I have the following setup:
VM1---NET1---VM2---NET2---VM3
VM2 can ping both VM1 and VM3. However, when pinging from VM1 to VM3, the packets are forwarded by VM2 but never reach VM3 (i.e., they are dropped by NET2 since tcpdump shows that packets are sent out from the NET2 interface of VM2).
The same happens when pinging from VM3 to VM1. The packets reach VM2, then VM2 forwards them to VM1, but they never reach VM1.
It looks like NET2 does not allow packets with srcIP of NET1 to go through. The same with NET1 filtering packets with srcIP of NET2.
This is how we create each network in our heat template.
    net1:
      type: OS::Neutron::Net
      properties:
        name: net1_name
    net1_subnet:
      type: OS::Neutron::Subnet
      properties:
        network_id: { get_resource: net1 }
        cidr: { get_param: net1_cidr }
Is there a way to make packets flow from NET1 to NET2 via VM2 acting as a router?
Thanks!
========== Update ==========
It looks like I found a solution: adding the IPs of VM1 and VM3 to the "allowed_address_pairs" of the ports (OS::Neutron::Port) of VM2.
    VM2_left_port:
      type: OS::Neutron::Port
      properties:
        allowed_address_pairs: [{"ip_address": { get_param: VM3_IP }}]
        network: ...
        fixed_ips: ...
    VM2_right_port:
      type: OS::Neutron::Port
      properties:
        allowed_address_pairs: [{"ip_address": { get_param: VM1_IP }}]
        network: ...
        fixed_ips: ...
The question is whether this is the correct way to allow routing (using VM2 as a router) between the two networks.
So the problem was actually the "port_security" feature of OpenStack that blocks traffic from one subnet to another. In order to allow packets to flow between the subnets, the following options can be used as an alternative to the approach I proposed in the question ("allowed_address_pairs").
    VM2_left_port:
      type: OS::Neutron::Port
      properties:
        security_groups: []
        port_security_enabled: False
        network: ...
        fixed_ips: ...
    VM2_right_port:
      type: OS::Neutron::Port
      properties:
        security_groups: []
        port_security_enabled: False
        network: ...
        fixed_ips: ...
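The two approaches above differ in how much of Neutron's anti-spoofing they give up: allowed_address_pairs keeps port security on and only whitelists the remote subnet's addresses, while port_security_enabled: False removes the filter (and the security groups) entirely. As an added example that is not part of the question or answer, the following audit walks a Heat template (constructed inline, already parsed into a dict as yaml.safe_load would produce, with hypothetical port names and addresses) and reports router ports that disable port security or whitelist more than the expected remote subnet, so the least-privilege variant can be verified before the stack is deployed.

```python
import ipaddress

# Constructed Heat template, already parsed into a dict (e.g. by yaml.safe_load).
# Port names and addresses are hypothetical; the first two ports mirror the two
# variants from the thread, the third shows an over-broad allowed_address_pairs.
TEMPLATE = {"resources": {
    "VM2_left_port": {"type": "OS::Neutron::Port", "properties": {
        "network": "net1", "allowed_address_pairs": [{"ip_address": "10.0.2.10"}]}},
    "VM2_right_port": {"type": "OS::Neutron::Port", "properties": {
        "network": "net2", "security_groups": [], "port_security_enabled": False}},
    "VM2_wild_port": {"type": "OS::Neutron::Port", "properties": {
        "network": "net2", "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]}},
}}

# Per network, the only remote subnet a router port should be allowed to forward
# with as source address (constructed values: net1 sees VM3's subnet, net2 sees VM1's).
REMOTE_CIDR = {"net1": "10.0.2.0/24", "net2": "10.0.1.0/24"}


def audit_ports(template, remote_cidr):
    """Return (port_name, finding) tuples for ports whose anti-spoofing is too open."""
    findings = []
    for name, res in template.get("resources", {}).items():
        if res.get("type") != "OS::Neutron::Port":
            continue
        props = res.get("properties", {})
        if props.get("port_security_enabled") is False:
            # No security groups and no source-address filtering at all on this port.
            findings.append((name, "port_security_disabled"))
            continue
        expected = remote_cidr.get(props.get("network"))
        for pair in props.get("allowed_address_pairs", []):
            # An entry may be a single IP or a CIDR; normalise both to a network.
            entry = ipaddress.ip_network(pair["ip_address"], strict=False)
            if entry.prefixlen == 0:
                findings.append((name, "wildcard_pair"))
            elif expected and not entry.subnet_of(ipaddress.ip_network(expected)):
                findings.append((name, "pair_outside_expected_subnet"))
    return findings
```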