Posted to users@cloudstack.apache.org by Venkat Srinivasan <ve...@cliqr.com> on 2014/09/24 01:25:34 UTC

Static NAT routing

Hello All,

I have a CloudStack environment with an advanced zone setup. I have two
bridge networks cloudbr0 and cloudbr1. cloudbr0 is configured on a Public
network interface using VLAN and cloudbr1 uses GRE on a second interface.

I am using Open vSwitch on KVM.

I also created a networking offering with static NAT, port forwarding, etc.
using 'ovs' as the provider.

After my zone was created successfully, I created an isolated network using
the above network offering with a CIDR of 10.0.0.0/24.

All this works just fine. I launched a VM inside this network and it comes
up fine and my 'ovs-vsctl show' shows the appropriate tunnels and bridges
created. The VM gets an IP 10.0.0.31.

Now I want to access this from the public network, so I acquired a public IP,
172.16.10.103, and created a static NAT rule with my VM. The logs also show
everything went through fine.
My Virtual Router IP is 172.16.10.102 and if I do 'ip addr' I can see that
the acquired public IP is added as a secondary IP to the eth2 interface.

My issue is that I can't seem to route to this public IP from, say, my
desktop. I checked my Cisco firewall/DHCP server and it has not received
any ARP requests for a new IP/interface for 172.16.10.103 either. But the
system VMs and the Virtual Routers have registered themselves on my
firewall/DHCP server.
I am curious how this works. Do I need to set up some routing in my
hardware firewall to use the virtual router as the default gateway?

Currently my default gateway is 172.16.10.1.

Sorry if I am missing something basic, but any suggestions and ideas will
help.

--
Thanks

Re: Static NAT routing

Posted by Venkat Srinivasan <ve...@cliqr.com>.
Thanks Sanjeev. I was able to get it to work today. The 172.16.10.1 is my
firewall gateway and the ingress rules seem to be allow all.
I recreated a VPC and a network offering using ovs and the 'Virtual
Networking' and 'Connectivity' provider. Not really sure what these mean. I
also deleted and recreated my bridges. I wanted to create a network
offering for VPCs with OVS as the static NAT provider but that gets greyed
out as soon as I check the VPC.
Yes, I noticed that about the Virtual Router. It seems to respond to
ARPING with the secondary IP of its public NIC eth2 as 172.16.10.103 and I
assume that's how the routing takes place from my 172.16.10.1 gateway.

Anyhow, it seems to work now, will need to do some more tests.

---
Thanks.
Venkat



On Wed, Sep 24, 2014 at 9:14 PM, Sanjeev Neelarapu <
sanjeev.neelarapu@citrix.com> wrote:

> Hi Venkat,
>
> Couple of questions:
> 1. Are you able to reach the gateway 172.16.10.1 from your desktop?
> 2. Did you create firewall rules on the acquired IP 172.16.10.103 to allow the
> ingress traffic?
>
> You would not need to set up the virtual router as the default gateway. All
> the guest VMs inside the isolated network you created would have the
> virtual router as the default gateway by default.
>
> Thanks,
> Sanjeev

RE: Static NAT routing

Posted by Sanjeev Neelarapu <sa...@citrix.com>.
Hi Venkat,

Couple of questions:
1. Are you able to reach the gateway 172.16.10.1 from your desktop?
2. Did you create firewall rules on the acquired IP 172.16.10.103 to allow the ingress traffic?

You would not need to set up the virtual router as the default gateway. All the guest VMs inside the isolated network you created would have the virtual router as the default gateway by default.

Thanks,
Sanjeev