[ovs-discuss] OpenVswitch and iptables DNAT : problems

Benoit ML ben42ml at gmail.com
Thu Apr 14 08:01:01 UTC 2011


Hi,

Same bridge but different vlan. Thanks for your answer.

Well, I've done some other tests with interesting results.

First, in fact my network topology is quite complex:
I've got an x86 server (call it Vswitch BrCentral) where all the vswitches of
the hypervisors are connected through GRE tunnels.


                              WAN
                               |
                               |   access port vlan 2 - connected to a physical switch
                               |   Openvswitch has a dedicated eth for this.
                       [x86 - brcentral]
                          /          \
     GRE Tunnel   ===>   /            \
     physical vlan 40   /              \
                       /                \
            [hyperV - br0]          [hyperV - br0]
               /      \
              /        \
             /          \
        [VM FW]      [VM WEB]


The VMs have the network topology I presented before:
                        For the VM FW, two interfaces on two different VLANs.
                        For the VM WEB, only one interface.

The GRE tunnels carry all network traffic; on OpenVswitch they are configured as
trunk=[0].

So the crappy connection with the DNAT is present in this network
configuration.


But, and this is the interesting point: if I move one of the VMs to another
hypervisor (and vswitch br0), the DNAT works very well. Very good response
time.

                                 WAN
                                  |
                                  |   access port vlan 2 - connected to a physical switch
                                  |   Openvswitch has a dedicated eth for this.
                          [x86 - brcentral]
                             /          \
        GRE Tunnel   ===>   /            \
        trunk=[0]          /              \
                          /                \
               [hyperV - br0]          [hyperV - br0]
  multiple if        /                        \
  multiple vlan     /                          \
                   /                            \
              [VM WEB]                        [VM WEB]


I hope it's relatively clear ;)

Of course I have more hypervisors and VMs than in the ASCII art schema ;)

Regards,


2011/4/13 Jesse Gross <jesse at nicira.com>

> On Wed, Apr 13, 2011 at 7:16 AM, Benoit ML <ben42ml at gmail.com> wrote:
> > Hello,
> >
> > I've got a problem with openVswitch and iptables/DNAT
> >
> > On a hypervisor with openvswitch, I have two VMs.  One of these VMs is a
> > Linux firewall and the other a web server.
> > The network topology is simple:
> >                  == LAN ==
> >                          |
> >                          |
> >                          |  LAN IP : 10.x.x.x
> >                  [VM Firewall]
> >                          |  Pv IP : 192.168.7.1
> >                          |
> >                          |
> >                          | Pv IP : 192.168.7.10
> >               [VM WebServer]
>
> The interfaces on the LAN side and private sides are divided into two
> different Open vSwitch bridges or vlans, correct?  Assuming that is
> the case, there should be no interactions between Open vSwitch and
> iptables since they are running in different VMs.
>