If SNAT on the router is enabled, then the subnet is reachable
from the outside, but all new sessions created from within the subnet
will be SNAT-ed. So those sessions will use the external IP of the router.
For example whitelisting specific tenant ips would not be possible.
With SNAT disabled, the neutron router will act as a normal gateway, and
sessions created from within a tenant vm will be sent from the real ip.
Closes-Bug: #2052292
Change-Id: Ib97065fb2fcca069195278fea804256370d21816
326ec40230