Revision as of 23:29, 17 February 2013 by Ryan Lane (talk | contribs) (Text replace - "__NOTOC__" to "")

Floating IPs


Under Heat, the Amazon Elastic IP resources (`AWS::EC2::EIP` and `AWS::EC2::EIPAssociation`) are implemented with OpenStack Floating IPs.

A fresh installation has no floating IPs allocated, so a template that depends on Elastic IPs will fail to launch. This guide shows how to set them up.

Security Group Policy

Allow ICMP, SSH and HTTP connections to the instances by adding a SecurityGroup resource to the template. The commit that introduced it in the Heat example templates is here: https://github.com/openstack/heat/commit/0ee8db445941f24e07a3a93b91adc87c192b1c1f#diff-2
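A complete template showing the SecurityGroup rules together with the EIP and EIPAssociation resources described above, as an added example that is not code from this page or from the Heat project. It is wrapped in a shell function so it can be written to disk and sanity-checked from the same shell the rest of this guide is typed into; the resource names, parameter names and the image name are assumptions. SSH is deliberately parameterised so the port 22 rule can be narrowed to an admin network instead of 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not from the Heat wiki page or the Heat project: writes a
# CloudFormation-style Heat template that opens ICMP, SSH and HTTP on a
# security group and binds an Elastic IP (a floating IP under Heat) to one
# instance. Resource names (WebServerSecurityGroup, WebServer, WebServerIP,
# WebServerIPAssoc), the image name and the parameter names are illustrative
# assumptions, not values the page gives.
write_eip_template() {
  cat > "$1" <<'EOF'
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "One instance reachable over ICMP, SSH and HTTP through a floating IP",
  "Parameters": {
    "KeyName": { "Type": "String", "Description": "Nova keypair for SSH access" },
    "InstanceType": { "Type": "String", "Default": "m1.small" },
    "ImageId": { "Type": "String", "Default": "F17-x86_64-cfntools" },
    "SSHLocation": {
      "Type": "String",
      "Default": "0.0.0.0/0",
      "Description": "CIDR allowed to reach port 22; narrow this to your admin network"
    }
  },
  "Resources": {
    "WebServerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "ICMP and HTTP from anywhere, SSH from SSHLocation",
        "SecurityGroupIngress": [
          { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": "0.0.0.0/0" },
          { "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": { "Ref": "SSHLocation" } },
          { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0" }
        ]
      }
    },
    "WebServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "ImageId" },
        "InstanceType": { "Ref": "InstanceType" },
        "KeyName": { "Ref": "KeyName" },
        "SecurityGroups": [ { "Ref": "WebServerSecurityGroup" } ]
      }
    },
    "WebServerIP": {
      "Type": "AWS::EC2::EIP"
    },
    "WebServerIPAssoc": {
      "Type": "AWS::EC2::EIPAssociation",
      "Properties": {
        "InstanceId": { "Ref": "WebServer" },
        "EIP": { "Ref": "WebServerIP" }
      }
    }
  },
  "Outputs": {
    "PublicIP": {
      "Value": { "Ref": "WebServerIP" },
      "Description": "Floating IP attached to the instance"
    }
  }
}
EOF
}

# Count the resources of one type in a template file, e.g. to confirm that
# each EIPAssociation has an EIP to bind before launching the stack.
count_resource_type() {
  grep -c "\"Type\": *\"$2\"" "$1" || true
}
```

Write the file with `write_eip_template eip.template`, pass it to the heat client as you would any other template, and supply `SSHLocation` with the CIDR of the machine you administer from; the EIP resource itself needs no properties, the EIPAssociation does the binding and `Ref` on the EIP yields the allocated address for the stack output.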

Configuring OpenStack for floating IPs

nova-network assumes the public interface is named eth0. On Fedora or another distribution that names the physical interface differently (em1, wlan0, ...), point nova at the real interface and restart nova-network:

sudo openstack-config --set /etc/nova/nova.conf DEFAULT public_interface <public_interface>
sudo systemctl restart openstack-nova-network.service

Allocate Address Space

Pick a pool of addresses to hand to OpenStack as floating IPs. The following allocates the `` subnet on the public interface, then lists the result:

sudo nova-manage floating create --interface=<public_interface>

sudo nova-manage floating list

This prints one line per allocated address, similar to the following; None means the address is not yet assigned to a project or instance:

None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0
None	None	nova	eth0

Deallocate the floating IPs

sudo nova-manage floating delete

Troubleshooting floating IPs in a NAT environment

On a typical laptop the wireless interface is wlan0. The wireless router performs NAT towards the outside world and hands the host an address such as 192.168.1.x. OpenStack floating IPs, however, are designed for routed networks, not for a network that sits behind NAT.

In a real deployment, ingress traffic would look like this:


In a laptop, ingress traffic looks like this:


The wireless router will not translate source addresses it did not hand out, so the laptop itself must source-NAT traffic leaving wlan0 to its own 192.168.1.x address. That second translation cannot simply be stacked on top of nova's: the floating IP is already applied by an SNAT rule in POSTROUTING, and the iptables man page says of the SNAT target:

This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules **should cease being examined**.

Because rule evaluation stops at the first matching SNAT, two source NATs cannot be chained back to back. The workaround on a laptop is to insert a MASQUERADE rule at the top of the POSTROUTING chain, so that instance traffic is translated once, straight to wlan0's address, before nova's rules are reached:

iptables -t nat -I POSTROUTING 1 -s -j MASQUERADE -o wlan0

If your nova-manage network is created on and your floating range is on, this rule forces masquerading over wlan0 for the whole 10.x.x.x network. If your internal network is already on, pick a different range that is not already present in your routing table (such as 11.x.x.x).
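As an added example, not code from this page or from nova, here are the checks a practitioner would want around the nova-manage commands above and the MASQUERADE workaround: a parser that lists the unassigned addresses from `nova-manage floating list` output, and a guard that only emits the POSTROUTING rule when the chosen `-s` range covers both the fixed and the floating network and does not overlap the LAN behind the wireless router (otherwise ordinary LAN traffic would be masqueraded too). The five-column listing layout, the sample listing and every address range are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from nova: helpers for the
# floating-IP setup and the laptop NAT workaround described above.
# Assumptions: `nova-manage floating list` prints one whitespace-separated
# line per address with the columns project, address, instance, pool,
# interface (the page's copy of the listing lost the address column); the
# sample listing and the 10.0.0.0/24, 10.0.1.0/24 and 192.168.1.0/24 ranges
# are constructed for illustration.

# Dotted quad -> 32-bit integer, using only shell arithmetic.
ip_to_int() {
  ip=$1; oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when every address of CIDR $2 lies inside CIDR $1.
cidr_contains() {
  obits=${1#*/}; ibits=${2#*/}
  [ "$obits" -le "$ibits" ] || return 1
  mask=$(( (4294967295 << (32 - obits)) & 4294967295 ))
  [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Two ranges overlap exactly when the shorter prefix contains the other.
cidrs_overlap() {
  cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

# Print the POSTROUTING rule for the laptop workaround. RANGE is the supernet
# handed to -s; it must cover both the nova-manage fixed network and the
# floating range, and must not overlap the LAN the wireless router serves,
# or the rule would masquerade (and break) ordinary LAN traffic as well.
masquerade_rule() {
  range=$1; fixed=$2; floating=$3; lan=$4; iface=$5
  if cidrs_overlap "$range" "$lan"; then
    echo "$range overlaps the LAN $lan; pick a range not in your routing table" >&2
    return 1
  fi
  for net in "$fixed" "$floating"; do
    cidr_contains "$range" "$net" || { echo "$range does not cover $net" >&2; return 1; }
  done
  echo "iptables -t nat -I POSTROUTING 1 -s $range -o $iface -j MASQUERADE"
}

# Constructed sample of `nova-manage floating list` output (see assumptions):
# two free addresses, one bound to a project and instance, one more free.
SAMPLE_FLOATING_LIST='None  10.0.1.1  None  nova  wlan0
None  10.0.1.2  None  nova  wlan0
b4e1c0ffee0011223344556677889900  10.0.1.3  3f1c9a2e-5b7d-4e8a-9c0d-1a2b3c4d5e6f  nova  wlan0
None  10.0.1.4  None  nova  wlan0'

# Addresses not yet bound to an instance (instance column is "None").
free_floating_ips() {
  printf '%s\n' "$1" | awk '$3 == "None" { print $2 }'
}

# Typical use on a laptop whose router serves 192.168.1.0/24, with the fixed
# network on 10.0.0.0/24 and the floating pool on 10.0.1.0/24:
#   sudo nova-manage floating list | free_floating_ips "$(cat)"
#   sudo sh -c "$(masquerade_rule 10.0.0.0/8 10.0.0.0/24 10.0.1.0/24 192.168.1.0/24 wlan0)"
```

`masquerade_rule` prints the command rather than running it, so it can be reviewed before being handed to `sudo sh -c`; it exits non-zero, with the reason on stderr, when the range would swallow the LAN or fail to cover one of the nova networks, which is exactly the situation the caveat above warns about.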

A **BIG** thank you to Fabio Di Nitto for helping sort out this issue.