Source NAT, or SNAT for short, is the method of changing the source address of a packet as it leaves the interface of a router. When a Neutron router is allocated an IP address from an external network using the `router-gateway-set` command, the IP is used in source NAT operations. The source IP of traffic from virtual machine instances to external networks will be translated to the router's address when the instances do not have 1-to-1 floating IPs configured. All routers in Neutron, whether they are standalone, HA, or distributed, support SNAT.
In this demonstration, the following provider and tenant networks are created:
Using the `--distributed=true` option, a distributed virtual router is created:
In this environment, the L3 agent on the controller is in `dvr_snat` mode and serves as the centralized SNAT node. Attaching the router to the `TENANT_NET` tenant network results in the router being scheduled to the controller node:
When an instance is spun up in the tenant network, the router is also scheduled to the respective compute node:
At this point, the controller node and the compute node each have a `qrouter` namespace that corresponds to the `MyRouter-DVR` router. Attaching the router to the external network using the `router-gateway-set` command results in the creation of a `snat` namespace on the controller node. Now, on the controller node, two namespaces exist for the same router, `snat` and `qrouter`:
This configuration can be represented by the following diagram:
The `qrouter` namespace on the controller node is identical to the `qrouter` namespace on the compute node and is used to service DHCP, load balancer, and other traffic that traverses this host. The `snat` namespace is for the centralized SNAT service.
Within the `qrouter` namespace, observe the following interfaces, `lo` (loopback) and `qr`:
Unlike the `qrouter` namespace of a legacy router, there is no `qg` interface even though the router is attached to the external network.
However, take a look inside the `snat` namespace:
Inside the `snat` namespace, you will find the `qg` interface that is used to handle outgoing traffic from virtual machine instances. In addition to the `qg` interface, there is now a new interface with the prefix `sg`. A virtual router will have a `qr` interface and a new `sg` interface for every internal network it is connected to. The `sg` interfaces are used as an extra hop when traffic is source NAT'd, and this will be explained in further detail in the following sections.
When a virtual machine instance without a floating IP sends traffic destined to an external network, such as the Internet, it hits the local `qrouter` namespace on the compute node and is routed to the `snat` namespace on the centralized network node. To accomplish this task, special routing rules are put in place within the `qrouter` namespaces.
Linux offers a routing policy database made up of multiple routing tables and rules that allow for intelligent routing based on destination and source addresses, IP protocols, ports, and more. There are source routing rules for every subnet that a virtual router is attached to.
In this demonstration, the router is attached to a single tenant network: 10.30.0.0/24. Take a look at the main routing table within the `qrouter` namespace on compute01:
Note that there is no default route in the main routing table.
On the compute node, use the `ip rule` command from within the `qrouter` namespace to list additional routing tables and rules created by the Neutron agent:
The table numbered `169738241` is created by Neutron. The additional routing table is consulted and a default route is found:
From this output, we can see that `10.30.0.4` is the default gateway address and corresponds to the `sg` interface within the `snat` namespace on the centralized node. When traffic reaches the `snat` namespace, the source NAT is performed and the traffic is routed out of the `qg` interface.
In the following example, the green VM sends traffic to `8.8.8.8`, a Google DNS server, as shown in the following diagram:

| Source MAC | Destination MAC | Source IP | Destination IP |
|---|---|---|---|
| Green VM | Green router interface ( | Green VM | 8.8.8.8 (Google DNS) |
When traffic arrives at the local `qrouter` namespace, the main routing table is consulted. The destination IP, 8.8.8.8, does not match any directly connected subnet and a default route does not exist. Secondary routing tables are then consulted, where a match is found based on the source interface. The router then routes the traffic from the green VM to the green interface of the SNAT namespace, `sg1`, through the east-west routing mechanisms covered earlier in this chapter:

| Source MAC | Destination MAC | Source IP | Destination IP |
|---|---|---|---|
| Green router interface ( | Green SNAT interface ( | Green VM | 8.8.8.8 (Google DNS) |
When traffic enters the `snat` namespace, it is routed out the `qg` interface. The iptables rules within the namespace change the source IP and MAC addresses to those of the `qg` interface to ensure that the traffic is routed back properly:

| Source MAC | Destination MAC | Source IP | Destination IP |
|---|---|---|---|
| External SNAT interface ( | Physical default gateway | External SNAT interface ( | 8.8.8.8 (Google DNS) |
When the remote destination responds, a combination of flow rules on the centralized network node and compute node ensures that the response is routed back to the green VM with the proper IP and MAC addresses in place.