VMware Cloud Community
jantteri
Contributor

Cloud Director - Edge SNAT rules missing protocol selection

Hi,

We're running Cloud Dir. 10.2.0 and NSX-V 6.4.8. We know it's not the latest and greatest combo at the moment.


We can't configure SNAT rules with a port (TCP, UDP etc.) defined from the Cloud Dir. GUI. When we type a port number (e.g. 123) into the SNAT rule dialog and try to apply the Edge config we get the following error message in Cloud Dir:


Networking Operation Failed with reason: Configuration failed on NSX Edge VM vm-12345. Kindly refer Edge and NSX Manager logs for more details. Root Cause: [512] failed to update iptables : iptables-restore v1.6.1: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'


If we discard the port number (e.g. 123) from the SNAT rule the Edge config applies successfully. The Cloud Dir. GUI doesn't show a protocol selection dropdown in the SNAT rule edit dialog. Only a port number field is shown in the edit rule dialog. The port and protocol selection is however possible from the NSX-V (vCenter - Networking and Security) GUI edit rule dialog. This makes us believe this is a UI/API bug in Cloud Director.


We can't find any mentions of this issue in the release notes of the CD version we are running or in the newer ones.

Are we missing something obvious, or aren't other Service Providers' customers (tenants) using Edge SNAT rules with specific port+protocol configurations? Seems like an obvious issue that other people should've reported before us...


Br,

Jantteri

jantteri
Contributor

Just checked another environment which is running CD 10.2.1 and NSX-T 3.1 combo.

There we can't even specify a port number anymore in the Cloud Dir. Edge SNAT rule dialog... 


Seriously... is everybody else using plain IP addresses without any port+protocol info in their SNAT rules? Or is this for some reason configurable only through the API, and if so why make it so difficult (haven't checked the API yet)?


- Jantteri

jantteri
Contributor

Just to clarify the issue a bit further.


SNAT rule that can't be applied from the GUI:

Original Source IP/Range: A.A.A.A

Translated Source IP/Range: B.B.B.B

Destination IP Address: C.C.C.C

Destination Port: 123


SNAT rule that can be applied:

Original Source IP/Range: A.A.A.A

Translated Source IP/Range: B.B.B.B

Destination IP Address: C.C.C.C

Destination Port: any


There is no dropdown for selecting the protocol type (tcp, udp, icmp etc.).


- Jantteri

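To make the iptables constraint behind the quoted error concrete, here is an added example (not from the thread and not VMware product code): it takes the four dialog fields listed in the last post, renders the POSTROUTING SNAT rule the Edge would have to load, and rejects up front the one combination iptables-restore rejects, a destination port with no port-carrying protocol. The addresses are constructed placeholders and the iptables rendering is an illustration of the constraint, not the Edge's actual implementation.

```python
"""Pre-validate a Cloud Director style SNAT rule against the iptables rule
that must eventually be loaded on the Edge. Added example; the field names
mirror the dialog, the rendering is illustrative, addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

# Protocols the multiport match accepts, taken from the quoted error text.
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}


@dataclass
class SnatRule:
    original_source: str            # "Original Source IP/Range"
    translated_source: str          # "Translated Source IP/Range"
    destination: str                # "Destination IP Address"
    destination_port: str = "any"   # "Destination Port": number or "any"
    protocol: Optional[str] = None  # the field the Cloud Director dialog lacks


def validate(rule: SnatRule) -> None:
    """Raise ValueError for what iptables cannot express: a destination port
    restriction without a protocol that carries ports."""
    if rule.destination_port == "any":
        return
    if not rule.destination_port.isdigit() or not 0 < int(rule.destination_port) < 65536:
        raise ValueError(f"invalid destination port {rule.destination_port!r}")
    if rule.protocol not in PORT_PROTOCOLS:
        raise ValueError("destination port set but protocol missing: multiport needs "
                         "-p tcp, -p udp, -p udplite, -p sctp or -p dccp")


def render_iptables(rule: SnatRule) -> str:
    """Return the POSTROUTING SNAT rule; validated first so it always loads."""
    validate(rule)
    parts = ["-t", "nat", "-A", "POSTROUTING", "-s", rule.original_source,
             "-d", rule.destination]
    if rule.destination_port != "any":
        parts += ["-p", rule.protocol, "-m", "multiport", "--dports", rule.destination_port]
    parts += ["-j", "SNAT", "--to-source", rule.translated_source]
    return "iptables " + " ".join(parts)


if __name__ == "__main__":
    base = dict(original_source="10.0.0.0/24", translated_source="198.51.100.10",
                destination="203.0.113.5")                     # constructed values
    print(render_iptables(SnatRule(**base)))                   # port "any": loads
    print(render_iptables(SnatRule(**base, destination_port="123", protocol="udp")))
    try:                                                       # what the dialog produces
        render_iptables(SnatRule(**base, destination_port="123"))
    except ValueError as err:
        print("rejected:", err)
```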