OVN NAT只能配置到Gateway Router或Distributed Gateway Port上。
一个Router只能有一个Distributed Gateway Port.
install vm
在两台机器上各安装两个虚拟机
rhel_version=rhel$(rpm -E %rhel)
# libvirt && kvm
yum -y install virt-install
yum -y install libvirt
yum install -y python3-lxml.x86_64
rpm -qa | grep qemu-kvm >/dev/null || yum -y install qemu-kvm
if (($rhel_version < 7)); then
service libvirtd restart
else
systemctl restart libvirtd
systemctl start virtlogd.socket
fi
# work around for failure of virt-install
chmod 666 /dev/kvm
# define default vnet
virsh net-define /usr/share/libvirt/networks/default.xml
virsh net-start default
virsh net-autostart default
# define vm name and mac
vm_name=v0
mac4vm=a4:a4:a4:a4:a4:a0
# download image
wget http://netqe-bj.usersys.redhat.com/share/vms/rhel8.4.qcow2 -O /var/lib/libvirt/images/$vm_name.qcow2
# install vm
virt-install \
--name $vm_name \
--vcpus=2 \
--ram=2048 \
--disk path=/var/lib/libvirt/images/$vm_name.qcow2,device=disk,bus=virtio,format=qcow2 \
--network bridge=virbr0,model=virtio,mac=$mac4vm \
--boot hd \
--accelerate \
--graphics vnc,listen=0.0.0.0 \
--force \
--os-type=linux \
--noautoconsol
nat on distributed gateway port
setup on central node
systemctl start openvswitch
systemctl start ovn-northd
ovn-sbctl set-connection ptcp:6642
ovn-nbctl set-connection ptcp:6641
ovs-vsctl set Open_vSwitch . external-ids:system-id=hv0
ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=tcp:177.1.1.1:6642
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-type=geneve
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-ip=177.1.1.1
systemctl restart ovn-controller
mac_v0_vnet1=04:ac:10:ff:01:94
mac_v0_vnet2=04:ac:10:ff:01:95
mac_v1_vnet1=04:ac:10:ff:01:96
mac_v1_vnet2=04:ac:10:ff:01:97
cat <<-EOF > v0-vnet1.xml
<interface type='bridge'>
<target dev='h0_v0_vnet1'/>
<mac address='${mac_v0_vnet1}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
cat <<-EOF > v0-vnet2.xml
<interface type='bridge'>
<target dev='h0_v0_vnet2'/>
<mac address='${mac_v0_vnet2}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
cat <<-EOF > v1-vnet1.xml
<interface type='bridge'>
<target dev='h0_v1_vnet1'/>
<mac address='${mac_v1_vnet1}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
cat <<-EOF > v1-vnet2.xml
<interface type='bridge'>
<target dev='h0_v1_vnet2'/>
<mac address='${mac_v1_vnet2}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
virsh attach-device v0 v0-vnet1.xml
virsh attach-device v1 v1-vnet1.xml
sleep 2
ovs-vsctl set interface h0_v0_vnet1 external-ids:iface-id=h0_v0_vnet1
ovs-vsctl set interface h0_v1_vnet1 external-ids:iface-id=h0_v1_vnet1
setup on computing node
systemctl start openvswitch
ovs-vsctl set Open_vSwitch . external-ids:system-id=hv1
ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=tcp:177.1.1.1:6642
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-type=geneve
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-ip=177.1.1.2
systemctl start ovn-controller
mac_v0_vnet1=02:ac:10:ff:01:94
mac_v0_vnet2=02:ac:10:ff:01:95
mac_v1_vnet1=02:ac:10:ff:01:96
mac_v1_vnet2=02:ac:10:ff:01:97
cat <<-EOF > v0-vnet1.xml
<interface type='bridge'>
<target dev='h1_v0_vnet1'/>
<mac address='${mac_v0_vnet1}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
cat <<-EOF > v0-vnet2.xml
<interface type='bridge'>
<target dev='h1_v0_vnet2'/>
<mac address='${mac_v0_vnet2}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
cat <<-EOF > v1-vnet1.xml
<interface type='bridge'>
<target dev='h1_v1_vnet1'/>
<mac address='${mac_v1_vnet1}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
cat <<-EOF > v1-vnet2.xml
<interface type='bridge'>
<target dev='h1_v1_vnet2'/>
<mac address='${mac_v1_vnet2}'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
</interface>
EOF
virsh attach-device v0 v0-vnet2.xml
