gueswhat2 | is it ok to have neutron_external_interface as a wan interface ( public ips ) and at the same time also as a lan interface ( 10.0.0.0/8 network reachable only from vpn ) | 09:07 |
admin1 | gueswhat2, you don't have enough interfaces ? | 10:31 |
admin1 | you can only have 1 interface also .. give the interface (as raw) to neutron for its vlan for flat networking, and with vlan tags, have tagged traffic for api, storage and east-west (guest to guest traffic ) | 10:32 |
admin1 | and the ips itself don't know if they are public or private and behave differently .. they are just ips .. so based on your router and its firewall/routing rules, you can do any traffic management you want | 10:33 |
admin1 | so from the same interface, you can add 2 networks .. one called say public and one called lan .. with 2 diff subnets ( either public or private) and from your router/firewall, make it accessible or unaccessible via vpn | 10:33 |
gueswhat2 | admin1: i have, i just need to do a proper design ... i have single node (1TB ram, 64cores), thats why i am using proxmox and nested virtualization, openstack is behind pfsense and neutron_external_interface is bridged to same bridge as pfsense wan | 10:34 |
admin1 | if its bridged to the same as wan, you will have no issues running public | 10:36 |
gueswhat2 | wait i sec, ill try to create a diagram | 10:36 |
admin1 | you may be able to pass tagged traffic as well, where the tag ends in pfsense | 10:36 |
gueswhat2 | *a | 10:36 |
gueswhat2 | *draw | 10:37 |
admin1 | my article from 2016 .. instead of pfsense, i used vyos and instead of proxmox, kvm .. https://www.openstackfaq.com/openstack-dev-server-setup-ubuntu/ | 10:37 |
admin1 | but i also have one same setup .. without proxmox, but with pfsense | 10:37 |
admin1 | where my tags end in the pfsense and pfsense takes care of the end routing and nat | 10:37 |
admin1 | gueswhat2, use draw.io :) | 10:40 |
gueswhat2 | too late :( it would take long time, but ill try to recreate it | 10:45 |
gueswhat2 | https://ibb.co/gvXTtzd | 10:45 |
gueswhat2 | this one is probably minimal setup, right ? | 10:46 |
admin1 | minimal setup is a single vm :) | 10:46 |
admin1 | all inside a single server.. with proxmox or anything else | 10:46 |
gueswhat2 | i googled your article few days ago :) | 10:47 |
gueswhat2 | unfortunately i started with openstack a month ago | 10:47 |
admin1 | add a network and then run tcpdump and check how the traffic is going on | 10:48 |
admin1 | and you will know like whats happening | 10:48 |
gueswhat2 | so its overwhelming for me, but so far its working with public external interface ( magnum clusters with integrated cinder, keystone, barbican and octavia ) | 10:49 |
gueswhat2 | problem is that what if i want to expose instances also on 10.0.0.0/8 network... | 10:49 |
admin1 | is your external network vlan based or flat ? | 10:49 |
gueswhat2 | flat | 10:49 |
gueswhat2 | still can not understand benefit of using vlans in my use case | 10:49 |
admin1 | those vlans are internal in your usecase .. they originate from os and terminate at pfsense | 10:50 |
admin1 | but then you can add multiple external networks ( 1 for each vlan ) like public, public-vpn, public-wireguard , private etc | 10:50 |
admin1 | without worrying about layer2 conflicts | 10:51 |
gueswhat2 | but vlan would work in lan only in my use case, right ? cuz i believe there is not point to use vlans for wan ? | 10:58 |
gueswhat2 | to have lan-external vlan and lan-management | 10:58 |
admin1 | all your network terminates at the pfsense | 11:00 |
admin1 | so .. did you add the 2nd lan subnet ? | 11:01 |
gueswhat2 | i dont know if this design is correct | 11:01 |
admin1 | many years ago i checked .. you cannot add 2 flat networks in the same network card .. only 1 network as flat and then add multiple subnets in there .. and you have to select the right subnet if you want to force it to an ip | 11:02 |
admin1 | changing to vlan allows you to add as many diff networks as needed in the same interface | 11:02 |
admin1 | so in your case, since you have just 1 network, its better to use vlans and then create 2 diff external networks called ext-public and ext-vlan | 11:03 |
admin1 | and in the pfsense, you just add the vlan in the bridge and add its corresponding .1 | 11:03 |
admin1 | but if its a different interface in OS ( not used for public but for lan) then you can add the 2nd network in the 2nd card as flat as well | 11:04 |
admin1 | without the need for vlan | 11:04 |
admin1 | as per your diagram, that is what you want ? | 11:04 |
gueswhat2 | i can add as many network cards as i want in proxmox, thats not a problem | 11:08 |
gueswhat2 | but wan, its not possible to use vlans or at least i dont understand them well | 11:09 |
gueswhat2 | admin1 https://viewer.diagrams.net/?tags=%7B%7D&highlight=0000ff&edit=_blank&layers=1&nav=1#G1KM4CzO7RgY8JoRtY4QZu7HPgPlyeB80O | 11:16 |
gueswhat2 | this one is public link https://drive.google.com/file/d/1KM4CzO7RgY8JoRtY4QZu7HPgPlyeB80O/view?usp=sharing | 11:17 |
gueswhat2 | pfsense vpn allows to access whole lan network | 11:18 |
admin1 | map the 2nd interface to a network name, then just add the flat lan network to openstack | 11:22 |
admin1 | treat it just like you added the public one | 11:22 |
gueswhat2 | so adding vlans in os and map them in openstack as flat lans, right ? but this will not work for management, right ? for kolla_internal_vip_address and network_interface | 11:26 |
admin1 | wait .. forget vlans now .. since your os is running | 11:30 |
admin1 | and you have a diff interface for lan traffic | 11:31 |
admin1 | so just add a new network again as flat but on the new interface ( and not the one used for public ) | 11:31 |
gueswhat2 | like this https://drive.google.com/file/d/1KM4CzO7RgY8JoRtY4QZu7HPgPlyeB80O/view?usp=sharing ? | 11:37 |
gueswhat2 | i have nothing production ready yet, and i dont want to overcomplicate things | 11:38 |
gueswhat2 | and there are more questions like what interface will i use in case of enabled swift, designate, cuz these are requiring public interfaces too | 11:39 |
gueswhat2 | i just want to be able to spin instances in 10.0.0.0/8 reachable only from vpn and then in public network reachable from internet | 11:40 |
admin1 | openstack will assign ips at random for your instances . how are you making sure that proxmox does not assign the same ips ? | 11:42 |
gueswhat2 | yes, but i can define address pools in openstack, cant i ? ( and i am admin of proxmox ) baremetal has only one NIC ( except IPMI ofc ) | 11:56 |
gueswhat2 | or do you have any other ideas? networking isnt my strong side.. | 11:57 |
gueswhat2 | and i am using proxmox, cuz its lightweight, kvm and bash scripting isn't necessary i believe, proxmox is used only for virtualization for pfsense, single vm and openstack itself, everything else is hosted directly in openstack | 11:58 |
admin1 | will work .. | 12:12 |
admin1 | how do you plan to grow it in future ? | 12:12 |
admin1 | instead of all in one, you can create 2 vms .. one for openstack controller and one for compute .. and then it might allow you to grow in future | 12:14 |
gueswhat | single controller and single compute node sounds good, i dont plan to grow, i dont even need persistence, but who knows.. | 12:32 |
gueswhat | its still better than setting docker limits for controller containers | 12:33 |
gueswhat | but like i said before, i am working with openstack only one month so far | 12:33 |