Principle analysis of external network access-5 minutes a day to play OpenStack (105)

In this section, we will connect the ext_net created in the previous section to the router and verify the connectivity of the internal and external networks.

More importantly, we will analyze the principle behind the appearance.

Connect the extranet to the Neutron virtual router so that the instance can access the extranet.

Click menu Project, Network, routers to enter the router list.

Click on the "Set Gateway" button in router_100_101.

Select Ext_net in the "External Network" drop-down list and click "Set Gateway".

The external network settings are successful.

We need to see what has changed in router. Click on the "router_100_101" link to open the "Interfaces" tab

Router A new interface,ip for 10.10.10.2. The interface is used to connect the external network ext_net.

View the network structure of the control node, the router tap device tapb8b32a88-03 is already connected to the extranet bridge.

View tapb8b32a88-03 's Veth pair device in the router namespace.

The veth pair is named qg-b8b32a88-03 with the IP 10.10.10.2 configured above.

Each interface in the router has a corresponding veth in namespace. If Veth is used to connect to a tenant network, the naming format is qr-xxx, such as qr-d568ba1a-74 and qr-e17162c5-00. If Veth is used to connect to an external network, the naming format is qg-xxx, such as qg-b8b32a88-03.

View the routing table information for the router.

You can see that the default gateway is 10.10.10.1. means that router_100_101 will be forwarded to Ext_net's gateway 10.10.10.1 for all traffic outside of the vlan100 and vlan101 tenant networks.

Now Router_100_101 has connected both vlan100, vlan101 and ext_net three networks, as shown in:

Let's test it on the cirros-vm3.

The CIRROS-VM3 is located in the compute node and is now able to Ping to the Ext_net gateway 10.10.10.1. Take a look at the path cirros-vm3 to 10.10.10.1 through traceroute

The packet passes through two hops to reach the 10.10.10.1 gateway. 1. The packet is first sent to the interface (172.16.101.1) of the router_100_101 connection vlan101. 2. The interface (10.10.10.2) is then forwarded through the connection Ext_net and finally arrives at 10.10.10.1.

When the packet is sent from the interface qg-b8b32a88-03 of the router connection, a source NAT is made, and the packet's origin address is modified to router's interface address 10.10.10.2, so that the destination can send the reply packet back to router , and then forward back to the source-side instance.

You can view SNAT's rules through the iptables command.

When CIRROS-VM3 (172.16.101.3) pings 10.10.10.1, it is possible to verify router behavior by observing interface two SNAT ICMP packets by tcpdump respectively.

vlan101 interface qr-e17162c5-00 tcpdump output:

Ext_net interface qg-b8b32a88-03 tcpdump output:

SNAT allows instance to access the extranet directly, but the extranet is not directly accessible to instance.
Because instance does not have an extranet IP. Here "direct access to instance" means that the communication connection is initiated by the extranet, for example, from an external network SSH cirros-vm3.

This problem can be solved by floating IP, and we will discuss floating IP in the next section.

Principle analysis of external network access-5 minutes a day to play OpenStack (105)