17 Replies Latest reply on Nov 21, 2018 6:37 PM by sholliday_aus

    VIO public IPs and NOT use NAT

    oneben007 Novice


      My very first post...Yay!!


      We have been running VIO for 12 months and are very happy. We use NSX and currently all our VMs are using NAT. However, we want to be able to NOT use NAT and assign public IPs directly on the VMs' interface. Is this possible? We use NAT and security groups and it is working very well....SO happy we chose VIO.


      Can someone point me in the direction on how we go about assigning public IPs directly on the VMs' interface?


      We think it should be as easy as setting up another router and adding an external interface...Hmmmm.

      Any guidance would be appreciated

        • 1. Re: VIO public IPs and NOT use NAT
          xgao3 Novice
          VMware Employees

          You can.


          No-NAT Topologies (works with Centralized and Distributed Routers):

          To disable NAT in a Neutron router, just issue the following CLI:

          #neutron router-update Tenant1-LR-Central-Exclusive1 --external_gateway_info type=dict network_id=ccee6823-360d-43d7-99b0-a7e22b82433f,enable_snat=False
          Updated router: Tenant1-LR-Central-Exclusive1
          • 2. Re: VIO public IPs and NOT use NAT
            oneben007 Novice

            Hello Sir and thank you for your reply. I have been waiting for someone with more knowledge than I to give some insight.


            I will create a new router, as if I update it, it may break the networking on our existing VMs. What is the impact on current VMs using NAT when updating the router as opposed to creating a new one?

            • 3. Re: VIO public IPs and NOT use NAT
              oneben007 Novice

              Also, as I will need to create a new router specifically for use with No NAT, I am wondering whether, when creating the router, I also need to create a subnet? I know that if I do not create a subnet I will not be able to attach it to instances, but I am just a little lost as to the correct settings for a router that is not using NAT. Do I also need to create a gateway?

              We have 3 IP blocks so we already have 3 subnets for our Public IPs. I have created a new network specifically for use with those external IPs and No-NAT.


              Any help would be appreciated.

              • 4. Re: VIO public IPs and NOT use NAT
                xgao3 Novice
                VMware Employees

                I would agree that you should test this out before implementing on your production. Simply because (without knowing all details) routing has a dependency on external network configuration; even if your OpenStack config is perfect, your network admin still has to somehow route the traffic to your project.


                Since the networks in question are tenant networks and you are already doing NAT (no chance of duplicate IPs external to OpenStack), why not

                • create a new project
                • create router with no nat
                • create new network & subnet
                • attach proposed subnet to router

                Once you hash out the implementation, you can then apply the changes to your production project.

                • 5. Re: VIO public IPs and NOT use NAT
                  benjamin000 Enthusiast

                  Hello and thanks for the reply.


                  One of the things that makes it difficult to create a new project and new subnet is that we already have instances running and are using all our RIPE subnets, so moving those to a new project would (I assume) break our existing implementation.


                  We did try last week to create another router with a new network and attach one existing subnet, and this works and it provisions that public IP with no NAT perfectly how we want, BUT there is no external access to that IP. I am assuming that a static route needs to be set up, which is why there is no external access.


                  I am surprised that OpenStack has not implemented a simple feature to disable NAT when creating networks as this would make life much easier but maybe it will happen in the future.


                  If you have some advice for the static route or why there is no external access I would love to hear it but in any event I am going to give it another go this evening.

                  • 6. Re: VIO public IPs and NOT use NAT
                    benjamin000 Enthusiast

                    Hello Again


                    We have almost done it however we are using Mitaka and the command you provided does not work.


                    We have tried


                    openstack router set --external-gateway --disable-snat  <external-network> < router-id>


                    We just need the correct syntax, and we have googled and looked in the OpenStack docs.


                    The neutron command is unavailable in Mitaka so we need to use commands such as

                    openstack router list

                    and all others.


                    If you could provide an updated syntax for Mitaka I would be most appreciative

                    • 7. Re: VIO public IPs and NOT use NAT
                      xgao3 Novice
                      VMware Employees

                      Can you try this? I just tested it, and it works.


                      viouser@openstack-client:~/heat-autoscaling$ neutron router-gateway-set --disable-snat cbeaf20a-e6d4-4333-b89a-968911b2299f 42f8b1b5-0caa-44bd-ad7e-0fce64d8e94a

                      Set gateway for router cbeaf20a-e6d4-4333-b89a-968911b2299f



                      neutron router-gateway-set --disable-snat <router id> <external network ID>

                      • 8. Re: VIO public IPs and NOT use NAT
                        xgao3 Novice
                        VMware Employees

                        Original command works also:


                        viouser@openstack-client:~/heat-autoscaling$ neutron router-update cbeaf20a-e6d4-4333-b89a-968911b2299f --external_gateway_info type=dict network_id=42f8b1b5-0caa-44bd-ad7e-0fce64d8e94a,enable_snat=False

                        Updated router: cbeaf20a-e6d4-4333-b89a-968911b2299f



                        viouser@openstack-client:~/heat-autoscaling$ neutron router-show cbeaf20a-e6d4-4333-b89a-968911b2299f


                        | Field                   | Value |
                        | admin_state_up          | True |
                        | availability_zone_hints | |
                        | availability_zones      | default |
                        | description             | |
                        | distributed             | False |
                        | external_gateway_info   | {"network_id": "42f8b1b5-0caa-44bd-ad7e-0fce64d8e94a", "enable_snat": false, "external_fixed_ips": [{"subnet_id": "9c72fa3a-6fb4-4522-96c9-63d9cf6345c9", "ip_address": ""}]} |
                        | id                      | cbeaf20a-e6d4-4333-b89a-968911b2299f |
                        | name                    | no_nat_router |
                        | router_size             | compact |
                        | router_type             | exclusive |
                        | routes                  | |
                        | status                  | ACTIVE |
                        | tenant_id               | dc2bcfeb974d402eb8669c6e80d4145c |



                        • 9. Re: VIO public IPs and NOT use NAT
                          xgao3 Novice
                          VMware Employees

                          Make sure you don't have a space between the comma and enable_snat
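The `router-show` table in reply 8 is where the change can be confirmed. The following is an added example, not part of the thread: a shell filter that reads that table and reports the `enable_snat` value, including the case where no gateway is set. The function names and the sample rows are constructed for illustration.

```shell
# Constructed sample: a few rows shaped like the `neutron router-show`
# table in reply 8 (the network ID is a placeholder, not a real value).
sample_router_show() {
cat <<'EOF'
| Field                 | Value |
| distributed           | False |
| external_gateway_info | {"network_id": "EXT-NET-ID", "enable_snat": false, "external_fixed_ips": []} |
| name                  | no_nat_router |
EOF
}

# Read router-show table text on stdin and print the enable_snat value
# ("true" or "false"). Prints "unknown" when the router has no external
# gateway or the key is missing, so an empty cell is never read as "off".
snat_state() {
    awk -F'|' '
        $2 ~ /^[ ]*external_gateway_info[ ]*$/ {
            if (match($3, /"enable_snat":[ ]*(true|false)/)) {
                v = substr($3, RSTART, RLENGTH)
                sub(/.*:[ ]*/, "", v)
                print v
                found = 1
            }
        }
        END { if (!found) print "unknown" }'
}

# Succeeds only when SNAT is confirmed disabled.
assert_no_nat() {
    [ "$(snat_state)" = "false" ]
}

# Usage against a live router (the command form shown in the thread):
#   neutron router-show <router id> | assert_no_nat && echo "SNAT is off"
```

With SNAT off the instances sit on their public addresses directly, so this check is worth running before and after the change on any router that fronts production VMs.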

                          • 10. Re: VIO public IPs and NOT use NAT
                            benjamin000 Enthusiast

                            Much appreciated for your testing and guidance. I will give it a go this evening, but I don't think the neutron commands work in Mitaka; however, I'll test it using your syntax and report back !!!

                            • 11. Re: VIO public IPs and NOT use NAT
                              xgao3 Novice
                              VMware Employees

                              It should work, I tested this against Mitaka.

                              • 12. Re: VIO public IPs and NOT use NAT
                                benjamin000 Enthusiast



                                Just tried it, and looking at what we did before, the command is exactly the same.


                                When using the neutron command we receive the authentication error but when using commands such as glance image-create the source rc file we are using works just fine with no authentication errors.

                                It is only when trying to change router settings in the command line do we receive errors.


                                I have attached the error and also attached the rc source file I am using.

                                I have naturally removed the user name from the rc source file for security.

                                • 13. Re: VIO public IPs and NOT use NAT
                                  xgao3 Novice
                                  VMware Employees

                                  Does your account have admin permissions?  In your second screenshot, did you set OS_PASSWORD?



                                  • 14. Re: VIO public IPs and NOT use NAT
                                    benjamin000 Enthusiast

                                    I have never put OS_Password= in the source file. Usually I get a password prompt and it was fine when we were adding vSphere VMs.


                                    Anyway after adding OS_Password to the source rc file it worked so now just need to test the NAT.


                                    Fingers crossed
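An alternative to writing the password into the rc file, as an added example that is not part of the thread: prompt for it once per shell session and export it, and audit existing rc files for a stored password or loose permissions. The function names are hypothetical; `OS_PASSWORD` and `OS_USERNAME` are the standard client environment variables.

```shell
# Ask for the password without echoing it and export it for this shell
# session only, so the CLI clients find OS_PASSWORD in the environment.
# Meant to be called from an rc file that is sourced interactively.
prompt_os_password() {
    [ -n "${OS_PASSWORD:-}" ] && return 0
    printf 'OpenStack password for %s: ' "${OS_USERNAME:-<unset>}" >&2
    stty -echo
    IFS= read -r OS_PASSWORD
    stty echo
    printf '\n' >&2
    export OS_PASSWORD
}

# Audit an rc file. Prints one finding per line and returns non-zero if
# the file holds a literal password or is accessible to group/other.
# An assignment from another variable (OS_PASSWORD=$SOMETHING) is not
# counted as a stored password.
audit_rc_file() {
    rc=$1
    findings=0
    if grep -Eq '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD=["'\'']?[^$"'\''[:space:]]' "$rc"; then
        echo "plaintext OS_PASSWORD in $rc"
        findings=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld "$rc" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$rc is accessible to group/other ($perms)"
        findings=1
    fi
    return $findings
}
```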
