vr_sdnat4
This feature enables source NAT, as in the NAT4 module, and additionally maps (1:1) a public IP address to a private IP address. All incoming traffic addressed to the public IP is forwarded to the private IP by defining both SNAT and DNAT rules in iptables.
The following figure depicts the basic LAN topology assumed by the module:

```
            public Network (10.2.11.0/24)
          ┌─────────────────────────────────
       ┌──┴─┐
    ┌──┤eth0├──┐   eth0 IPs (10.2.11.1, 10.2.11.201, 10.2.11.202)
    │  └────┘  │     10.2.11.201 --> 172.20.0.128
    │  Virtual │     10.2.11.202 --> 172.20.0.130
    │  Router  │
    │  ┌────┐  │
    └──┤eth1├──┘
       └─┬──┘        private network (172.20.0.0/24)
         └────┬────────────────┬────────────────┬────────────
        172.20.0.128      172.20.0.67     172.20.0.130
           ┌──┴──┐          ┌──┴──┐          ┌──┴──┐
           │ VM1 │          │ VM1 │          │ VM1 │
           └─────┘          └─────┘          └─────┘
```
> [!IMPORTANT]
> You need to assign one IP on the public network to each VM you want to forward the traffic to.
The following attributes control the basic configuration for NAT'ing:

- `ONEAPP_VNF_SDNAT4_ENABLED` to activate the module
- `ONEAPP_VNF_SDNAT4_INTERFACES` defines the public and private interfaces where the mapping occurs. Usually this identifies the public and private networks.
For the example above simply add:

```
CONTEXT = [
    ...
    ONEAPP_VNF_SDNAT4_ENABLED = "YES",
    ONEAPP_VNF_SDNAT4_INTERFACES = "eth0 eth1",
    ...
]
```
For those VMs that you want to forward the incoming traffic to, you need to add a network interface of type `NIC_ALIAS` and label it with `EXTERNAL = "YES"`. The special `NIC_ALIAS` section is added to the backend VM's template as follows:

```shell
$ onevm nic-attach backend_VM_name_or_ID <<'EOF'
NIC_ALIAS = [
    NETWORK_ID = "0",   # ID of the 10.2.11.0/24 VNET.
    PARENT = "NIC0",
    EXTERNAL = "YES" ]  # Must be set to "YES" to enable SDNAT4 mapping.
EOF
```
This produces the following rules in the `DNAT4` and `SNAT4` chains of the `nat` table on the Virtual Router:

```
$ iptables -t nat -vnL DNAT4
Chain DNAT4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    12 DNAT       0    --  *      *       0.0.0.0/0            10.2.11.201          to:172.20.0.128

$ iptables -t nat -vnL SNAT4
Chain SNAT4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    34 SNAT       0    --  *      *       172.20.0.128         0.0.0.0/0            to:10.2.11.201
```
Where `10.2.11.201` is considered public and is defined on the `lo` NIC inside the master VR instance:

```
$ ip addr show lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.2.11.201/32 scope global SDNAT4
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
```
Connecting to `10.2.11.201` should forward all packets for all protocols, both ways:

```
$ ssh root@10.2.11.201 ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:ac:14:00:80 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.128/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::acff:fe14:80/64 scope link
       valid_lft forever preferred_lft forever
```
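The listings above are the whole contract of the module: every mapping must appear as a DNAT rule (public destination rewritten to the private address), a matching SNAT rule (private source rewritten to the public address) and a `/32` address on `lo` labelled `SDNAT4`. A mapping that is missing one of the three forwards traffic in one direction only, or not at all, and the Virtual Router then silently drops or misroutes packets for that public IP. The following script is an added example, not code from the one-apps project: it parses the output of `iptables -t nat -vnL DNAT4`, `iptables -t nat -vnL SNAT4` and `ip addr show lo` and reports mappings that are not complete. The sample listings are constructed from the page's output, with a second, deliberately incomplete mapping (`10.2.11.202`) added to show what a failure looks like. The `expected_rules()` helper renders the iptables rule form I read off the listings; the module's own command lines may differ.

```python
"""Consistency check for SDNAT4 1:1 mappings (added example, not project code)."""
import re

# Constructed sample listings, modelled on the `iptables -t nat -vnL` output shown
# on this page. 10.2.11.202 is intentionally only half-configured.
DNAT4_LISTING = """\
Chain DNAT4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    12 DNAT       0    --  *      *       0.0.0.0/0            10.2.11.201          to:172.20.0.128
    0     0 DNAT       0    --  *      *       0.0.0.0/0            10.2.11.202          to:172.20.0.130
"""
SNAT4_LISTING = """\
Chain SNAT4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    34 SNAT       0    --  *      *       172.20.0.128         0.0.0.0/0            to:10.2.11.201
"""
LO_LISTING = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.2.11.201/32 scope global SDNAT4
       valid_lft forever preferred_lft forever
"""

# Columns of `iptables -vnL`: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(DNAT|SNAT)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+to:(\S+)"
)
# Only /32 addresses carrying the SDNAT4 label count as module-managed public IPs.
LO_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)/32\s+scope\s+global\s+SDNAT4\b")


def parse_nat_chain(listing):
    """Return (target, source, destination, to) tuples for every NAT rule in a chain."""
    return [m.groups() for m in (RULE_RE.match(l) for l in listing.splitlines()) if m]


def dnat_mappings(listing):
    """{public: private} derived from DNAT rules (destination rewritten to 'to:')."""
    return {dst: to for tgt, _src, dst, to in parse_nat_chain(listing) if tgt == "DNAT"}


def snat_mappings(listing):
    """{public: private} derived from SNAT rules (source rewritten to 'to:')."""
    return {to: src for tgt, src, _dst, to in parse_nat_chain(listing) if tgt == "SNAT"}


def sdnat4_addresses(lo_listing):
    """Set of public /32 addresses the module has placed on lo."""
    return {m.group(1) for m in (LO_RE.match(l) for l in lo_listing.splitlines()) if m}


def check_mappings(dnat_listing, snat_listing, lo_listing):
    """Return (sorted public IPs seen, list of problems). Empty problems == consistent."""
    dnat = dnat_mappings(dnat_listing)
    snat = snat_mappings(snat_listing)
    on_lo = sdnat4_addresses(lo_listing)
    problems = []
    for pub, priv in dnat.items():
        if snat.get(pub) != priv:
            problems.append(f"{pub} -> {priv}: DNAT present but no matching SNAT")
        if pub not in on_lo:
            problems.append(f"{pub}: not configured on lo with label SDNAT4")
    for pub, priv in snat.items():
        if pub not in dnat:
            problems.append(f"{priv} -> {pub}: SNAT present but no matching DNAT")
    return sorted(set(dnat) | set(snat)), problems


def expected_rules(mapping):
    """Rule form equivalent to the listings above for a {public: private} mapping.
    Assumption: this is my rendering of the rules, not the module's exact commands."""
    rules = []
    for pub, priv in sorted(mapping.items()):
        rules.append(f"iptables -t nat -A DNAT4 -d {pub} -j DNAT --to-destination {priv}")
        rules.append(f"iptables -t nat -A SNAT4 -s {priv} -j SNAT --to-source {pub}")
    return rules


if __name__ == "__main__":
    seen, issues = check_mappings(DNAT4_LISTING, SNAT4_LISTING, LO_LISTING)
    print("public IPs with NAT rules:", ", ".join(seen))
    for issue in issues or ["all mappings consistent"]:
        print("  -", issue)
    print("\n".join(expected_rules(dnat_mappings(DNAT4_LISTING))))
```

On a live Virtual Router the three constants would be replaced by the output of the respective commands (for example via `subprocess.run([...], capture_output=True, text=True).stdout`); the parsers are unchanged. Running the check on the constructed input reports that `10.2.11.202` has a DNAT rule but neither the SNAT counterpart nor the `lo` address, which is exactly the state a backend VM ends up in when its `NIC_ALIAS` was attached without `EXTERNAL = "YES"` being honoured or before the next refresh of the mapping rules.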
| Parameter | Default | Description |
|---|---|---|
| `ONEAPP_VNF_SDNAT4_ENABLED` | `NO` | Enable/Disable SNAT/DNAT feature (`YES`/`NO`) |
| `ONEAPP_VNF_SDNAT4_INTERFACES` | none | Mandatory: List of NICs among which to detect mappings (`<[!]ethX> ...`) |
| `ONEAPP_VNF_SDNAT4_REFRESH_RATE` | `30` | Refresh rate between updates of the mapping rules (seconds) |