-
Notifications
You must be signed in to change notification settings - Fork 17
vr_sdnat4
Important
You need to configure OpenNebula Gate (onegate) to use SDNAT4 functionality.
This feature enables source NAT, as in the NAT4 module, and maps (1:1) a public IP addresses to a private IP addresses. All the incoming traffic addressed to the public IP is forwarded to the private IP by defining both SNAT and DNAT rules in iptables
.
The following figure depicts the basic LAN topology assumed by the module:
public Network (10.2.11.0/24)
┌─────────────────────────────────
┌──┴─┐
┌──┤eth0├──┐ eth0 IPs (10.2.11.1, 10.2.11.201. 10.2.11.202)
│ └────┘ │ 10.2.11.201 --> 172.20.0.128
│ Virtual │ 10.2.11.202 --> 172.20.0.130
│ Router │
│ ┌────┐ │
└──┤eth1├──┘
└─┬──┘ private network (172.20.0.0/24)
└────┬──────────────┬────────────┬────────────
172.20.0.128 172.20.0.67 172.20.0.130
┌──┴──┐ ┌──┴──┐ ┌──┴──┐
│ VM1 │ │ VM1 │ │ VM1 │
└─────┘ └─────┘ └─────┘
Important
You need to assign one IP on the public network to each VM you want to forward the traffic to.
The following attributes control the basic configuration for NAT'ing:
-
ONEAPP_VNF_SDNAT4_ENABLED
to activate the module -
ONEAPP_VNF_SDNAT4_INTERFACES
defines the public and private interfaces where the mapping occurs. Usually this identifies the public and private networks.
For the example above simply add:
CONTEXT = [
...
ONEAPP_VNF_SDNAT4_ENABLED = "YES",
ONEAPP_VNF_SDNAT4_INTERFACES = "eth0 eth1",
...
]
For those VMs that you want to forward the incoming traffic to, you need to add a network interface of type NIC_ALIAS
attached to the public network, and label it with the EXTERNAL
attribute.
$ onevm nic-attach backend_VM_name_or_ID <<'EOF'
NIC_ALIAS = [
NETWORK = "public",
PARENT = "NIC0",
EXTERNAL = "YES" ]
EOF
OpenNebula will perform the following actions:
- The VM will get an IP lease from the public network. This IP will not be configured in the VM
- The VR will discover the new
EXTERNAL
IP allocation and it will configure the new external IP in its loopback interface for routing purposes. For example, for the 10.2.11.201 map you will see the following IP addresses in the VR:
$ ip addr show lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.2.11.201/32 scope global SDNAT4
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
- It will also install DNAT and SNAT rules for the
EXTERNAL
IP. For example for the 10.2.11.201 map you will see the following iptables rules in the NAT table:
$ iptables -t nat -vnL DNAT4
Chain DNAT4 (1 references)
pkts bytes target prot opt in out source destination
1 12 DNAT 0 -- * * 0.0.0.0/0 10.2.11.201 to:172.20.0.128
$ iptables -t nat -vnL SNAT4
Chain SNAT4 (1 references)
pkts bytes target prot opt in out source destination
1 34 SNAT 0 -- * * 172.20.0.128 0.0.0.0/0 to:10.2.11.201
Connecting to 10.2.11.201
should forward all packets for all protocols, both ways, for example (note, there is no 10.2.11.0/24 ip configured in the VM):
$ ssh root@10.2.11.201 ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:ac:14:00:80 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.128/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::acff:fe14:80/64 scope link
valid_lft forever preferred_lft forever
Parameter | Default | Description |
---|---|---|
ONEAPP_VNF_SDNAT4_ENABLED |
NO |
Enable/Disable SNAT/DNAT feature (YES/NO ) |
ONEAPP_VNF_SDNAT4_INTERFACES |
none |
Mandatory: List of NICs among which to detect mappings (<[!]ethX> ... ) |
ONEAPP_VNF_SDNAT4_REFRESH_RATE |
30 |
Refresh rate between updates of the mapping rules (seconds ) |
- OpenNebula Apps Overview
- OS Appliances Update Policy
- OneApps Quick Intro
- Build Instructions
- Linux Contextualization Packages
- Windows Contextualization Packages
- OneKE (OpenNebula Kubernetes Edition)
- Virtual Router
- Overview & Release Notes
- Quick Start
- OpenRC Services
- Virtual Router Modules
- Glossary
- WordPress
- Harbor Container Registry
- MinIO
- Ray AI
- Development