I did some experiments with two subnets - one for DMZ, the other for non-DMZ.
But it looks like separation of network traffic between them doesn't work with two quantum routers.

We use the linux-bridge plugin. Network namespaces are not supported.
When two subnets (e.g. 10.12.83.0/24, 10.12.84.0/24) are created, the Quantum network node has ports to both subnets (10.12.83.1/24, 10.12.84.1/24).
Two quantum routers were created, one for each subnet.
Pinging from a VM in 10.12.83.0/24 to a VM in 10.12.84.0/24 is routed by the Quantum network node itself.
Before the Quantum router routes the packets to the external network, the Quantum network node routes them internally because it knows both networks.

I want the traffic to be routed to the external network through the Quantum router.
But it doesn't happen.
Am I doing something wrong?

Thanks,
David

----- Original Message -----
> In my reply I suggested that you create two quantum routers, which I
> believe should solve this for you.
>
> quantum net-create DMZ-net --external=True
> quantum subnet-create --name DMZ-Subnet1 DMZ-net <dmz_cidr> # Public ip pool
>
> quantum net-create non-DMZ --external=True
> quantum subnet-create --name nonDMZ-Subnet1 non-DMZ <dmz_cidr> # Public ip pool
>
> quantum router-create DMZ-router
> quantum router-create non-DMZ-router
> quantum router-interface-add DMZ-router DMZ DMZ-Subnet1
> quantum router-interface-add non-DMZ-router nonDMZ-Subnet1
>
> quantum router-gateway-set DMZ-router DMZ-net
> quantum router-gateway-set non-DMZ-router non-DMZ
>
> On Thu, Apr 4, 2013 at 10:51 AM, David Kang < dk...@isi.edu > wrote:
>
> Hi Aaron,
>
> Thank you for your reply.
>
> We deploy one (quantum) subnet as a DMZ network and the other
> (quantum) subnet as a non-DMZ network.
> They are routed to the network node where quantum services (dhcp, l3,
> linuxbridge) are running.
> They can talk to each other through the network node, now.
>
> However, we do not want the network node to route the traffic
> between them directly.
> Instead we want them to be routed to different (external) routers such
> that we can apply filtering/firewall/etc. on the traffic from the DMZ network.
>
> Do you think it is possible using two l3-agents or any other way?
> Currently, I manually set up routings for those two subnets.
>
> Thanks,
> David
>
> ----- Original Message -----
> > Hi David,
> >
> > The quantum network node would route traffic between the non-DMZ-DMZ
> > network if both of those subnets are uplinked to the same quantum
> > router. I believe if you create another router for your dmz hosts
> > then traffic in/out of that network should route out to your physical
> > infrastructure which will go through your router to do filtering.
> >
> > Thanks,
> >
> > Aaron
> >
> > On Wed, Apr 3, 2013 at 8:26 AM, David Kang < dk...@isi.edu > wrote:
> >
> > Hi,
> >
> > We are trying to set up Quantum network for non-DMZ and DMZ networks.
> > The cloud has both non-DMZ networks and a DMZ network.
> > We need to route traffic from the DMZ network to a specific router
> > before it reaches anywhere else in non-DMZ networks.
> > However, Quantum Network Node routes the traffic between DMZ network
> > and non-DMZ network within itself by default.
> > Has anybody configured Quantum for this case?
> > Any help will be appreciated.
> > We are using Quantum linuxbridge-agent.
> >
> > Thanks,
> > David
> >
> > --
> > ----------------------
> > Dr. Dong-In "David" Kang
> > Computer Scientist
> > USC/ISI
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack@lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp
>
> --
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI

--
----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI
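
An added example, not part of the thread and not Quantum code: a small model of the forwarding decision described above, showing why a single routing table that holds both connected subnets never sends DMZ traffic to the external gateway, and a check that flags this from `ip route show` text. The interface names, the 192.0.2.0/24 uplink and both route tables are constructed for illustration; only the two 10.12.x subnets come from the thread.

```python
import ipaddress

# Constructed `ip route show` output for a network node WITHOUT namespaces:
# both subnets from the thread are connected routes in one shared table.
SHARED_TABLE = """\
default via 192.0.2.1 dev eth0
10.12.83.0/24 dev brq-dmz proto kernel scope link src 10.12.83.1
10.12.84.0/24 dev brq-int proto kernel scope link src 10.12.84.1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""

# Constructed table for an isolated DMZ router (its own namespace or host):
# it knows only the DMZ subnet and the uplink.
DMZ_ONLY_TABLE = """\
default via 192.0.2.1 dev eth0
10.12.83.0/24 dev brq-dmz proto kernel scope link src 10.12.83.1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""


def parse_routes(text):
    """Return [(network, gateway_or_None, device)] from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies to a forwarded packet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def bypasses_gateway(table_text, dst):
    """True if dst matches a connected route, so no gateway (firewall) sees it."""
    route = lookup(parse_routes(table_text), dst)
    return route is not None and route[1] is None


if __name__ == "__main__":
    for name, table in (("shared", SHARED_TABLE), ("dmz-only", DMZ_ONLY_TABLE)):
        verdict = "local bypass" if bypasses_gateway(table, "10.12.84.20") else "via gateway"
        print(name, lookup(parse_routes(table), "10.12.84.20"), verdict)
```

Running the same check against the real output of `ip route show` on the network node shows whether a DMZ-to-non-DMZ destination still resolves to a connected route after the second router is added.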