Crossbow & NAT to share DHCP WiFi interface between zones.

Before Crossbow it was not easy to give a zone network access when only one DHCP network interface was available in the global zone. With OpenSolaris snv105 and later it is very easy: we only have to create one virtual switch between the zones and the global zone, then use Solaris NAT (Network Address Translation) to translate all private network addresses used by the zones to the global zone's DHCP IP address.
In this simple example we use Crossbow and NAT to share one WiFi DHCP network interface between two zones and the global zone.


With ifconfig(1m) we can see that the DHCP WiFi network interface uses the network 192.168.0.0/24 in the global zone. We have to use another private network defined in RFC 1918 for the private network between the zones and the global zone, for example 192.168.1.0/24.
# ifconfig iwi0
iwi0: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu 1500 index 3
inet 192.168.0.3 netmask ffffff00 broadcast 192.168.0.255


Create a new virtual switch and create virtual network interfaces (vnic) in the new switch:
# dladm create-etherstub etherstub0
# dladm show-etherstub
LINK
etherstub0
# dladm create-vnic -l etherstub0 vnic0
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2
# dladm show-vnic
LINK         OVER         SPEED  MACADDRESS           MACADDRTYPE         VID
vnic0        etherstub0   0      2:8:20:45:d9:df      random              0
vnic1        etherstub0   0      2:8:20:c8:45:8a      random              0
vnic2        etherstub0   0      2:8:20:39:8e:47      random              0


Configure the virtual network interface vnic0 in the global zone, using a static address for vnic0:
# echo "192.168.1.254     opsbox" >> /etc/hosts
# ifconfig vnic0 plumb
# ifconfig vnic0 opsbox netmask + broadcast + up
# ifconfig vnic0
vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 2
        inet 192.168.1.254 netmask ffffff00 broadcast 192.168.1.255
        ether 2:8:20:45:d9:df


Configure the virtual network interface for each zone. For example, zone1 uses vnic1: set the zone ip-type to exclusive, use a static address for vnic1 (192.168.1.1), and set the default router to the IP address of the global zone in the private network (192.168.1.254):
# zonecfg -z zone1
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> end
zonecfg:zone1> commit
# zoneadm -z zone1 reboot
# zlogin zone1
root@zone1 # echo "192.168.1.1     zone1" >> /etc/hosts
root@zone1 # echo "192.168.1.254   opsbox" >> /etc/hosts
root@zone1 # echo zone1 > /etc/hostname.vnic1
root@zone1 # echo opsbox > /etc/defaultrouter
root@zone1 # reboot


Copy the global zone DNS configuration to all zones. Example for zone1:
# cp /etc/nsswitch.conf /zones/zone1/root/etc
# cp /etc/resolv.conf /zones/zone1/root/etc


Finally, set up NAT in the global zone. Any TCP/UDP packet that arrives from the private network 192.168.1.0/24 must have its source IP address translated to the address of the global zone before leaving the system. To do this:
Enable IPv4 forwarding in the global zone:
# routeadm -u -e ipv4-forwarding
Create the ipnat.conf file in the global zone:
# vi /etc/ipf/ipnat.conf
map iwi0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map iwi0 192.168.1.0/24 -> 0.0.0.0/32
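Added example, not part of the original post: a small shell script that ties the two choices above together. It parses the "ifconfig iwi0" output shown earlier, checks that the private zone network does not overlap the DHCP network of the WiFi interface (the RFC 1918 point made above), and only then emits the two ipnat map rules. The ifconfig sample is a constructed copy of the post's own output, and the interface name and private network are assumed to be iwi0 and 192.168.1.0/24 as in the post.

```sh
#!/bin/sh
# Added example (not from the original post): check that the private zone
# network does not overlap the DHCP network of the WiFi interface, then emit
# the matching /etc/ipf/ipnat.conf map rules. Assumes 64-bit shell arithmetic.

EXT_IF=iwi0                 # external (DHCP) interface, as in the post
PRIV_NET=192.168.1.0/24     # private network shared by the zones

# Constructed sample of "ifconfig iwi0" output, copied from the post.
IFCONFIG_SAMPLE='iwi0: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu 1500 index 3
        inet 192.168.0.3 netmask ffffff00 broadcast 192.168.0.255'

# Print "address hexmask" from the inet line of ifconfig output.
inet_from_ifconfig() {
    printf '%s\n' "$1" | awk '/inet / { print $2, $4; exit }'
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a prefix length (0-32) to an integer netmask.
prefix_to_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Succeed (exit 0) when the private CIDR overlaps the external interface's
# network: two CIDR blocks overlap exactly when their addresses agree under
# the shorter of the two masks.
overlaps() {   # overlaps <ext_addr> <ext_hexmask> <priv_cidr>
    ext_mask=$(( 0x$2 ))
    priv_mask=$(prefix_to_mask "${3#*/}")
    common=$(( ext_mask & priv_mask ))
    x=$(( $(ip_to_int "$1") & common ))
    y=$(( $(ip_to_int "${3%/*}") & common ))
    return $(( x != y ))
}

# Emit the two ipnat map rules used in the post for a given interface/network.
gen_ipnat_rules() {   # gen_ipnat_rules <ext_if> <priv_cidr>
    printf 'map %s %s -> 0.0.0.0/32 portmap tcp/udp auto\n' "$1" "$2"
    printf 'map %s %s -> 0.0.0.0/32\n' "$1" "$2"
}

# Run the check on the sample and print the rules only if it passes.
set -- $(inet_from_ifconfig "$IFCONFIG_SAMPLE")
if overlaps "$1" "$2" "$PRIV_NET"; then
    echo "error: $PRIV_NET overlaps the network of $EXT_IF ($1/$2)" >&2
else
    gen_ipnat_rules "$EXT_IF" "$PRIV_NET"
fi
```

Redirect the script's output into /etc/ipf/ipnat.conf only after it reports no overlap; an overlapping private network would make the zones' traffic indistinguishable from the WiFi segment for the NAT rule.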

Start ipfilter in the global zone and show the current NAT table:
# svcadm enable network/ipfilter
# ipnat -l
List of active MAP/Redirect filters:
map iwi0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map iwi0 192.168.1.0/24 -> 0.0.0.0/32


Test with a simple ping in all zones, for example in zone1:
root@zone1: # ping -s www.google.com
PING www.google.com: 56 data bytes
64 bytes from 209.85.227.147: icmp_seq=0. time=50.864 ms
64 bytes from 209.85.227.147: icmp_seq=1. time=50.184 ms

Jerome Blanchet