cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adrian Lewis <>
Subject RE: VPC Router without NAT (IPv4 or IPv6)
Date Fri, 13 Feb 2015 15:29:19 GMT
As a slightly different approach, would it be easier to allow us to delete
the 'public' shared network connected to the VPC VR and therefore allow us
to set the default route to a private gateway instead then? This would solve
my problem whilst leaving the current default 'public' connectivity alone. I
think that the concept of a 'public' network being defined as both the
destination for the default route as well as being a publicly routable IP
network (hence needing NAT) needs more flexibility. Both are not necessarily
the case.

I'm pretty sure this is not possible now (please tell me if I'm wrong) but
I'm trying to formulate a better thought out feature request for Jira.

We want to use the Cloudstack VPC concept to allow customers to create
whatever tiers they want to but for all of their WAN traffic to go via a
hardware gateway that performs a much richer set of features than can be
expected from a software VR (AV, IDS/IDP, Authentication, IPSec & SSL VPNs,
MPLS connections etc). This hardware gateway would be controlled
independently from ACS. The current workaround is for us to abandon the VPC
construct and create a bunch of shared networks assigned to the customer,
create all of the VLAN interfaces manually on the hardware gateway, and to
route between each network on the hardware gateway. The downside to this
approach is that a system VR is needed for every shared network created and
we have to do far more manual work on the hardware gateway on behalf of the
customer. Basically waaaaay more complicated than it needs to be simply
because we can't turn off NAT on the VPC VR (or set the default route for
the VR to a private gateway).

I'm simply trying to emulate the way that 95% of simple corporate networks
are structured (L3 core routing between VLANs with a transit network
connected to their firewalls) but it seems that I'm being forced into
working with concepts from home networks. There also does not seem to be a
way to use route summarisation in the VPC VR. If the tiers use a CIDR of, I should still be able to add a summarised static route to a
private gateway using a destination of The CloudStack
'intelligence' blocks me from doing this as it thinks it knows networking
better than I do. Currently if there are multiple subnets connected via a
private gateway, I have to either add in every single one manually or else
make multiple summarised subnets with various masks just to avoid the VPC

Does anyone have any insight (Wilder, Daan?) into how the VPC VRs currently
work so that we could potentially focus on either:
1. Allowing source NAT to be turned off from the public network connection
to the VPC VR or
2. Allowing the public connection to be deleted so that we can set the
default route to a private gateway (without source nat)?

As I mentioned in my original post, when working on IPv6, NAT should not be
used anyway so this issue is likely to come up again regardless of whether
anyone thinks my use case is worth investigation.

Thanks in advance,


-----Original Message-----
From: Sanjeev Neelarapu []
Sent: 13 February 2015 06:12
Subject: RE: VPC Router without NAT (IPv4 or IPv6)

As of now there is no way to disable NAT on VPC router.


-----Original Message-----
From: Adrian Lewis []
Sent: Thursday, February 12, 2015 4:58 PM
Subject: VPC Router without NAT (IPv4 or IPv6)


It’s been asked before but does anyone know of a way to completely disable
NAT (specifically source NAT) on a VPC router on 4.4 or 4.5? There doesn’t
sem to be an easy way to do this via the web interface. I’d like to use the
VPC router for multi-subnet L3 routing but the ‘public’ network would be a
transit network to a hardware firewall which does NAT for internet access.

With IPv6 NAT is generally considered as a no-no so I was wondering if
anyone knows if there are plans to let users be more in control of the
pre-defined networking scenarios that CS seems to try to enforce.

Perhaps a suggestion for GSOC?



View raw message