Allowing an additional subnet to talk to or via a port
Overview
To let traffic from an additional network, for example a VPN network, pass in and out through the VPN gateway's port, you must adjust the port security of that port.
Prerequisites
- You know the basics of using the OpenStack CLI-Tools.
- Environment variables are set, as shown in the API-Access-Tutorial.
Step One: List available ports
$ openstack port list
+--------------+------------------+-------------------+-----------------------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+--------------+------------------+-------------------+-----------------------------------------------------+--------+
| 5fc7ed94-... | vpngateway1 port | fa:16:3e:6a:24:b3 | ip_address='192.168.2.14', subnet_id='f776dcf3-...' | ACTIVE |
+--------------+------------------+-------------------+-----------------------------------------------------+--------+
Step Two: Update port security for target port and allow additional subnet
openstack port set <PORT ID> --allowed-address ip-address=<ip-address>,mac-address=<mac-address>
openstack port set 5fc7ed94-754e-427a-a6d2-9b0f67f9eebd --allowed-address ip-address=10.0.0.0/24,mac-address=fa:16:3e:6a:24:b3
Step Three: Check if packets can be sent/received
ssh user@10.0.0.2
ping 192.168.2.14
64 bytes from 192.168.2.14: icmp_seq=348 ttl=64 time=2.19 ms
64 bytes from 192.168.2.14: icmp_seq=349 ttl=64 time=1.83 ms
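Optional check after Step Two and Step Three (an added example, not part of the original tutorial): the script below audits the JSON printed by `openstack port show <PORT ID> -f json` and reports allowed address pairs that are unexpected, too broad, or bound to a different MAC address. The function name, the /16 threshold (IPv4) and the embedded sample are assumptions made for illustration; the field names are assumed to match the Neutron port resource.

```python
import ipaddress
import json

# Constructed sample of `openstack port show <PORT ID> -f json` output.
# Field names are assumed; the values reuse the ones from this tutorial.
SAMPLE_PORT_JSON = """
{
  "id": "5fc7ed94-754e-427a-a6d2-9b0f67f9eebd",
  "mac_address": "fa:16:3e:6a:24:b3",
  "port_security_enabled": true,
  "allowed_address_pairs": [
    {"ip_address": "10.0.0.0/24", "mac_address": "fa:16:3e:6a:24:b3"}
  ]
}
"""


def audit_allowed_pairs(port_json, expected_cidr, min_prefix=16):
    """Return a list of findings; an empty list means the port looks as intended."""
    port = json.loads(port_json)
    expected = ipaddress.ip_network(expected_cidr)
    findings = []
    if not port.get("port_security_enabled", True):
        findings.append("port security is disabled; no anti-spoofing filter is applied")
    seen_expected = False
    for pair in port.get("allowed_address_pairs") or []:
        # A bare address such as 10.0.0.5 is treated as a /32 network.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net == expected:
            seen_expected = True
        else:
            findings.append(f"unexpected allowed address {net}")
        # Very broad ranges effectively switch off source-address filtering.
        if net.prefixlen < min_prefix:
            findings.append(f"{net} is broader than /{min_prefix}")
        mac = (pair.get("mac_address") or "").lower()
        if mac and mac != port["mac_address"].lower():
            findings.append(f"{net} is bound to foreign MAC {mac}")
    if not seen_expected:
        findings.append(f"expected subnet {expected} is not allowed on the port")
    return findings


if __name__ == "__main__":
    for line in audit_allowed_pairs(SAMPLE_PORT_JSON, "10.0.0.0/24") or ["OK"]:
        print(line)
```

To audit a real port, pass the saved output of `openstack port show <PORT ID> -f json` to the function in place of the sample.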
Conclusion
You have allowed your VPN subnet to communicate via the host port.