
I'm using CentOS 8.3 and Ussuri. I made the installation following the official tutorial. Everything is working, except the SNAT. From a new instance, when I try to access any external address, it doesn't work. I've made a tcpdump on the destination, and saw that the SNAT is not working.

Any suggestion?

  • I forgot to mention that I'm using self-service networks (vxlan) – Vinicius Coelho Apr 13 '21 at 12:29
  • Is SNAT enabled in the first place? What do you mean by "external address"? What happens on the instance when you access an external address? What does tcpdump report? Can you reach instances via floating IP? I would check if the router's namespace has SNAT netfilter rules (`iptables` command) and run tcpdump in that namespace for more clarity. – berndbausch Apr 13 '21 at 17:04
  • Sorry for the lack of information. Yes, SNAT is enabled, and when I say external address, it is any address that needs to be routed. Inside the router namespace I can see the packets being routed to my destination. In my destination I see the packets coming, but with the internal IP, so the masquerade is not working. If I attach a floating IP, everything works. Can't find anything wrong with iptables, but I truly believe that the problem is there – Vinicius Coelho Apr 13 '21 at 18:00
  • I believe that this rule would be doing the masquerade, right? `Chain neutron-l3-agent-float-snat (1 references) pkts bytes target prot opt in out source destination 0 0 SNAT all -- any any 172.16.0.112 anywhere to:X.X.X.X random-fully` – Vinicius Coelho Apr 13 '21 at 18:06
  • I checked my Devstack. The external router network namespace has two tables for SNAT, named `neutron-l3-agent-float-snat` and `neutron-l3-agent-snat`. If the Neutron port has a floating IP, the former is used. The rule is `-s 10.0.0.34/32 -j SNAT --to-source 192.168.1.253`, where 10.0.0.34 is the port's IP address, and 192.168.1.253 is the floating IP. I.e. this rule is for one port only. The other table for Neutron ports without floating IP contains `-o qg-7678aec3-62 -j SNAT --to-source 192.168.1.249`, which performs SNAT to the gateway's IP for all traffic that goes out. – berndbausch Apr 16 '21 at 03:37
  • I have both chains. It's strange because I have this rule with the interface, but SNAT still does not work :/ – Vinicius Coelho Apr 20 '21 at 12:10
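The two chains berndbausch describes, and the asker's situation of a rule that exists but never translates anything, can be checked mechanically. The script below is an added example, not code from the question or from Neutron: it takes the nat table of a router namespace, reports which SNAT rule would apply to a given instance IP, and verifies that the Neutron SNAT chains are actually reachable from POSTROUTING. The namespace name `qrouter-<router-id>`, the `qg-` interface prefix and the exact jump path between chains are assumptions; the sample table is constructed from the rules quoted in the comments.

```shell
#!/bin/sh
# Added diagnostic, not from the question or from Neutron itself: given the nat table of
# a router namespace, report which SNAT rule will translate a given instance IP and
# whether the Neutron SNAT chains are actually reachable from POSTROUTING.

# Constructed sample of `ip netns exec qrouter-<id> iptables-save -t nat`, using the
# chain names and rules quoted in the comments above, so the script runs offline.
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-float-snat -s 10.0.0.34/32 -j SNAT --to-source 192.168.1.253
-A neutron-l3-agent-snat -o qg-7678aec3-62 -j SNAT --to-source 192.168.1.249
COMMIT'

# Usage: snat_rule_for <fixed-ip> "<iptables-save -t nat output>"
# Prints "float-snat <ip>", "snat <qg-interface> <ip>" or "none" (exit 1).
snat_rule_for() {
    ip="$1"; nat="$2"
    # Per-port rule wins: a floating IP maps exactly this fixed IP.
    to=$(printf '%s\n' "$nat" | awk -v src="$ip/32" \
        '$1=="-A" && $2=="neutron-l3-agent-float-snat" && $3=="-s" && $4==src && $6=="SNAT" {print $8; exit}')
    if [ -n "$to" ]; then echo "float-snat $to"; return 0; fi
    # Otherwise the router-wide rule on the external (qg-) interface applies.
    rule=$(printf '%s\n' "$nat" | awk \
        '$1=="-A" && $2=="neutron-l3-agent-snat" && $3=="-o" && $4 ~ /^qg-/ && $6=="SNAT" {print $4, $8; exit}')
    if [ -n "$rule" ]; then echo "snat $rule"; return 0; fi
    echo none; return 1
}

# A SNAT rule that is present but never traversed is the next thing to rule out:
# verify the jump path POSTROUTING -> neutron-postrouting-bottom -> neutron-l3-agent-snat
# -> neutron-l3-agent-float-snat (the wiring Neutron's L3 agent installs; assumed here).
snat_chain_hooked() {
    nat="$1"
    printf '%s\n' "$nat" | grep -q -- '^-A POSTROUTING .*-j neutron-postrouting-bottom' &&
    printf '%s\n' "$nat" | grep -q -- '^-A neutron-postrouting-bottom .*-j neutron-l3-agent-snat$' &&
    printf '%s\n' "$nat" | grep -q -- '^-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat'
}

# Live use (assumption: namespace is qrouter-<router-id>):
#   NAT=$(ip netns exec qrouter-<router-id> iptables-save -t nat)
snat_rule_for 10.0.0.34 "$SAMPLE_NAT"   # float-snat 192.168.1.253
snat_rule_for 10.0.0.50 "$SAMPLE_NAT"   # snat qg-7678aec3-62 192.168.1.249
snat_chain_hooked "$SAMPLE_NAT" && echo "SNAT chains are reachable from POSTROUTING"
```

If the rule is reported and the chains are hooked but the destination still sees the fixed IP, compare the `-o qg-...` name against the interfaces actually present in the namespace (`ip netns exec qrouter-<router-id> ip -o link`), since a rule bound to a stale interface name matches nothing.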

0 Answers