From issues-return-92794-archive-asf-public=cust-asf.ponee.io@cloudstack.apache.org Tue May 29 21:27:07 2018
Date: Tue, 29 May 2018 19:27:00 +0000 (UTC)
From: "Sean Lair (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Subject: [jira] [Updated] (CLOUDSTACK-10379) Using Source NAT option on Private Gateway does not work

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-10379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Lair updated CLOUDSTACK-10379:
-----------------------------------
    Description: 
There is a bug in the Private Gateway functionality when Source NAT is enabled for the Private Gateway. When the SNAT is added to iptables, it has the source CIDR of the private gateway subnet. Since no VMs live in that private gateway subnet, the SNAT doesn't work. Below is an example:

* VMs have IP addresses in the 10.0.0.0/24 subnet.
* The Private Gateway address is 10.101.141.2/30

See the outputs below; see how the SOURCE field for the new SNAT (eth3) only matches if the source is 10.101.141.0/30? Since the VM has an IP address in 10.0.0.0/24, the VMs don't get SNAT'd as they should when talking across the private gateway. The SOURCE should be set to ANYWHERE.

BEFORE ADDING PRIVATE GATEWAY
-----------------------------------------------
{code:java}
Chain POSTROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   736 SNAT       all  --  any    eth2    10.0.0.0/24          anywhere             to:10.0.0.1
   16  1039 SNAT       all  --  any    eth1    anywhere             anywhere             to:46.99.52.18
{code}

AFTER ADDING PRIVATE GATEWAY W/ SNAT
-----------------------------------------------
{code:java}
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth3    10.101.141.0/30      anywhere             to:10.101.141.2
    2   736 SNAT       all  --  any    eth2    10.0.0.0/24          anywhere             to:10.0.0.1
   23  1515 SNAT       all  --  any    eth1    anywhere             anywhere             to:46.99.52.18
{code}

It looks like CsAddress.py treats the creation of the Private Gateway SNAT as if it is a GUEST network, which works fine, except for the SNAT problem shown above. Here is the code from MASTER (line 479 is the SNAT rule):

{code:java}
if self.get_type() in ["guest"]:
...
...
    self.fw.append(["nat", "front",
        "-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" %
        (guestNetworkCidr, self.dev, self.address['public_ip'])])
{code}

I am thinking we just change that to the following. I can't think of any reason we need the source/guest CIDR specified:

{code:java}
if self.get_type() in ["guest"]:
...
...
    self.fw.append(["nat", "front",
        "-A POSTROUTING -o %s -j SNAT --to-source %s" %
        (self.dev, self.address['public_ip'])])
{code}

THE NAT TABLE IF THE ABOVE CODE CHANGE IS MADE
-----------------------------------------------
{code:java}
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth3    anywhere             anywhere             to:10.101.141.2
    2   736 SNAT       all  --  any    eth2    anywhere             anywhere             to:10.0.0.1
   23  1515 SNAT       all  --  any    eth1    anywhere             anywhere             to:46.99.52.18
{code}

  was:
There is a bug in the Private Gateway functionality when Source NAT is enabled for the Private Gateway. When the SNAT is added to iptables, it has the source CIDR of the private gateway subnet. Since no VMs live in that private gateway subnet, the SNAT doesn't work. Below is an example:

* VMs have IP addresses in the 10.0.0.0/24 subnet.
* The Private Gateway address is 10.101.141.2/30

See the outputs below; see how the SOURCE field for the new SNAT (eth3) only matches if the source is 10.101.141.0/30? Since the VM has an IP address in 10.0.0.0/24, the VMs don't get SNAT'd as they should when talking across the private gateway. The SOURCE should be set to ANYWHERE.

BEFORE ADDING PRIVATE GATEWAY
-----------------------------------------------
{code:java}
Chain POSTROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   736 SNAT       all  --  any    eth2    10.0.0.0/24          anywhere             to:10.0.0.1
   16  1039 SNAT       all  --  any    eth1    anywhere             anywhere             to:46.99.52.18
{code}

AFTER ADDING PRIVATE GATEWAY W/ SNAT
-----------------------------------------------
{code:java}
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth3    10.101.141.0/30      anywhere             to:10.101.141.2
    2   736 SNAT       all  --  any    eth2    10.0.0.0/24          anywhere             to:10.0.0.1
   23  1515 SNAT       all  --  any    eth1    anywhere             anywhere             to:46.99.52.18
{code}

It looks like CsAddress.py treats the creation of the Private Gateway SNAT as if it is a GUEST network, which works fine, except for the SNAT problem shown above. Here is the code from MASTER (line 479 is the SNAT rule):

{code:java}
if self.get_type() in ["guest"]:
...
...
    self.fw.append(["nat", "front",
        "-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" %
        (guestNetworkCidr, self.dev, self.address['public_ip'])])
{code}

I am thinking we just change that to the following. I can't think of any reason we need the source/guest CIDR specified:

{code:java}
if self.get_type() in ["guest"]:
...
...
    self.fw.append(["nat", "front",
        "-A POSTROUTING -o %s -j SNAT --to-source %s" %
        (self.dev, self.address['public_ip'])])
{code}

THE NAT TABLE IF THE ABOVE CODE CHANGE IS MADE
-----------------------------------------------
{code:java}
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth3    anywhere             anywhere             to:10.101.141.2
    2   736 SNAT       all  --  any    eth2    anywhere             anywhere             to:10.0.0.1
   23  1515 SNAT       all  --  any    eth1    anywhere             anywhere
{code}


> Using Source NAT option on Private Gateway does not work
> --------------------------------------------------------
>
>                 Key: CLOUDSTACK-10379
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10379
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: VPC
>    Affects Versions: 4.9.0, 4.10.0.0
>         Environment: KVM
>            Reporter: Sean Lair
>            Priority: Minor
>              Labels: patch
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
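An added model of the rule matching described in the report (example code, not CsAddress.py or anything from the CloudStack project): it walks the POSTROUTING chains from the listings with iptables' first-match semantics and shows that a VM in 10.0.0.0/24 leaving eth3 is untouched by the current `-s 10.101.141.0/30` rule but rewritten by the proposed rule. The VM and "foreign" source addresses are constructed; the foreign case shows the side effect a reviewer would want to weigh: with `-s` dropped, every source routed out eth3 is SNATed, not only the guest tiers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SnatRule:
    """One `-A POSTROUTING [-s CIDR] -o DEV -j SNAT --to-source IP` rule."""
    out_dev: str              # -o <dev>
    source: Optional[str]     # -s <cidr>; None means "anywhere"
    to_source: str            # --to-source <ip>

    def matches(self, src_ip: str, out_dev: str) -> bool:
        if out_dev != self.out_dev:
            return False
        if self.source is None:
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


def build_rule(dev: str, public_ip: str, guest_cidr: Optional[str]) -> SnatRule:
    """The two forms of the rule CsAddress.py appends: with -s (master) and
    without -s (the change proposed in the report)."""
    return SnatRule(out_dev=dev, source=guest_cidr, to_source=public_ip)


def postrouting_snat(rules: List[SnatRule], src_ip: str, out_dev: str) -> Optional[str]:
    """Walk the chain top to bottom like iptables; the first SNAT match is
    terminal. Returns the rewritten source address, or None if no rule hit."""
    for rule in rules:
        if rule.matches(src_ip, out_dev):
            return rule.to_source
    return None


# The POSTROUTING chains transcribed from the report, in chain order.
CURRENT_RULES = [
    build_rule("eth3", "10.101.141.2", "10.101.141.0/30"),  # private gateway
    build_rule("eth2", "10.0.0.1", "10.0.0.0/24"),          # guest tier
    build_rule("eth1", "46.99.52.18", None),                # public side
]
# Same chain with the -s match removed, as the proposed change would produce.
PROPOSED_RULES = [build_rule(r.out_dev, r.to_source, None) for r in CURRENT_RULES]

VM_IP = "10.0.0.5"           # constructed: a VM inside the 10.0.0.0/24 tier
FOREIGN_IP = "192.168.50.7"  # constructed: a source outside every guest tier


def compare(src_ip: str, out_dev: str = "eth3"):
    """(current, proposed) rewrite result for one packet leaving out_dev."""
    return (postrouting_snat(CURRENT_RULES, src_ip, out_dev),
            postrouting_snat(PROPOSED_RULES, src_ip, out_dev))


if __name__ == "__main__":
    print("VM over private gateway:      ", compare(VM_IP))       # (None, '10.101.141.2')
    print("non-guest source over gateway:", compare(FOREIGN_IP))  # (None, '10.101.141.2')
```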