
Office Network Provider

Key Steps Overview

  • Admin creates the office network provider (with the 192.168.3.0/24 subnet).
  • Admin creates a router, office-router (attached to 192.168.3.0/24). The router uses SNAT to provide internet access and internal office connectivity for the tenants' VMs.
  • Tenants create private local-net networks for their VMs.
  • Admin attaches each local-net to the admin router (office-router).

Step-by-Step Configuration

Step 1: Admin Creates the "Office" Network Provider

One-time action (initial OpenStack configuration)

The admin creates the office network provider that assigns IPs from the 192.168.3.0/24 range.

Go to Admin > Networks > Create Network:

Field Value
Name: office
Project: admin
Provider Network Type: vlan
Physical Network: vlan (network provider name)
Enable Admin State: Checked
Shared: Checked
External Network: Checked
Create Subnet: Checked
Availability Zone: nova
MTU: leave_empty

Warning

vlan has to be defined in the provider_networks section in the openstack_user_config.yml

Field Value
Subnet Name: office-subnet
Network Address: 192.168.3.0/24
IP Version: IPv4
Gateway IP: 192.168.3.1
Disable Gateway: Unchecked

Field Value
Enable DHCP: Checked
Allocation Pools: 192.168.3.2,192.168.3.254
DNS Name Servers: leave_empty
Host Routes: leave_empty

Warning

The office network (192.168.3.0/24) is not managed by an external router (e.g., our FortiGate router), thus we need DHCP and IP address management for the devices connected to it. (DHCP should be checked for the office-subnet)

TODO!!!

This network is shared among all tenants, but we don't really need it to be directly accessible from user projects. We shall experiment with making this network private.

Equivalent CLI Command

openstack network create office \
          --project admin \
          --share \
          --external \
          --provider-network-type vlan \
          --provider-physical-network office \
          --provider-segment 10 

openstack subnet create office-subnet \
        --project admin \
        --network office \
        --subnet-range 192.168.3.0/24 \
        --gateway 192.168.3.1 \
        --allocation-pool start=192.168.3.2,end=192.168.3.254

Note

  • The subnet ensures that the 192.168.3.0/24 range is available for tenant routers.
  • This subnet allocates IPs from the 192.168.3.0/24 range. Floating IPs will be created from this range.

Step 2: Admin Creates the Shared "Office" Router

One-time step (initial OpenStack configuration)

Field Value
Router Name: office-router
Project: admin
Enable Admin State: Checked
External Network: public
Enable SNAT: Checked
Availability Zone Hints: nova

openstack router create office-router \
  --project admin \
  --external-gateway public \
  --enable-snat \
  --availability-zone-hint nova

Step 3: User creates the Tenant's Private Network (local-net)

Needs to be done every time a new client/user registers

Go to Project > Networks > Create Network:

Field Value
Name: local-net
Project: Jane.Doe-ws
Enable Admin State:
Create Subnet:
Availability Zone: nova
MTU: leave_empty

Field Value
Subnet Name: local-subnet
Network Address: 10.0.2.0/24
IP Version: IPv4
Gateway IP: 10.0.2.1
Disable Gateway:

Field Value
Enable DHCP:
Allocation Pools: leave_empty
DNS Name Servers: 8.8.8.8
Host Routes: leave_empty

openstack network create local-net --project Jane.Doe-ws
openstack subnet create local-subnet \
  --project Jane.Doe-ws \
  --network local-net \
  --subnet-range 10.0.2.0/24 \
  --dns-nameserver 8.8.8.8 \
  --gateway 10.0.2.1

Make sure network class is unique

Since all networks of this type in all projects are meant to be connected to the same router, it is essential that they do not overlap.

Use the following script to list all existing local networks:

# List every network named local-net with its owning project and subnet CIDRs.
openstack network list --long -c ID -c Name -c Project -f value | grep ' local-net ' | while read -r net_id net_name project_id; do
    # Resolve the project ID to a readable name.
    project_name=$(openstack project show "$project_id" -c name -f value 2>/dev/null || echo "Unknown Project")
    # A network may carry zero, one or several subnets.
    subnet_ids=$(openstack network show "$net_id" -c subnets -f json | jq -r '.subnets[]')
    if [[ -z "$subnet_ids" ]]; then
        echo "Project: $project_name | Network: $net_name | Subnet: None"
    else
        for subnet_id in $subnet_ids; do
            subnet_cidr=$(openstack subnet show "$subnet_id" -c cidr -f value 2>/dev/null)
            if [[ -z "$subnet_cidr" ]]; then
                echo "Project: $project_name | Network: $net_name | Subnet: Not found or inaccessible"
            else
                echo "Project: $project_name | Network: $net_name | Subnet: $subnet_cidr"
            fi
        done
    fi
done

Running this script will output something like this:

Project: admin | Network: local-net | Subnet: 10.0.0.0/24
Project: Radu.Moisan-ws | Network: local-net | Subnet: 10.0.1.0/24

In this particular case, 10.0.0.0/24 and 10.0.1.0/24 are taken, so the next free /24 class would be 10.0.2.0/24.
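
The uniqueness check described above, as an added example (not part of the original page): it reads the inventory script's output and returns the first /24 that overlaps no existing subnet, including subnets that are not /24. The function names and the 10.0.0.0/16 pool are assumptions made for this example, and the sample inventory is constructed.

```shell
# Added example (not from the original page). Pool 10.0.0.0/16 is assumed.

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Print "first last": the integer address range covered by a CIDR.
cidr_range() (
    len=${1#*/}
    base=$(ip_to_int "${1%/*}")
    size=$(( 1 << (32 - len) ))
    first=$(( base / size * size ))    # drop any host bits
    echo "$first $(( first + size - 1 ))"
)

# Succeed (status 0) when the two CIDRs share at least one address.
cidrs_overlap() (
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)

# stdin: inventory lines "Project: ... | Subnet: <cidr>".
# stdout: first 10.0.N.0/24 overlapping none of them; status 1 if none is left.
next_free_24() (
    used=$(sed -n 's/.*| Subnet: \([0-9.]*\/[0-9]*\)$/\1/p')
    n=0
    while [ "$n" -le 255 ]; do
        cand="10.0.$n.0/24"
        free=yes
        for u in $used; do
            if cidrs_overlap "$cand" "$u"; then free=no; break; fi
        done
        if [ "$free" = yes ]; then echo "$cand"; return 0; fi
        n=$(( n + 1 ))
    done
    return 1
)

# Constructed inventory: a /23 and a /25 that a plain "next number" guess misses.
sample_inventory() {
    printf '%s\n' \
        'Project: admin | Network: local-net | Subnet: 10.0.0.0/23' \
        'Project: demo-ws | Network: local-net | Subnet: 10.0.2.0/25' \
        'Project: empty-ws | Network: local-net | Subnet: None'
}
sample_inventory | next_free_24
```

Pipe the real inventory script's output into next_free_24 in place of sample_inventory before creating a new local-subnet.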

Step 4: Admin connects the Private Subnet to the Office Router (Admin)

Every time a new client/user registers (and a local-net is created)

  1. Log in to Horizon as the admin user.
  2. Navigate to Admin → Network → Routers.
  3. Find and click on the office-router.
  4. In the router details page, click on the Interfaces tab.
  5. Click Add Interface.
  6. In the Subnet dropdown, select the tenant's local-subnet.
  7. Leave the IP Address field blank (it will be auto-assigned).
  8. Click Submit to attach the local-subnet to the office-router.

Bug in Horizon UI

By default in the Horizon UI, when adding an interface to a router in the Admin project, the Subnet dropdown only shows subnets that belong to the Admin project. You will need to use the CLI as the admin user to attach the tenant's local-subnet to the office-router.

radu@workstation$ openstack subnet list --project Radu.Moisan-ws
+--------------------------------------+--------------+--------------------------------------+-------------+
| ID                                   | Name         | Network                              | Subnet      |
+--------------------------------------+--------------+--------------------------------------+-------------+
| 84d689cb-1d43-4df4-a122-6a131ed10cd2 | local-subnet | 6a93d5be-facd-475e-9519-c4565e5dd97d | 10.0.1.0/24 |
+--------------------------------------+--------------+--------------------------------------+-------------+
openstack router add subnet office-router 84d689cb-1d43-4df4-a122-6a131ed10cd2

Once the local-subnet is attached to the office-router, the user should be able to assign a floating IP from the public subnet.

Command sequence to assign a floating IP (using app credentials)

Because the public (external) network provider was not working, I've replicated this using the office (external) network provider (192.168.3.0/24).

radu@workstation$ openstack floating ip list
+-----------------------------+---------------------+------------------+------+-----------------------------+------------------------------+
| ID                          | Floating IP Address | Fixed IP Address | Port | Floating Network            | Project                      |
+-----------------------------+---------------------+------------------+------+-----------------------------+------------------------------+
| c8e1160a-a756-441a-8dfd-    | 192.168.3.229       | None             | None | adb3a5fb-e867-4d6d-b5ee-    | 472c3b1b2c964e5a8320b003611a |
| 60aa3aa58cd2                |                     |                  |      | 3118d77a87aa                | 067a                         |
+-----------------------------+---------------------+------------------+------+-----------------------------+------------------------------+

06:41 PM ~/.openstack
radu@workstation$ openstack network list
+--------------------------------------+-----------+--------------------------------------+
| ID                                   | Name      | Subnets                              |
+--------------------------------------+-----------+--------------------------------------+
| 6a93d5be-facd-475e-9519-c4565e5dd97d | local-net | 84d689cb-1d43-4df4-a122-6a131ed10cd2 |
| adb3a5fb-e867-4d6d-b5ee-3118d77a87aa | office    | 9c1fb81e-41f3-4231-ba79-53dba83ac17e |
+--------------------------------------+-----------+--------------------------------------+

06:41 PM ~/.openstack
radu@workstation$ openstack server list
+--------------------------------------+------+--------+----------------------+-----------------------+-----------+
| ID                                   | Name | Status | Networks             | Image                 | Flavor    |
+--------------------------------------+------+--------+----------------------+-----------------------+-----------+
| 5ba1b403-15e1-4a21-ae03-496bfc73530a | test | ACTIVE | local-net=10.0.1.227 | ubuntu-22.04.4-server | m1.medium |
+--------------------------------------+------+--------+----------------------+-----------------------+-----------+

06:41 PM ~/.openstack
radu@workstation$ openstack port list --server 5ba1b403-15e1-4a21-ae03-496bfc73530a
+--------------------------------------+------+-------------------+---------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                | Status |
+--------------------------------------+------+-------------------+---------------------------------------------------+--------+
| 3e6ae4f0-7451-40ac-9660-89ec487978c2 |      | fa:16:3e:7a:fc:8c | ip_address='10.0.1.227',                          | ACTIVE |
|                                      |      |                   | subnet_id='84d689cb-1d43-4df4-a122-6a131ed10cd2'  |        |
+--------------------------------------+------+-------------------+---------------------------------------------------+--------+

06:41 PM ~/.openstack
radu@workstation$ openstack floating ip set --port 3e6ae4f0-7451-40ac-9660-89ec487978c2 192.168.3.229