VMware Cloud Community
oneben007
Contributor

VIO public IPs and NOT use NAT

Hello

My very first post...Yay!!

We have been running VIO for 12 months and are very happy. We use NSX and currently all our VMs are using NAT. However, we want to be able to NOT use NAT and assign public IPs directly on the VMs' interface. Is this possible? We use NAT and security groups and it is working very well....So happy we chose VIO.

Can someone point me in the direction on how we go about assigning public IPs directly on VMs interface?

We think it should be as easy as setting up another router and add external interface...Hmmmm.

Any guidance would be appreciated

17 Replies
xgao3
VMware Employee

You can.

No-NAT Topologies (works with Centralized and Distributed Routers):

To disable NAT in a Neutron router, just issue the following CLI:

#neutron router-update Tenant1-LR-Central-Exclusive1 --external_gateway_info type=dict network_id=ccee6823-360d-43d7-99b0-a7e22b82433f,enable_snat=False
Updated router: Tenant1-LR-Central-Exclusive1
oneben007
Contributor

Hello Sir and thank you for your reply. I have been waiting for someone with more knowledge than I to give some insight.

I will create a new router as if I update it may break the networking on our existing VMs. What is the impact on current VM's using NAT when updating the router as opposed to creating a new one?

oneben007
Contributor

Also, as I will need to create a new router to specifically use with No NAT, I am wondering if, when creating the router, I need to also create a subnet? I know that if I do not create a subnet I will not be able to attach it to instances, but I am just a little lost as to the correct settings for a router that is not using NAT. Do I also need to create a gateway?

We have 3 IP blocks so we already have 3 subnets for our Public IPs. I have created a new network specifically use with those external IPs and No-NAT.

Any help would be appreciated.

xgao3
VMware Employee

I would agree that you should test this out before implementing on your production. Simply because (without knowing all details) routing has a dependency on the external network configuration: even if your OpenStack config is perfect, your network admin still has to somehow route the traffic to your project.

Since the networks in question are tenant networks and you are already doing NAT (no chance of duplicate IPs external to OpenStack), why not

  • create a new project
  • create router with no nat
  • create new network & subnet
  • attach proposed subnet to router

Once you hash out the implementation, you can then apply the changes to your production project.

benjamin000
Enthusiast

Hello and thanks for the reply.

One of the things that makes it difficult to create a new project and new subnet is we already have instances running and are using all our RIPE subnets, so moving those to a new project would (I assume) break our existing implementation.

We did try last week to create another router with a new network and attach one existing subnet, and this works and it provisions that public IP with no NAT perfectly how we want, BUT there is no external access to that IP. I am assuming that a static route needs to be set up, which is why there is no external access.

I am surprised that OpenStack has not implemented a simple feature to disable NAT when creating networks as this would make life much easier but maybe it will happen in the future.

If you have some advice for the static route or why there is no external access I would love to hear it but in any event I am going to give it another go this evening.

Regards Ben McGuire
benjamin000
Enthusiast

Hello Again

We have almost done it; however, we are using Mitaka and the command you provided does not work.

We have tried

openstack router set --external-gateway --disable-snat <external-network> <router-id>

We just need the correct syntax; we have googled and looked on the OpenStack docs.

The neutron command is unavailable in Mitaka, so we need to use commands such as

openstack router list

and all others.

If you could provide an updated syntax for Mitaka I would be most appreciative

Regards Ben McGuire
xgao3
VMware Employee

Can you try this? I just tested it, and it works.

viouser@openstack-client:~/heat-autoscaling$ neutron router-gateway-set --disable-snat cbeaf20a-e6d4-4333-b89a-968911b2299f 42f8b1b5-0caa-44bd-ad7e-0fce64d8e94a

Set gateway for router cbeaf20a-e6d4-4333-b89a-968911b2299f

syntax:

neutron router-gateway-set --disable-snat <router id> <external network ID>

xgao3
VMware Employee

The original command works also:

viouser@openstack-client:~/heat-autoscaling$ neutron router-update cbeaf20a-e6d4-4333-b89a-968911b2299f --external_gateway_info type=dict network_id=42f8b1b5-0caa-44bd-ad7e-0fce64d8e94a,enable_snat=False
Updated router: cbeaf20a-e6d4-4333-b89a-968911b2299f
viouser@openstack-client:~/heat-autoscaling$
viouser@openstack-client:~/heat-autoscaling$ neutron router-show cbeaf20a-e6d4-4333-b89a-968911b2299f
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                                                                                                      |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up          | True                                                                                                                                                                                       |
| availability_zone_hints |                                                                                                                                                                                            |
| availability_zones      | default                                                                                                                                                                                    |
| description             |                                                                                                                                                                                            |
| distributed             | False                                                                                                                                                                                      |
| external_gateway_info   | {"network_id": "42f8b1b5-0caa-44bd-ad7e-0fce64d8e94a", "enable_snat": false, "external_fixed_ips": [{"subnet_id": "9c72fa3a-6fb4-4522-96c9-63d9cf6345c9", "ip_address": "10.115.97.180"}]} |
| id                      | cbeaf20a-e6d4-4333-b89a-968911b2299f                                                                                                                                                       |
| name                    | no_nat_router                                                                                                                                                                              |
| router_size             | compact                                                                                                                                                                                    |
| router_type             | exclusive                                                                                                                                                                                  |
| routes                  |                                                                                                                                                                                            |
| status                  | ACTIVE                                                                                                                                                                                     |
| tenant_id               | dc2bcfeb974d402eb8669c6e80d4145c                                                                                                                                                           |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
viouser@openstack-client:~/heat-autoscaling$

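The `external_gateway_info` field shown above is where a router's NAT setting lives, and once SNAT is off the instances behind that router sit on routable addresses with only their security groups in front of them. The following audit script is an added example, not code from the thread or from VIO: it classifies routers by their SNAT state from the JSON that `openstack router show -f json <router>` prints, using a constructed sample with made-up IDs and addresses so it runs offline.

```python
import json

# Constructed sample (made-up IDs/addresses) in the shape that
# `openstack router show -f json <router>` prints, one dict per router.
SAMPLE_ROUTERS = json.loads("""
[
  {"name": "nat_router", "id": "11111111-1111-4111-8111-111111111111",
   "external_gateway_info": {"network_id": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
     "enable_snat": true,
     "external_fixed_ips": [{"subnet_id": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
                             "ip_address": "203.0.113.10"}]}},
  {"name": "no_nat_router", "id": "22222222-2222-4222-8222-222222222222",
   "external_gateway_info": {"network_id": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
     "enable_snat": false,
     "external_fixed_ips": [{"subnet_id": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
                             "ip_address": "203.0.113.11"}]}},
  {"name": "isolated_router", "id": "33333333-3333-4333-8333-333333333333",
   "external_gateway_info": null}
]
""")

def snat_state(router):
    """'enabled', 'disabled' or 'no-gateway'. Neutron treats a missing
    enable_snat key as True, so only an explicit false is a no-NAT router."""
    gw = router.get("external_gateway_info")
    if not gw:
        return "no-gateway"
    return "disabled" if gw.get("enable_snat", True) is False else "enabled"

def gateway_ip(router):
    """The router's external fixed IP, or None when it has no gateway."""
    gw = router.get("external_gateway_info") or {}
    ips = gw.get("external_fixed_ips") or []
    return ips[0]["ip_address"] if ips else None

def audit_routers(routers):
    """Map router name -> (SNAT state, gateway IP) for every router."""
    return {r["name"]: (snat_state(r), gateway_ip(r)) for r in routers}

def no_nat_routers(routers):
    """Routers whose tenant subnets are exposed without NAT: instances behind
    them carry routable IPs, so security groups are the only filter in front."""
    return sorted(r["name"] for r in routers if snat_state(r) == "disabled")

if __name__ == "__main__":
    for name, (state, ip) in audit_routers(SAMPLE_ROUTERS).items():
        print(f"{name}: snat={state} gateway_ip={ip}")
```

Against a real deployment, replace `SAMPLE_ROUTERS` with the parsed output of `openstack router show -f json` for each router id from `openstack router list`.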
xgao3
VMware Employee

Make sure you don't have a space between the comma and enable_snat.

benjamin000
Enthusiast

Much appreciated for your testing and guidance. I will give it a go this evening, but I don't think the neutron commands work in Mitaka; however, I'll test it using your syntax and report back!!!

Regards Ben McGuire
xgao3
VMware Employee

It should work, I tested this against Mitaka.

benjamin000
Enthusiast

Hello

Just tried it and, looking at what we did before, the command is exactly the same.

When using the neutron command we receive the authentication error, but when using commands such as glance image-create, the source rc file we are using works just fine with no authentication errors.

It is only when trying to change router settings in the command line that we receive errors.

I have attached the error and also attached the rc source file I am using.

I have naturally removed the user name from the rc source file for security.

Regards Ben McGuire
xgao3
VMware Employee

Does your account have admin permissions?  In your second screenshot, did you set OS_PASSWORD?

--xhg

benjamin000
Enthusiast

I have never put OS_Password= in the source file. Usually I get a password prompt, and it was fine when we were adding vSphere VMs.

Anyway, after adding OS_Password to the source rc file it worked, so now I just need to test the NAT.

Fingers crossed :)

Regards Ben McGuire
benjamin000
Enthusiast

OK, now we are getting somewhere; your tips and advice have helped a great deal.

I have launched an instance and it provisions an IP from our external pool, and that IP gets assigned without any NAT; however, when the VM boots, "Raise network interfaces" displays in the boot screen and it takes 5 minutes for the VM to boot.

I am sure this is not usual, and I would have thought that a static route would be needed somewhere, as there is no external access.

Regards Ben McGuire
benjamin000
Enthusiast

OK, the boot issue is gone by adding DHCP to the subnet.

Still no external access. Any tips on routing that would need to be added?

Regards Ben McGuire
sholliday_aus
VMware Employee

Your initial command was mostly correct; you just need the right order.

Incorrect

openstack router set --external-gateway <external-network> --disable-snat <router-id>

Correct order

openstack router set --disable-snat --external-gateway <external-network> <router-id>

Regards,
Scott
