So I ran into an issue after loading up a vSRX and a virtual F5 Big IP in OpenStack. I set up the virtual appliances as the gateway for my other instances, but their packets were not traversing across the other networks if they were routed by my vSRX or vBigIP.
To eliminate all other factors, I went ahead and enabled ping on all interfaces and moved them all into the trusted zone of the SRX. Then I attempted to ping the other interfaces of the firewall that were in the other subnets. They all failed, but the SRX showed that it received the packets and sent the replies. I experienced the same thing on the virtual instance of Big IP. That led me to believe it was failing on the virtual switch in OpenStack.
It turns out that Neutron port security is enabled by default. Port security is the per-port anti-spoofing filter: besides the security group rules, it drops any frame leaving a port whose source MAC or IP is not the port's own fixed address. A virtual firewall or router forwards packets with other instances' source addresses, so the virtual switch silently discards them. Port security therefore has to be disabled on the appliance's ports (or the routed prefixes have to be whitelisted with allowed address pairs, see the end of this post). To do this, perform the following.
First, delete any instances and networks you have created whose packets will need to be routed across your virtual firewall, and remove any security groups you have applied to the instances; they are recreated later, once the extension driver is loaded. Neutron will not disable port security on a port that still has a security group attached.
Next, edit /etc/neutron/plugins/ml2/ml2_conf.ini on the controller.
Right below [ml2] you will need to add extension_drivers = port_security. If the option is already present with other drivers (for example qos), append port_security to that comma-separated list instead of replacing it; the option is a single ordered list.
# An ordered list of extension driver entrypoints to be loaded from the
# neutron.ml2.extension_drivers namespace. For example: extension_drivers =
# port_security,qos (list value)
extension_drivers = port_security
After this is completed, restart the Neutron API server so the extension driver is loaded:
systemctl restart neutron-server
Now create the new tenant networks and attach the interfaces to your virtual firewall and the other instances. Find the port ID each interface has been assigned; it is easy to locate in the GUI, or with neutron port-list on the command line.
Once you have the port ID, execute the following to turn off port security on that port:
neutron port-update 2bf6b77b-627e-4fd0-8cd9-69dc0b27d65e --port-security-enabled=False
You can confirm the change with the following command; the output should show port_security_enabled as False and an empty security_groups list:
neutron port-show 1ee02bbe-4f87-4cb4-91e0-ced0ef691e1c
Once this is completed on all of the firewall's interfaces, the routing issue should be resolved.
Disabling port security removes both security groups and the anti-spoofing filter from that port entirely, so it will forward traffic from any source address. A firewall does not really need security groups, but if you want to keep some restriction, leave port security enabled and instead add allowed address pairs for the subnets the firewall will forward. Note that Neutron requires port security to be enabled on a port that has allowed address pairs, so the two approaches are alternatives, not complements.
neutron port-update 'Port UUID' --allowed_address_pairs list=true type=dict ip_address='ip or CIDR'
Apply this to all ports that will be used to route traffic, listing each routed subnet (or a summary prefix covering them) rather than 0.0.0.0/0, which would switch the anti-spoofing check off again.
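The following is an added example, not code from the original post, that turns the per-port procedure above into a small planner. It reads a port as the newer openstack CLI returns it (openstack port show -f json; the field names id, port_security_enabled, security_group_ids and allowed_address_pairs are assumed from that output) and prints the openstack port set commands needed for either strategy: keep port security on and add only the allowed address pairs that are not already covered, or strip security groups and pairs and disable port security. The sample port dict, its UUIDs and addresses are constructed for the example; the script only talks to Neutron when given --apply.

```python
"""Plan the Neutron port changes a virtual firewall's interface needs.

Input is the dict from `openstack port show -f json <port>` (assumed keys:
id, port_security_enabled, security_group_ids, allowed_address_pairs).
Strategies:
  pairs   - keep port security on; add allowed address pairs for the
            subnets the appliance will route (the restrictive option)
  disable - drop security groups and address pairs, then disable port
            security (the port then forwards traffic from any address)
"""
import ipaddress
import json
import subprocess
import sys

# Constructed sample in the shape of `openstack port show -f json`; the
# UUIDs, MAC and addresses are made up for this example.
SAMPLE_PORT = {
    "id": "0f3c2a7e-5b1d-4e8a-9c6f-1a2b3c4d5e6f",
    "port_security_enabled": True,
    "security_group_ids": ["7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d"],
    "fixed_ips": [{"ip_address": "10.10.10.1",
                   "subnet_id": "c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f"}],
    "allowed_address_pairs": [
        {"ip_address": "10.10.20.0/24", "mac_address": "fa:16:3e:aa:bb:cc"},
    ],
}


def covered(cidr, pairs):
    """True if `cidr` already falls inside one of the port's allowed address pairs."""
    net = ipaddress.ip_network(cidr, strict=False)
    for pair in pairs:
        allowed = ipaddress.ip_network(pair["ip_address"], strict=False)
        if allowed.version == net.version and net.subnet_of(allowed):
            return True
    return False


def missing_pairs(port, cidrs):
    """Routed prefixes that the port's anti-spoofing filter would still drop."""
    return [c for c in cidrs if not covered(c, port.get("allowed_address_pairs") or [])]


def plan(port, cidrs, strategy="pairs"):
    """Return the `openstack port set` argv lists to run, in order."""
    pid = port["id"]
    psec_on = port.get("port_security_enabled", True)
    cmds = []
    if strategy == "pairs":
        if not psec_on:
            # Neutron rejects allowed address pairs on a port with port security off.
            cmds.append(["openstack", "port", "set", "--enable-port-security", pid])
        for cidr in missing_pairs(port, cidrs):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                # 0.0.0.0/0 or ::/0 as a pair disables anti-spoofing entirely;
                # list the real transit prefixes instead.
                raise ValueError("refusing catch-all prefix %s" % cidr)
            cmds.append(["openstack", "port", "set", "--allowed-address",
                         "ip-address=%s" % cidr, pid])
    elif strategy == "disable":
        flags = []
        if port.get("security_group_ids"):
            flags.append("--no-security-group")   # required before disabling
        if port.get("allowed_address_pairs"):
            flags.append("--no-allowed-address")  # pairs need port security on
        if psec_on:
            flags.append("--disable-port-security")
        if flags:  # nothing to do on a port that is already open
            cmds.append(["openstack", "port", "set"] + flags + [pid])
    else:
        raise ValueError("unknown strategy %r" % strategy)
    return cmds


def fetch_port(port_id):
    """Read the port through the openstack CLI (needs OS_* auth in the environment)."""
    out = subprocess.run(["openstack", "port", "show", "-f", "json", port_id],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def run_plan(cmds, dry_run=True):
    """Print each command; execute it only when dry_run is False."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # usage: plan_port.py <port-id> pairs|disable [<cidr> ...] [--apply]
    args = [a for a in sys.argv[1:] if a != "--apply"]
    if len(args) < 2:
        sys.exit(__doc__)
    run_plan(plan(fetch_port(args[0]), args[2:], args[1]),
             dry_run="--apply" not in sys.argv)
```

Run it once per appliance port with the subnets that port will forward. In the pairs strategy, an existing broader pair (say 10.10.20.0/24) already covers a narrower routed subnet such as 10.10.20.128/25, so it is skipped; the disable strategy emits a single port set call that clears the security groups and pairs in the same request that turns port security off, which is the order Neutron insists on.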