[ovirt-users] NAT/internal Networks in ovirt?

Derek Atkins derek at ihtfp.com
Thu Nov 3 11:26:11 EDT 2016

Hi Dan,

On Thu, November 3, 2016 6:14 am, Dan Kenigsberg wrote:
> On Wed, Nov 02, 2016 at 05:22:43PM -0400, Derek Atkins wrote:
>> Hi,
> I'm afraid that we have not advanced this any further.
> Main conceptual problem with the suggested manual process is that VMs
> behind NAT cannot be reliably migrated to another host.

I suppose the only real issue in migration would be open connections.  In
my case, since I only have a single machine, migration isn't an issue. 
But I see the larger problem that seamless migration would cause.

> I hope that our current work, of attaching VMs onto an OVN-defined
> overlay network (see
> https://www.ovirt.org/blog/2016/11/ovirt-provider-ovn/ ) would satisfy
> most of what you need of a NATted network, and more.

I have to better understand OVN, how to configure it, and how it would
work, but it sounds like it might solve the problem.  From a cursory
glance it looks like this would allow me to set up a virtual network that
goes through the OVN service in lieu of the standard bridges that ovirt
networking provides -- so I would provide an ovirt bridge to an OVN
network which could act as a NAT to the "standard" bridge out into the
Internet at large.

(Honestly, I wish there were a good overview of networking in ovirt -- all
the pages seem to assume you already know how it works and are more aimed
at explaining how to configure it -- which doesn't help a n00b like me)

> For HostOnly networks, btw, you can create dummy interfaces
> http://lists.ovirt.org/pipermail/users/2015-December/036897.html
> and then attach them to a network.

Yes, I don't specifically need this, but it would certainly work for those
who want a HostOnly network.

Thank you for your reply!

> Regards,
> Dan.


PS: Is there any particular reason, if I only have a single physical
network/uplink, to create multiple logical networks within ovirt?  Or is
it "safe" to just use the management network for everything?  Everything
is, effectively, already in the same broadcast network.

       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
