Numan, thanks for clarification, I didn't know that both approaches use OVS
conntrack the same way
Now I think we'll do that.
On Wed, Jul 24, 2024 at 6:28 PM Numan Siddique <num...@ovn.org> wrote:
> On Wed, Jul 24, 2024 at 11:15 AM Ildar Isangulov via discuss
> <ovs-discuss@openvswitch.org> wrote:
> >
> > Hi, Justin! Sorry, didn't notice your reply
> >
> > I will review this
> >
> > Regards,
> > Ildar, network engineer
> >
> > On Wed, Jul 24, 2024 at 6:07 PM Ildar Isangulov <
> ildarvildanovich...@gmail.com> wrote:
> >>
> >> Hi Numan, thanks for your reply, here more details as you requested
> >>
> >> This is a structure of NAT table in the OVN NB Database in my
> production environment
> >>
> >> # ovn-nbctl --no-l list nat <some rule>
> >> _uuid :
> >> allowed_ext_ips :
> >> exempted_ext_ips : []
> >> external_ids :
> >> external_ip :
> >> external_mac : []
> >> external_port_range : ""
> >> gateway_port : []
> >> logical_ip :
> >> logical_port : []
> >> options : {}
> >> type :
> >>
> >> OVN version
> >>
> >> # ovn-nbctl -V
> >> ovn-nbctl 24.03.2
> >> Open vSwitch Library 3.3.0
> >> DB Schema 7.3.0
> >>
> >> So, my use case is to be able to create DNAT rules like this (example):
> >>
> >> A user connects via public IP and some port, let's say 22222, and the
> gateway does DNAT translation and modifies headers:
> >> public IP -> private IP of VM
> >> external port (22222) -> ssh tcp port (22)
> >>
> >> But OVN can do only 1:1 DNAT translations, in other words port 22222 to
> port 22222, and this way we can expose only one VM using one public IP
> address
> >>
> >> Solution, as shown in a guide I shared demonstrates how to solve this
> using load balancers, but I want to try a more lightweight solution for
> comparison.
> >>
>
> OK. Thanks for the details.
>
> OVN DNAT (i.e NAT of type "dnat" or "dnat_and_snat") maps one public
> IP to one internal VM IP. Seems to me using OVN load balancers is
> the right way
> for your use case.
> i.e PUBLIC IP : 22222 = [VM1 : 22, VM2 : 22, VM3 : 22, ...]
>
> As I said previously, there is no real difference in the
> implementation of OVN NAT and OVN Load balancers. We use OVS
> conntrack internally and it should
> not have any impact in terms of performance. Both are of the same weight.
>
> Thanks
> Numan
>
>
> >> Regards,
> >> Ildar, network engineer
> >>
> >> On Wed, Jul 24, 2024 at 5:33 PM Numan Siddique <num...@ovn.org> wrote:
> >>>
> >>> On Wed, Jul 24, 2024 at 9:41 AM Justin Lamp via discuss
> >>> <ovs-discuss@openvswitch.org> wrote:
> >>> >
> >>> > Hey,
> >>> >
> >>> > we would be in favor of that as well. It was actually possible to do
> >>> > such a thing in the past, but only due to a bug, and we unfortunately
> >>> > rely on that as many customers need to have ports from the routers
> >>> > public ip forwarded to their VPN appliance.
> >>> >
> >>> > https://github.com/ovn-org/ovn/issues/233
> >>> >
> >>> > Thanks and best regards,
> >>> > Justin Lamp
> >>> >
> >>> > Am 24.07.24 um 13:18 schrieb Ildar Isangulov via discuss:
> >>> > > Hi everyone!
> >>> > >
> >>> > > I would like to ask the community about the implementation of DNAT
> in
> >>> > > OVN. A few months ago, I read this topic
> >>> > > (
> https://www.flaviof.com/blog2/post/main/openstack-port-forwarding/).
> >>> > > Author shows how to configure DNAT translations using
> implementation
> >>> > > with Load-balancer.
> >>> > >
> >>> > > My question is: is it the only one way to do DNAT in OVN? Maybe
> there
> >>> > > is some way to configure it using either native nat rules on
> >>> > > logical-router or OVS logical-flows?
> >>>
> >>> Hi,
> >>>
> >>> I'm a little confused here. OVN does support DNAT in the logical
> router.
> >>> Please see the NAT table in the OVN NB Database.
> >>>
> >>> Also note that OVN implements NAT and load balancer features using OVS
> >>> conntrack.
> >>> So its essentially the same underneath.
> >>>
> >>> Can you please explain your use case in more detail?
> >>>
> >>> Thanks
> >>> Numan
> >>>
> >>> > >
> >>> > > Regards,
> >>> > > Ildar, network engineer
> >>> > >
> >>> > > _______________________________________________
> >>> > > discuss mailing list
> >>> > > disc...@openvswitch.org
> >>> > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > Justin Lamp
> >>> > Systems Engineer
> >>> >
> >>> > NETWAYS Managed Services GmbH | Deutschherrnstr. 15-19 | D-90429
> Nuernberg
> >>> > Tel: +49 911 92885-0 | Fax: +49 911 92885-77
> >>> > CEO: Julian Hein, Bernd Erk, Sebastian Saemann | AG Nuernberg
> HRB25207
> >>> > https://www.netways.de | justin.l...@netways.de
> >>> >
> >>> > ** Meet us at it-sa - https://www.netways.de/it-sa-2024/ **
> >>> > ** OSMC 2024 - November | Nuremberg - https://osmc.de **
> >>> > ** stackconf 2025 - Stay Tuned for 2025 - https://stackconf.eu **
> >>> > ** NETWAYS Web Services - https://nws.netways.de **
> >>> > ** NETWAYS Trainings - https://netways.de/trainings **
> >>> > _______________________________________________
> >>> > discuss mailing list
> >>> > disc...@openvswitch.org
> >>> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> >
> > _______________________________________________
> > discuss mailing list
> > disc...@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
