebase which requires that the port IP is equivalent to the subnet gateway IP, here below the reference of it:

  https://github.com/openstack/ovn-octavia-
  provider/commit/feb5ac89af684f724ccda0c74a908438ce1f48e7#diff-e533b994f9a708045fefd5ef3b897fa16acc209a460572c3b9af80d712ce9433R799

  
  Thus creating a load balancer we get the following:
  ```
  openstack loadbalancer create --provider ovn  --name lb1 --vip-subnet-id subnet

  ovn-nbctl find logical_router  "name=neutron-2d35e699-6fd0-428d-a0d1-b15fd8c4828f" | grep load_balancer
  load_balancer       : []
  load_balancer_group : []
  ```


  The field load_balancer is empty on the nb database making unreachable
  the loadbalancer, in order to fix that potential work arounds are:

  Set default static route on the virtual router 192.168.10.2 to point to the firewall 192.168.10.1, and use 192.168.10.2 as default gateway for the subnet
  Set static routes on each VM inside the shared network so VMs can reach directly the firewall (requires automation or cloud-init integration)

  
  Later on to make the loadbalancer creation work again we did the following:
  ```
  openstack subnet set --gateway 192.168.10.2 subnet

  openstack loadbalancer create --provider ovn  --name lb2 --vip-subnet-
  id subnet

  ovn-nbctl find logical_router  "name=neutron-2d35e699-6fd0-428d-a0d1-b15fd8c4828f" | grep load_balancer
  load_balancer       : [a6fd8537-eff3-4def-a5e3-e6dacb8bb901]
  load_balancer_group : [] 
  ```

  We were discussing internally if that is the expected behaviour of
  Openstack or if this can be potentially improved to allow this
  specific use-case

  Thank you for your time!

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2123848/+subscriptions

References

[Bug 2123848] [NEW] [ovn-octavia-provider] Octavia LB not reachable with custom firewall appliance
From: Sami Yessou, 2025-09-15