On Wed, 02 Aug 2017, KatolaZ wrote:
> The second reason is more fundamental. I had the impression that we
> wanted to have a DMZ in which to put VMs for external services, so that
> all the public IPs could be routed by a VM acting as a
> firewall. However, Centurion_Dan now seems convinced that the physical
> machine should do the routing (and the firewalling).
>
> I think this is not a good idea, and I am not sure about how this
> plays with ganeti failover procedures. I guess that having two
> identical fw VMs (one on each ganeti node) would be the best option,
> since upon failover we would simply need to route the external IPs to
> the MAC of the new master, and everything will be already working. If
> instead we go for managing routing on the physical machine, we need to
> set up all the fw rules on the new master node, which might be a bit of
> a burden.
>
> Since we are now again blocked on this point, I think we must clarify
> these issues and proceed as soon as possible.

Thanks for making this issue clearer.

nextime: can you chip in on this and let us know what you think is best?
I'd rather keep up with the same ganeti setup we have now.

ciao