virsh attach-device v1 v1-vnet2.xml
sleep 2
ovs-vsctl set interface h1_v0_vnet2 external-ids:iface-id=h1_v0_vnet2
ovs-vsctl set interface h1_v1_vnet2 external-ids:iface-id=h1_v1_vnet2
create topo on central node
mac_h0_v0_vnet1=04:ac:10:ff:01:94
mac_h0_v0_vnet2=04:ac:10:ff:01:95
mac_h0_v1_vnet1=04:ac:10:ff:01:96
mac_h0_v1_vnet2=04:ac:10:ff:01:97
mac_h1_v0_vnet1=02:ac:10:ff:01:94
mac_h1_v0_vnet2=02:ac:10:ff:01:95
mac_h1_v1_vnet1=02:ac:10:ff:01:96
mac_h1_v1_vnet2=02:ac:10:ff:01:97
# add logical switch
ovn-nbctl ls-add ls1 -- add Logical_Switch ls1 other_config subnet=172.16.1.0/24
ovn-nbctl ls-add ls2 -- add Logical_Switch ls2 other_config subnet=172.16.2.0/24
# setup ls ipv6_prefix
ovn-nbctl set Logical-switch ls1 other_config:ipv6_prefix=2001:db8:1::0
ovn-nbctl set Logical-switch ls2 other_config:ipv6_prefix=2001:db8:2::0
# create dhcp_options
dhcp_options1=$(ovn-nbctl create DHCP_Options cidr=172.16.1.0/24 \
options="\"server_id\"=\"172.16.1.254\" \"server_mac\"=\"00:00:00:00:01:00\" \
\"lease_time\"=\"$((36000 + RANDOM % 3600))\" \"router\"=\"172.16.1.254\" \"dns_server\"=\"172.16.1.254\"")
dhcp_options2=$(ovn-nbctl create DHCP_Options cidr=172.16.2.0/24 \
options="\"server_id\"=\"172.16.2.254\" \"server_mac\"=\"00:00:00:00:02:00\" \
\"lease_time\"=\"$((36000 + RANDOM % 3600))\" \"router\"=\"172.16.2.254\" \"dns_server\"=\"172.16.2.254\"")
dhcpv6_options1=$(ovn-nbctl create DHCP_Options cidr="2001\:db8\:1\:\:0/64" \
options="\"server_id\"=\"00:00:00:00:01:00\" \"dns_server\"=\"2001:db8:1::254\"")
dhcpv6_options2=$(ovn-nbctl create DHCP_Options cidr="2001\:db8\:2\:\:0/64" \
options="\"server_id\"=\"00:00:00:00:02:00\" \"dns_server\"=\"2001:db8:2::254\"")
# create logical switch port and setup dhcp_option
lsp_name=h0_v0_vnet1
mac=$mac_h0_v0_vnet1
ovn-nbctl lsp-add ls1 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.1.2"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options1}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options1}
lsp_name=h0_v1_vnet1
mac=$mac_h0_v1_vnet1
ovn-nbctl lsp-add ls1 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.1.3"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options1}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options1}
lsp_name=h1_v0_vnet2
mac=$mac_h1_v0_vnet2
ovn-nbctl lsp-add ls2 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.2.2"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options2}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options2}
lsp_name=h1_v1_vnet2
mac=$mac_h1_v1_vnet2
ovn-nbctl lsp-add ls2 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.2.3"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options2}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options2}
# create logical router lr1
ovn-nbctl lr-add lr1
ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:01:00 172.16.1.254/24
ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:02:00 172.16.2.254/24
# connect lr1 and ls1
ovn-nbctl lsp-add ls1 ls1-lr1
ovn-nbctl lsp-set-type ls1-lr1 router
ovn-nbctl lsp-set-addresses ls1-lr1 "00:00:00:00:01:00 172.16.1.254"
ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1
# connect lr1 and ls2
ovn-nbctl lsp-add ls2 ls2-lr1
ovn-nbctl lsp-set-type ls2-lr1 router
ovn-nbctl lsp-set-addresses ls2-lr1 "00:00:00:00:02:00 172.16.2.254"
ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2
create snat on central node
# let lr1-ls1 become distribute gateway port
ovn-nbctl lrp-set-gateway-chassis lr1-ls1 hv0
# setup dnat on lr1-ls1
ovn-nbctl lr-nat-add lr1 dnat 172.16.1.10 172.16.2.2
因为nat配置在了lr1-ls1上面,所以从ls1-lr1发到lr1-ls1的报文会执行dnat动作,
从lr1-ls1发到ls1-lr1的报文会执行snat动作。
所以此时从链接到ls1的虚拟机ping 172.16.1.10会重定向到172.16.2.2
[root@localhost ~]# ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.
