From note to the mailing list: http://markmail.org/message/2ehabewgw6gwql2q
The problem is that the SNAT rule to make the traffic look like it is coming from the floating ip happens in POSTROUTING, which is after the filter rules for the security group are checked. The upshot is that when the filter rules are checked, the traffic still looks like it is coming from the fixed ip, so it doesn't match the security group rule and gets blocked.
...
Note that this means that operators have to be careful to make sure that traffic that is going to other vms does not get snatted. Traffic from vm -> vm accross the fixed network should be fine, as snat rules are skipped in this case, but traffic going to the floating range may still get snatted. The way to ensure traffic doesn't get snatted to the floating range is to explicitly set a
dmz_cidr=x.x.x.x/y
where x.x.x.x/y is the range of floating ips for each pool of floating ips you define. Note that this configuration is also necessary to make source_groups work if the vms in the source group have floating ips.
Fix proposed to branch: master
Review: https:/