A handy recipe for a private NAT'd DHCP server

I have been working a lot recently with kernel zones to test various aspects of the archive library. Most of my work requires connectivity to IPS publishers which I have set up on the zone, and those are usually hosted remotely on my build server. So I found myself needing networking for the test zones in order for them to be useful. However, I didn't want to go through the trouble of allocating static IP addresses for simple throwaway test stands. So I started using a private DHCP server for the zones, and I set up NAT with IP filtering so that the zones could reach the outside world through the private network.

The general idea is as follows. We build an etherstub in the host global zone and hang a virtual NIC off of it. We plumb up the vnic with a private net address and run a DHCP server on that private subnet. We then configure NAT with IP filtering and IP forwarding for that subnet over to the public network, and clients on that private net can get out to the public network.

For a zone to make use of the DHCP server, its net/anet 'lower-link' must be set to the etherstub, which is a one-line zonecfg change from the default. You can put as many zones as you like on the stub, but if they do a lot of I/O-intensive work, using more than one physical NIC might be a good idea. Your mileage may vary, of course.

The steps to build this up follow.

First, create the etherstub for the private network and create a host vnic on it for the DHCP server. Then set a private net IP address on the vnic and check that the configuration is correct so far.

# dladm create-etherstub stub0
# dladm create-vnic -l stub0 vnic0

# ipadm create-ip vnic0
# ipadm create-addr -T static -a 192.168.0.1/24 vnic0/privaddr

# dladm show-vnic vnic0
LINK OVER SPEED MACADDRESS MACADDRTYPE VIDS
vnic0 stub0 40000 2:8:20:83:3:95 random 0

# ipadm show-addr vnic0
ADDROBJ TYPE STATE ADDR
vnic0/privaddr static ok 192.168.0.1/24

Next, configure NAT and enable IP forwarding. The ipnat map rule is what ties the private subnet to your public-facing link, so put that link's vanity name in the rule (net0 in the example below). Note that the ipadm command turns on IPv4 forwarding for the whole host, not only for the private subnet.

# cat /etc/ipf/ipnat.conf
map net0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto

# ipadm set-prop -p forwarding=on ipv4

Configure a simple DHCP server for the private network. Customize the settings according to your preferences.

# cat /etc/inet/dhcpd4.conf
option domain-name "domain.com";                # <--- enter your DNS info here
option domain-name-servers 10.8.0.1, 10.8.0.2;  # <--- enter your DNS info here

default-lease-time 86400;

max-lease-time -1;

log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.120;
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
}

Finally, turn on IP filtering and the DHCP server.

# svcadm enable svc:/network/ipfilter:default
# svcadm enable svc:/network/dhcp/server:ipv4

To make use of the new private DHCP server, just set the etherstub's name as your zone's lower-link via zonecfg and boot the zone.

# zonecfg -z some-zone "select anet id=0;set lower-link=stub0;end"

Zones booted on the etherstub should get private net IP addresses from the DHCP server and should be able to reach the public network.
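The recipe keeps the NAT map, the DHCP subnet and the vnic address in three separate places, so a typo in any one of them leaves zones with a lease but no route out. The POSIX sh check below is an added example, not code from the post: it parses constructed copies of the recipe's two config files (with the recipe's values embedded inline, plus the vnic address set by ipadm create-addr) and verifies that the DHCP range and router lie inside the declared subnet, that the router is the vnic address, and that the ipnat map rule covers that subnet.

```shell
# Added consistency check for the recipe above (not from the original post).
# It confirms that the dhcpd4.conf range and router sit inside the declared
# subnet, that the router is the host vnic address, and that the ipnat map
# rule covers that subnet. The two config texts are constructed copies of the
# recipe's files; the vnic address is the one set with ipadm create-addr.
DHCPD_CONF='subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.120;
    option routers 192.168.0.1;
}'
IPNAT_CONF='map net0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto'
VNIC_ADDR=192.168.0.1

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# field $4 of the first line whose first word is $2 (and second word $3, if given)
cfield() {
    printf '%s\n' "$1" | awk -v k1="$2" -v k2="$3" -v f="$4" \
        '$1 == k1 && (k2 == "" || $2 == k2) { sub(/;$/, "", $f); print $f; exit }'
}

# $1 dhcpd4.conf text, $2 ipnat.conf text, $3 vnic address.
# Prints every violated invariant and returns their count (0 = consistent).
check_private_net() {
    net=$(cfield "$1" subnet "" 2); mask=$(ip2int "$(cfield "$1" subnet "" 4)")
    lo=$(cfield "$1" range "" 2);   hi=$(cfield "$1" range "" 3)
    gw=$(cfield "$1" option routers 3)
    natnet=$(cfield "$2" map "" 3)
    natmask=$(( (4294967295 << (32 - ${natnet#*/})) & 4294967295 ))
    natnet=${natnet%/*}
    n=$(ip2int "$net"); bad=0
    for a in "$lo" "$hi" "$gw"; do
        [ $(( $(ip2int "$a") & mask )) -eq $(( n & mask )) ] \
            || { echo "FAIL: $a is outside $net"; bad=$((bad + 1)); }
    done
    [ "$(ip2int "$lo")" -le "$(ip2int "$hi")" ] \
        || { echo "FAIL: range $lo-$hi is reversed"; bad=$((bad + 1)); }
    [ "$gw" = "$3" ] \
        || { echo "FAIL: routers $gw is not the vnic address $3"; bad=$((bad + 1)); }
    [ "$natmask" -le "$mask" ] && [ $(( n & natmask )) -eq $(( $(ip2int "$natnet") & natmask )) ] \
        || { echo "FAIL: ipnat map $natnet does not cover $net"; bad=$((bad + 1)); }
    [ "$bad" -eq 0 ] && echo "ok: DHCP subnet, router and ipnat map agree"
    return "$bad"
}

check_private_net "$DHCPD_CONF" "$IPNAT_CONF" "$VNIC_ADDR"
```

To check a live host, feed it the real files with `check_private_net "$(cat /etc/inet/dhcpd4.conf)" "$(cat /etc/ipf/ipnat.conf)" 192.168.0.1` before enabling the services.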

This works really well for my purposes; feel free to suggest useful updates and I'll add them in.