64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=3.20 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=0.590 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=0.639 ms
[root@hp-dl388g8-22 ~]# tcpdump -i h1_v0_vnet2 -enn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on h1_v0_vnet2, link-type EN10MB (Ethernet), capture size 262144 bytes
21:11:49.056676 00:00:00:00:02:00 > 02:ac:10:ff:01:95, ethertype IPv4 (0x0800), length 98: 172.16.1.2 > 172.16.2.2: ICMP echo request, id 5712, seq 15, length 64
21:11:49.056890 02:ac:10:ff:01:95 > 00:00:00:00:02:00, ethertype IPv4 (0x0800), length 98: 172.16.2.2 > 172.16.1.2: ICMP echo reply, id 5712, seq 15, length 64
create dnat_and_snat on central node
ovn-nbctl lr-nat-del lr1
ovn-nbctl lr-nat-add lr1 dnat 172.16.1.10 172.16.2.2
此时从172.16.2.2向ls1的主机ping,源ip会变成172.16.1.10
[root@localhost ~]# ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=63 time=2.33 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=63 time=1.27 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=63 time=0.541 ms
64 bytes from 172.16.1.2: icmp_seq=4 ttl=63 time=0.570 ms
[root@hp-dl380pg8-15 ~]# tcpdump -i h0_v0_vnet1 -enn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on h0_v0_vnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:17:55.868060 00:00:00:00:01:00 > 04:ac:10:ff:01:94, ethertype IPv4 (0x0800), length 98: 172.16.1.10 > 172.16.1.2: ICMP echo request, id 5691, seq 13, length 64
21:17:55.868266 04:ac:10:ff:01:94 > 00:00:00:00:01:00, ethertype IPv4 (0x0800), length 98: 172.16.1.2 > 172.16.1.10: ICMP echo reply, id 5691, seq 13, length 64
nat on L3 gateway router
接着上面的环境做下面的配置
# connect to outside
ovn-nbctl ls-add ls3
ovn-nbctl lrp-add lr1 lr1-ls3 00:00:00:00:03:00 172.16.3.254/24
ovn-nbctl lsp-add ls3 ls3-lr1
ovn-nbctl lsp-set-type ls3-lr1 router
ovn-nbctl lsp-set-addresses ls3-lr1 00:00:00:00:03:00
ovn-nbctl lsp-set-options ls3-lr1 router-port=lr1-ls3
ovn-nbctl lsp-add ls3 ls3-localnet
ovn-nbctl lsp-set-type ls3-localnet localnet
ovn-nbctl lsp-set-addresses ls3-localnet unknown
ovn-nbctl lsp-set-options ls3-localnet network_name=outNet
ovs-vsctl add-br br-out
ovs-vsctl add-port br-out ens2f1
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=outNet:br-out
# let lr1 become L3 gateway router
ovn-nbctl lrp-del-gateway-chassis lr1-ls1 hv0
ovn-nbctl lrp-set-gateway-chassis lr1-ls3 hv0
ovn-nbctl lr-nat-del lr1
# create nat
# 注意此时nat实际上是应用到lr1-ls3上面
ovn-nbctl lr-nat-add lr1 dnat_and_snat 172.16.3.200 172.16.1.2
ovn-nbctl lr-nat-add lr1 dnat_and_snat 172.16.3.201 172.16.2.2
# 此时不论是从ls1还是ls2的主机ping 172.16.3.200,172.16.3.201都会执行dnat and snat
[root@localhost ~]# ping 172.16.3.200
PING 172.16.3.200 (172.16.3.200) 56(84) bytes of data.
