= Route all VM network traffic to a designated host and IP on the cluster =

 * The z2-6 ganeti host located at OVH has IP 91.121.33.240
 * The z2-9 ganeti host located at tetaneutral runs the VM 10.10.1.66
 * There is an openvpn tunnel between z2-6 and z2-9 (the tunnel already exists)
 * The goal is to route all incoming / outgoing traffic to / from 10.10.1.66 via 91.121.33.240 and never use the z2-9 default route

 * On z2-6
   * /etc/shorewall/rules
{{{
ACCEPT net loc:10.10.1.66 tcp - - 91.121.33.240
}}}
   * /etc/shorewall/nat
{{{
91.121.33.240 eth0:240 10.10.1.66 Yes
}}}

 * On z2-9
   * /etc/openvpn/client-9-to-6.conf
{{{
remote z2-61.pokersource.info
proto udp6
dev tun6
port 6009
management 127.0.0.1 9506
ifconfig 10.1.9.6 10.1.6.9
secret /etc/openvpn/keys/shared.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
script-security 2
up ./tun6-up
}}}
     Note the '''script-security 2''' and '''up ./tun6-up''' at the end, which are the two lines added to the pre-existing file.
   * /etc/openvpn/tun6-up
{{{
#!/bin/bash
# the default route of 10.10.1.66 is z2-6, which is reachable through tun6
ip route add default via 10.1.6.9 dev tun6 table 6
# the rule is not removed when the tunnel goes down, so delete any stale copy first
ip rule delete from 10.10.1.66 table 6 2> /dev/null || true
ip rule add from 10.10.1.66 table 6
}}}
     The '''ip route add''' creates a '''table 6''' routing table in which the default route is the tunnel just established. The numbering uses the same numbers as the remote ganeti host (table 6 for z2-6). When the tunnel goes down the route is removed automatically, because it is tied to the tun6 device.

     The '''ip rule''' says that all outgoing traffic originating from 10.10.1.66 must be routed using routing table 6 as defined in the previous line. The rule is deleted first, if present, because unlike the route it is not removed automatically when the tunnel goes down.

 * Ideas & problems
   * Rewrite
{{{
ip route add default via 10.1.6.9 dev tun6 table 6
}}}
     so that it does not contain 10.1.6.9.
   * What if 10.10.1.66 wants to access 10.10.1.200 which is on z2-9? It will go through z2-6, which is fairly useless.
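As an added example (this is not the page's tun6-up script, nor anything shipped by OpenVPN or ganeti), the following up/down script addresses both points listed under Ideas & problems: it takes the peer address and the tunnel device from the ifconfig_remote and dev variables that OpenVPN exports to its scripts instead of hard-coding 10.1.6.9, and it installs a '''throw''' route for the VM subnet in table 6 so that a lookup for 10.10.1.200 ends there and falls through to the main table, keeping that traffic on z2-9. The subnet 10.10.1.0/24, the names VM_IP, TABLE, LOCAL_NET and the DRY_RUN switch are this example's own assumptions; script_type, dev and ifconfig_remote are variables OpenVPN really sets for up and down scripts.

```shell
#!/bin/bash
# Added example, not the page's own tun6-up: an OpenVPN up/down script that
# builds the policy-routing table from the variables OpenVPN exports
# (dev, ifconfig_remote, script_type) instead of hard-coding 10.1.6.9.
# VM_IP, TABLE, LOCAL_NET and DRY_RUN are this example's own names (assumptions).

VM_IP="${VM_IP:-10.10.1.66}"              # guest whose traffic is pinned to the tunnel
TABLE="${TABLE:-6}"                       # routing table, numbered after the remote host (z2-6)
LOCAL_NET="${LOCAL_NET:-10.10.1.0/24}"    # assumed subnet of the VMs on z2-9

# run_ip: execute an ip(8) command, or only print it when DRY_RUN is set, so the
# script can be exercised without root or a live tunnel.
run_ip() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ip $*"
    else
        ip "$@"
    fi
}

# tun_up: OpenVPN calls the up script with dev (tun6) and ifconfig_remote
# (the peer end of "ifconfig 10.1.9.6 10.1.6.9", i.e. 10.1.6.9) in the environment.
tun_up() {
    peer="${ifconfig_remote:?OpenVPN did not export ifconfig_remote}"
    tun="${dev:?OpenVPN did not export dev}"
    # Default route of the table is the tunnel peer; "replace" keeps reruns idempotent.
    run_ip route replace default via "$peer" dev "$tun" table "$TABLE"
    # A throw route ends the lookup in this table for the VM's own subnet, so policy
    # routing continues with the next rule (the main table): 10.10.1.200 stays on
    # z2-9 instead of hairpinning through z2-6.
    run_ip route replace throw "$LOCAL_NET" table "$TABLE"
    # The rule survives a tunnel restart, so remove any stale copy before adding it.
    run_ip rule delete from "$VM_IP" table "$TABLE" 2>/dev/null || true
    run_ip rule add from "$VM_IP" table "$TABLE"
}

# tun_down: remove the rule (which the kernel never drops by itself) and empty the table.
tun_down() {
    run_ip rule delete from "$VM_IP" table "$TABLE" 2>/dev/null || true
    run_ip route flush table "$TABLE" 2>/dev/null || true
}

# OpenVPN sets script_type to "up" or "down"; when sourced or run by hand, do nothing.
case "${script_type:-}" in
    up)   tun_up ;;
    down) tun_down ;;
    *)    : ;;
esac
```

Point both an '''up''' and a '''down''' line of client-9-to-6.conf at this one script; OpenVPN distinguishes the two calls through script_type. After the tunnel is up, '''ip rule show''' should list the from 10.10.1.66 rule, '''ip route show table 6''' should show the default and throw routes, and '''ip route get 91.121.33.240 from 10.10.1.66 iif BRIDGE''' (BRIDGE being the bridge the VM is attached to on z2-9, which the page does not name) should answer with the tun6 route from table 6, while the same query for 10.10.1.200 should answer from the main table.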