cloudstack-users mailing list archives

From Murali Reddy <>
Subject Re: Creating advanced network
Date Fri, 18 Oct 2013 13:21:55 GMT

Sorry, that commit only fixes part of the problem. Still, there are two more issues (source
NAT and SG + source NAT combination is not permitted, and public traffic type is not allowed
in security group based shared network). I opened a feature enhancement bug, CLOUDSTACK-4891,
for this issue.

You may want to try the basic zone model of CloudStack, which provides security group based L3
isolation with EIP (1:1 NAT) & ELB services with NetScaler.


From: Bjoern Teipel <<>>
Reply-To: "<>" <<>>
Date: Thursday, 17 October 2013 10:29 AM
To: "<>" <<>>
Subject: Re: Creating advanced network

Hi Murali,

I saw your git commits. I now want to compile your changes into our source code. Do I need
just the one for 4.2 or also the master commits:

Commit 4d07493a5e6e13462b80ba09c3535fa4af0ebdc7 in branch refs/heads/4.2 from Murali Reddy<>

[]ASF subversion and git services<>
added a comment - Today 06:18

Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/master from Murali Reddy<>

[]ASF subversion and git services<>
added a comment - Today 14:45

Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/ui-restyle from Murali


On 10/16/2013 2:35 AM, Murali Reddy wrote:

On 16/10/13 12:23 PM, "Bjoern Teipel" <><>


That would be great if you're right. But I'm now in a deadlock:

Adding new network offering including LB:

2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement]
(catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp
UserData Lb ] without source NAT service
2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer]
(catalina-exec-19:null) unhandled exception executing api command:
createNetworkOffering Provider VirtualRouter
doesn't support services combination: [Dns, Dhcp, UserData, Lb]

That forces me to add source NAT, but once I want to add a guest network in
the zone I get the opposite error. I can't mix SG + sourceNat

013-10-15 23:46:30,896 INFO  [cloud.api.ApiServer]
(catalina-exec-22:null) Service SourceNat is not allowed in security
group enabled zone

The first issue is a known issue (CLOUDSTACK-4717) and is getting addressed in 4.2.1.
Not sure why source NAT should not be allowed in SG network. Sorry, this
is indeed a deadlock situation. It does not look like you can use LB
within a shared network with SG in advanced zone.

So no internal lb ?


On 10/15/2013 11:28 PM, Murali Reddy wrote:

On 16/10/13 7:17 AM, "Bjoern Teipel" <><>

Wow, all user@cloudstack mails got caught in my spam filter, so sorry
for the late response.

After tinkering the whole day I gave up using a tagged VLAN for the
storage traffic, seems not to work. It ignores the VID and doesn't
create the VLAN on the hypervisor.
I added the vlan to the hypervisor now and bound cloudbr1 to it and
using it untagged in cloudstack.
Finally all is up. :-)

Now I was looking how to use a load balancer like the internal
cloudstack one or even the F5 and it seems it's not supported.
No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
According to the advanced network and security groups specification (
AddF5LoadBalancerCmd api commands will just fail in SG enabled zone.
That's just a joke.

4.1 did not support PF/NAT/LB services in shared network. From 4.2, all
network services are supported in shared network with or without SG, so
you should be able to use F5/VR/Netscaler for LB.

I'm really close to end the cloudstack adventure and move on with open
Having a shared network with SG and load balancer is not really an
uncommon solution