64 bytes from 172.16.3.200: icmp_seq=1 ttl=62 time=1.83 ms
64 bytes from 172.16.3.200: icmp_seq=2 ttl=62 time=0.651 ms
64 bytes from 172.16.3.200: icmp_seq=3 ttl=62 time=0.625 ms
64 bytes from 172.16.3.200: icmp_seq=4 ttl=62 time=0.619 ms
64 bytes from 172.16.3.200: icmp_seq=5 ttl=62 time=0.673 ms
64 bytes from 172.16.3.200: icmp_seq=6 ttl=62 time=0.444 ms
[root@hp-dl380pg8-15 ~]# tcpdump -i h0_v0_vnet1 -enn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on h0_v0_vnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:28:12.385457 00:00:00:00:01:00 > 04:ac:10:ff:01:94, ethertype IPv4 (0x0800), length 98: 172.16.3.201 > 172.16.1.2: ICMP echo request, id 5699, seq 5, length 64
21:28:12.385642 04:ac:10:ff:01:94 > 00:00:00:00:01:00, ethertype IPv4 (0x0800), length 98: 172.16.1.2 > 172.16.3.201: ICMP echo reply, id 5699, seq 5, length 64
# 而且从物理网络ping也是如此
[root@hp-dl388g8-22 ~]# ip addr add 172.16.3.111/24 dev ens3f1np1
[root@hp-dl388g8-22 ~]# ip link set ens3f1np1 up
[root@hp-dl388g8-22 ~]# ping 172.16.3.200
PING 172.16.3.200 (172.16.3.200) 56(84) bytes of data.
64 bytes from 172.16.3.200: icmp_seq=1 ttl=63 time=1.70 ms
64 bytes from 172.16.3.200: icmp_seq=2 ttl=63 time=0.642 ms
64 bytes from 172.16.3.200: icmp_seq=3 ttl=63 time=0.361 ms
64 bytes from 172.16.3.200: icmp_seq=4 ttl=63 time=0.363 ms
[root@hp-dl380pg8-15 ~]# tcpdump -i h0_v0_vnet1 -enn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on h0_v0_vnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:31:08.154415 00:00:00:00:01:00 > 04:ac:10:ff:01:94, ethertype IPv4 (0x0800), length 98: 172.16.3.111 > 172.16.1.2: ICMP echo request, id 17079, seq 7, length 64
21:31:08.154611 04:ac:10:ff:01:94 > 00:00:00:00:01:00, ethertype IPv4 (0x0800), length 98: 172.16.1.2 > 172.16.3.111: ICMP echo reply, id 17079, seq 7, length 64
21:31:09.178399 00:00:00:00:01:00 > 04:ac:10:ff:01:94, ethertype IPv4 (0x0800), length 98: 172.16.3.111 > 172.16.1.2: ICMP echo request, id 17079, seq 8, length 64
nat on L3 gateway router(ovn-nbctl create Logical_Router name=lr1 options:chassis=hv0)
# clear
ovn-nbctl lr-del lr1
ovn-nbctl ls-del ls1
ovn-nbctl ls-del ls2
ovn-nbctl ls-del ls3
ovs-vsctl del-br br-out
# recrate topo
mac_h0_v0_vnet1=04:ac:10:ff:01:94
mac_h0_v0_vnet2=04:ac:10:ff:01:95
mac_h0_v1_vnet1=04:ac:10:ff:01:96
mac_h0_v1_vnet2=04:ac:10:ff:01:97
mac_h1_v0_vnet1=02:ac:10:ff:01:94
mac_h1_v0_vnet2=02:ac:10:ff:01:95
mac_h1_v1_vnet1=02:ac:10:ff:01:96
mac_h1_v1_vnet2=02:ac:10:ff:01:97
# add logical switch
ovn-nbctl ls-add ls1 -- add Logical_Switch ls1 other_config subnet=172.16.1.0/24
ovn-nbctl ls-add ls2 -- add Logical_Switch ls2 other_config subnet=172.16.2.0/24
# setup ls ipv6_prefix
ovn-nbctl set Logical-switch ls1 other_config:ipv6_prefix=2001:db8:1::0
ovn-nbctl set Logical-switch ls2 other_config:ipv6_prefix=2001:db8:2::0
# create dhcp_options
dhcp_options1=$(ovn-nbctl create DHCP_Options cidr=172.16.1.0/24 \
options="\"server_id\"=\"172.16.1.254\" \"server_mac\"=\"00:00:00:00:01:00\" \
\"lease_time\"=\"$((36000 + RANDOM % 3600))\" \"router\"=\"172.16.1.254\" \"dns_server\"=\"172.16.1.254\"")
