System Administration Guide: Network Interfaces and Network Virtualization

Procedure: How to Configure Routing and Network Address Translation for the Private Virtual Network

Before You Begin

This procedure assumes that you have created the etherstub, VNICs, and exclusive IP zones or virtual machines for the private network, as described in How to Create Etherstubs and VNICs for the Private Virtual Network.

  1. On the system where you create the private virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Check the status of the host's network interface.


    # ifconfig -a
    

    You should receive output similar to the following:


    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
            ether 0:14:4f:94:d0:40

    The interface, e1000g0 in this case, must be configured and plumbed before you can use it as part of the virtual network.

  3. Assign an IP address to the VNIC that you reserved for the global zone.

    Make sure that all IP addresses that you assign to the VNICs on this host are private, reserved for use on this host only. Do not use the IP address prefix of the public network to which the network interface is connected as the network portion of the VNIC's IP address.

    For example, the ifconfig -a command above shows the IP address 192.168.3.70 for interface e1000g0. The output indicates that the interface is on local network 192.168.3.0/24. Therefore, do not assign the IP address 192.168.3.x to the VNIC. A safer choice might be 192.168.0.250, assuming that there is no 192.168.0.0/24 network that is known to the default router.

    For specific instructions on assigning the IP address to the VNIC, refer to Steps 5 through 7 of How to Create a Virtual Network Interface.
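The subnet check in this step is easy to get wrong by eye, because Solaris prints the netmask in hex. The following POSIX sh script is an added example, not part of this guide: it parses an ifconfig -a listing (a constructed sample modelled on the one above), masks the uplink address and the candidate VNIC address, and reports whether the candidate would land on the uplink's subnet. The function names (ip_to_int, iface_addr_mask, same_network, check_vnic_addr) are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original guide): check that a candidate VNIC
# address does not fall inside the subnet of the host's uplink interface.
# The ifconfig output below is a constructed sample modelled on the guide's.

IFCONFIG_SAMPLE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40'

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "address netmask" for interface $1, taken from the sample ifconfig text.
# Solaris prints the netmask in hex (ffffff00 is a /24).
iface_addr_mask() {
    printf '%s\n' "$IFCONFIG_SAMPLE" | awk -v want="$1:" '
        $1 == want { found = 1; next }
        found && $1 == "inet" { print $2, $4; exit }
        /^[a-z]/ { found = 0 }'
}

# Exit 0 when candidate $3 lies in the same subnet as address $1 with hex mask $2.
same_network() {
    a=$(ip_to_int "$1")
    m=$(( 0x$2 ))
    b=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Print "ok" if VNIC address $2 is outside the subnet of uplink $1, else "overlap".
check_vnic_addr() {
    set -- "$2" $(iface_addr_mask "$1")
    if same_network "$2" "$3" "$1"; then
        echo overlap
    else
        echo ok
    fi
}

# Walk-through on the sample: 192.168.3.x collides with the uplink, 192.168.0.250 does not.
for cand in 192.168.3.80 192.168.0.250; do
    echo "$cand on e1000g0: $(check_vnic_addr e1000g0 "$cand")"
done
```

On a real host, replace IFCONFIG_SAMPLE with the output of ifconfig -a. The script only proves that the candidate is off the uplink's own subnet; whether the chosen private prefix is already known to the default router is something only the router's routing table can answer.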

  4. Check the status of routing protocols on the system.


    # routeadm
    

    You should receive output similar to the following:


                  Configuration   Current              Current
                         Option   Configuration        System State
    ---------------------------------------------------------------
                   IPv4 routing   enabled              enabled
                   IPv6 routing   disabled             disabled
                IPv4 forwarding   disabled             disabled
                IPv6 forwarding   disabled             disabled
    
               Routing services   "route:default ripng:default"

    Note that routing is enabled but packet forwarding is disabled. You need to enable IPv4 forwarding in the global zone before you set up NAT or other rules through the IP Filter firewall.

  5. Enable IP forwarding.


    # routeadm -u -e ipv4-forwarding
    
  6. Create the basic packet filtering file /etc/ipf/ipnat.conf to provide network address translation.

    The next steps use Solaris IP Filter to perform NAT for outgoing packets that originate inside the private network. For an introduction to IP Filter, refer to Chapter 24, Solaris IP Filter (Overview), in System Administration Guide: IP Services.


    # cd /etc/ipf
    # vi ipnat.conf
    map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
    map e1000g0 192.168.0.0/24 -> 0/32

    This rule set tells the IP Filter software how to translate the IP addresses of outgoing packets when they arrive at interface e1000g0. Any TCP and UDP packets that arrive from private network 192.168.0.0/24 have their IP addresses translated to the address of the global zone before exiting the system. The global zone has the same IP address as network interface e1000g0, 192.168.3.70. This interface is connected to external network 192.168.3.0/24, which is known to the network's default router.

    The rule set above implements a simple NAT scenario, but you can also add packet filtering rules to /etc/ipf/ipnat.conf, if required. For more information, see Configuring Solaris IP Filter in System Administration Guide: IP Services.

  7. Start IP Filter and verify that the rules in /etc/ipf/ipnat.conf are active.


    # svcadm enable network/ipfilter
    # ipnat -l
    List of active MAP/Redirect filters:
    map e1000g0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
    map e1000g0 192.168.0.0/24 -> 0.0.0.0/32
    
    List of active sessions:
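
Steps 4 through 7 only work together: forwarding without the map rules lets private source addresses leave the host untranslated, and map rules without forwarding relay nothing. The following POSIX sh script is an added example, not part of this guide, that audits both states from the command output shown above. The routeadm table and the ipnat -l listing it reads are constructed samples modelled on the guide's; the function names (routeadm_state, nat_rule_present, nat_ready) are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original guide): audit the routeadm state and
# the active NAT rules before trusting the global zone to relay private traffic.
# Both listings below are constructed samples modelled on the guide's output.

ROUTEADM_BEFORE='              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"'

# The same table as it looks after "routeadm -u -e ipv4-forwarding".
ROUTEADM_AFTER=$(printf '%s\n' "$ROUTEADM_BEFORE" |
    sed 's/^\( *IPv4 forwarding *\)disabled *disabled$/\1enabled              enabled/')

IPNAT_LIST='List of active MAP/Redirect filters:
map e1000g0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0.0.0.0/32

List of active sessions:'

# Print the "Current System State" column for family $2 (IPv4/IPv6) and option $3
# (routing/forwarding) from routeadm output passed as $1.
routeadm_state() {
    printf '%s\n' "$1" | awk -v f="$2" -v o="$3" '$1 == f && $2 == o { print $4; exit }'
}

# Exit 0 when the ipnat -l listing $1 has an active map rule for source network $3
# on interface $2.
nat_rule_present() {
    printf '%s\n' "$1" | awk -v i="$2" -v n="$3" '
        $1 == "map" && $2 == i && $3 == n { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print "ready" when forwarding is on and a map rule exists; otherwise print the
# first problem found and return 1.
nat_ready() {
    if [ "$(routeadm_state "$1" IPv4 forwarding)" != enabled ]; then
        echo "ipv4-forwarding is off: the global zone will not relay packets from $4"
        return 1
    fi
    if ! nat_rule_present "$2" "$3" "$4"; then
        echo "no map rule for $4 on $3: private source addresses would leave untranslated"
        return 1
    fi
    echo ready
}

echo "before: $(nat_ready "$ROUTEADM_BEFORE" "$IPNAT_LIST" e1000g0 192.168.0.0/24)"
echo "after:  $(nat_ready "$ROUTEADM_AFTER" "$IPNAT_LIST" e1000g0 192.168.0.0/24)"
```

On a live system, feed the functions the real output of routeadm and ipnat -l instead of the samples. Remember that ipv4-forwarding is a system-wide setting, not one limited to the etherstub: once it is enabled, the global zone forwards for every interface it has, so the filter rules you keep alongside the NAT rules decide what may actually transit.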

  8. Boot an already-installed exclusive IP zone.


    # zoneadm -z zone-name boot
    

    Repeat this step for all zones to be part of the private virtual network.

  9. Log in to each exclusive IP zone and plumb its associated VNIC.


    # zlogin zone-name
    # ifconfig vnic-link-name plumb
    # ifconfig vnic-link-name vnic-IP-address
    # ifconfig vnic-link-name up
    
  10. Exit the final zone that you configured and return to the global zone.

  11. Add entries for all VNICs in the /etc/inet/hosts file, as shown in How to Manually Configure the VNIC and Exclusive IP Zone.

  12. Edit the /etc/hostname/vnic-name files, as shown in How to Manually Configure the VNIC and Exclusive IP Zone.


Example 11–7 Private Virtual Network Configuration

The following example shows the commands to implement the private virtual network that is shown in Figure 10–2.

To use the commands, you must first log in to the system's global zone as superuser or equivalent role.


# dladm create-etherstub etherstub0
# dladm show-etherstub
LINK
etherstub0
# dladm create-vnic -l etherstub0 vnic0
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2

# dladm show-vnic
LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
vnic0       etherstub0      0 Mbps  2:8:20:c2:39:38    random
vnic1       etherstub0      0 Mbps  2:8:20:45:8f:c9    random
vnic2       etherstub0      0 Mbps  2:8:20:6b:8:ab     random

# dladm show-link
LINK        CLASS    MTU    STATE    OVER
e1000g0     phys     1500   up       --
vnic0       vnic     9000   up       etherstub0
vnic1       vnic     9000   up       etherstub0
vnic2       vnic     9000   up       etherstub0

At this stage, you create exclusive IP zones over the VNICs, configure them, and assign IP addresses to them, as explained in Configuring a Basic Virtual Network.


# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

# ifconfig vnic0 plumb
# ifconfig vnic0 192.168.0.250
# ifconfig vnic0 up

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 5
        inet 192.168.0.250 netmask ffffff00 broadcast 192.168.0.255
        ether 2:8:20:c2:39:38
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

# routeadm -u -e ipv4-forwarding

# cd /etc/ipf
# vi ipnat.conf
map e1000g0 192.168.0.0/24 -> 0/32  portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
# svcadm enable network/ipfilter

# zoneadm -z zone1 boot
# zoneadm -z zone2 boot

Next Steps