dhcp_options2=$(ovn-nbctl create DHCP_Options cidr=172.16.2.0/24 \
options="\"server_id\"=\"172.16.2.254\" \"server_mac\"=\"00:00:00:00:02:00\" \
\"lease_time\"=\"$((36000 + RANDOM % 3600))\" \"router\"=\"172.16.2.254\" \"dns_server\"=\"172.16.2.254\"")
dhcpv6_options1=$(ovn-nbctl create DHCP_Options cidr="2001\:db8\:1\:\:0/64" \
options="\"server_id\"=\"00:00:00:00:01:00\" \"dns_server\"=\"2001:db8:1::254\"")
dhcpv6_options2=$(ovn-nbctl create DHCP_Options cidr="2001\:db8\:2\:\:0/64" \
options="\"server_id\"=\"00:00:00:00:02:00\" \"dns_server\"=\"2001:db8:2::254\"")
# create logical switch port and setup dhcp_option
lsp_name=h0_v0_vnet1
mac=$mac_h0_v0_vnet1
ovn-nbctl lsp-add ls1 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.1.2"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options1}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options1}
lsp_name=h0_v1_vnet1
mac=$mac_h0_v1_vnet1
ovn-nbctl lsp-add ls1 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.1.3"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options1}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options1}
lsp_name=h1_v0_vnet2
mac=$mac_h1_v0_vnet2
ovn-nbctl lsp-add ls2 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.2.2"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options2}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options2}
lsp_name=h1_v1_vnet2
mac=$mac_h1_v1_vnet2
ovn-nbctl lsp-add ls2 $lsp_name
ovn-nbctl lsp-set-addresses $lsp_name "$mac 172.16.2.3"
ovn-nbctl lsp-set-dhcpv4-options $lsp_name ${dhcp_options2}
ovn-nbctl add Logical_Switch_Port $lsp_name dhcpv6_options ${dhcpv6_options2}
# create logical router lr1
#ovn-nbctl lr-add lr1
ovn-nbctl create Logical_Router name=lr1 options:chassis=hv0
ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:01:00 172.16.1.254/24
ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:02:00 172.16.2.254/24
# connect lr1 and ls1
ovn-nbctl lsp-add ls1 ls1-lr1
ovn-nbctl lsp-set-type ls1-lr1 router
ovn-nbctl lsp-set-addresses ls1-lr1 "00:00:00:00:01:00 172.16.1.254"
ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1
# connect lr1 and ls2
ovn-nbctl lsp-add ls2 ls2-lr1
ovn-nbctl lsp-set-type ls2-lr1 router
ovn-nbctl lsp-set-addresses ls2-lr1 "00:00:00:00:02:00 172.16.2.254"
ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2
# connect to outside
ovn-nbctl ls-add ls3
ovn-nbctl lrp-add lr1 lr1-ls3 00:00:00:00:03:00 172.16.3.254/24
ovn-nbctl lsp-add ls3 ls3-lr1
ovn-nbctl lsp-set-type ls3-lr1 router
ovn-nbctl lsp-set-addresses ls3-lr1 00:00:00:00:03:00
ovn-nbctl lsp-set-options ls3-lr1 router-port=lr1-ls3
ovn-nbctl lsp-add ls3 ls3-localnet
ovn-nbctl lsp-set-type ls3-localnet localnet
ovn-nbctl lsp-set-addresses ls3-localnet unknown
ovn-nbctl lsp-set-options ls3-localnet network_name=outNet
ovs-vsctl add-br br-out
ovs-vsctl add-port br-out ens2f1
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=outNet:br-out
ovn-nbctl lr-nat-add lr1 dnat_and_snat 172.16.3.200 172.16.1.2
ovn-nbctl lr-nat-add lr1 dnat_and_snat 172.16.3.201 172.16.2.2
#最终 效果和上面一个一样,不论从内部访问,还是从外部发起访问,dnat and sant 都生效。