Thursday, May 27, 2010

Simple NAT router for ESX

SkyHi @ Thursday, May 27, 2010

Questions:

Hi Guys,



I'm looking for a simple virtual appliance that I can deploy to my ESX environment to use as a virtual NAT router / firewall to create an isolated network that I can easily give internet access too.



Basic setup: ESX Host, has 2 vswitches configured: 1 is connected to the physical LAN, the other is isolated. I need an appliance that I can add 2 vNICs to, and attach one to the isolated vSwitch, the other to the LAN, to give the isolated network outbound access (so it can reach the internet).



Anyone have an appliance that I can setup quickly to do so?



Thanks.


Solutions:


I like PFSense www.pfsense.org, they have a VMWare appliance:



http://doc.pfsense.org/index.php/VMwareAppliance



Any VM with routing capabilities will do:



  • Linux with some IPTABLES configuration.
  • FreeBSD with its PF (or IPTABLES again).
  • Windows Server with the built-in RRAS.
  • Even Windows client (XP, Vista, 7) with its built-in Internet Connection Sharing can do that.


If you know some Linux and IPTABLES, it's quite easy to set this up; if you're more Windows-oriented, the Routing and Remote Access Service (built-in in Windows Server since 2000) it's very easy to set up and configure on a (virtual) server with two NICs.




REFERENCES
http://serverfault.com/questions/143440/simple-nat-router-for-esx

=====================================================


NAT in VMWare vSphere/ESX – In a nut shell




This post is about NATing an ESX VM, but first, why do I need NAT:


The SIP protocol is not NAT oblivious. To traverse NAT our application has to replace the DNS in the SIP message contact header to the external FQDN that the message receiver will be sending responses to (A NAT with static routing configured).

Therefore I needed to test our software in a NAT topology.


In the past, when we used VMWare player/workstation, it had a build-in NAT network. But, unfortunately, the ESX hypervisor does not provide a NATed network option.

Seeking alternatives at VMWare’s appliance marketplace, I found and downloaded the Vyatta’s community edition (VC5) router appliance (also downladble from sourceforge), and comes under the GPL license.

After 3-4 hours – guided by the official quick start guide - I had a working NAT configuration in the ESX. Hurray!

Overall, not a hard nut to crack ;) , though I wish VMWare will wise up and just add an build-in NAT option to vSphere.


Left to do:

Obtain some static IPs, so the config won’t break each time the vm reboots and the DHCP lease expires.

Tip #1:

If you want want to access your NATed VM by RDP/VNC, without setting up extra NAT routing rules, consider adding the VM an additional un-NATed NIC, but when doing so, make sure that the OS routing tables are set to route through the NIC that is NATed.

Tip #2:

This short vyatta user installation report also helped me a bit.


Here’s the complete configuration script I ended up feeding to the appliance console (network topology is similar to the one presented in the Vyatta’s getting stated guide):

Where:

1.2.3.4 is your department’s DNS server

192.168.1.199 is the VMs NATed private IP address (provided by the DHCP).

The script contains a NAT forward rule for VNC (port 5900)


<code>
configure
set system host-name vyatta-nat
set interfaces ethernet eth0 address dhcp
set service ssh
set service https
commit;
save;
# restart the appliance to switch from console remote desktop to SSH:

#login with user and password
configure
show interfaces

set interfaces ethernet eth1 address 192.168.1.254/24

commit;

delete service dhcp-server
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.254
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 1.2.3.4
commit;
show service dhcp-server

set service nat rule 1 source address 192.168.1.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
commit;
show service nat
save;
exit
show nat rules
configure
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth0
# use a negative fake address to so that all incoming communication will be nated
#set service nat rule 20 destination address !192.168.50.0
#Forward traffic to address 192.168.1.199
set service nat rule 20 inside-address address 192.168.1.199
set service nat rule 20 protocol tcp
set service nat rule 20 destination port 5900
commit;
save;
exit
</code>


REFERENCES
http://www.javatuning.com/nat-in-vmware-vsphereesx-in-a-nut-shell/







=====================================================

SmoothWall Express as NAT on ESXi




It’s odd that ESXi doesn’t come with an NAT implementation. Even more strange is that it’s not easy to find a simple-to-use virtual appliance to fit the gap.


From the VMWare community, there are suggestions on using Freesco or m0n0wall. However, both are not as easy to setup as I like. Finally, I found SmoothWall Express 3.0 VMWare image but there lacks doc on using the image.


Here is a quick setup guide to use the appliance as an NAT server,


  • From ESXi server, create a vSwitch and connect it to host NIC. Add a virtual machine network, say external, to it.
  • Create another vSwitch without NIC. Add a virtual machine network, say protected, to it.
  • Download SmoothWall Express 3.0 VMWare.
  • Extract the VM files.
  • Use VMWare Converter to convert the VM and upload to ESXi server:
    • eth0->connect to protected network
    • eth1->connect to external network

  • Login the SmoothWall VM with account root and password happydays.
  • run setup:
    • Keyboard mapping->us
    • Networking
      • Network configuration type->GREEN + RED
      • Drivers and card assignments: Green->eth0 / Red->eth1
      • Address settings: Green->internal IP / Red->external IP
      • DNS and Gateway settings: for external interface

    • DHCP Server Configuartion
      • Enable it. Add internal address range. DNS is the internal IP in address setting.


  • Update the root/admin/user passwords
  • Connect a Windows VM to the protected network to verify DHCP is working properly.
  • From the Windows VM, browse to https://internal_ip:441.
  • Logon with account admin and the new password you set.
  • Click Maintenance->Update->Update to install patches from mySmoothWall. Reboot afterward.


REFERENCES
http://blog.ust.hk/martinl/2009/03/25/smoothwall-express-as-nat-on-esxi/


=====================================================

OpenBSD as a Simple NAT Router



To setup a simple NAT router/firewall using OpenBSD, use these steps as a general guideline. I’m assuming that you have general knowledge of OpenBSD.


First, configure the network interfaces appropriately. Typically, this will involve editing the hostname.<NIC type> file. In a VMware ESX Server environment, OpenBSD uses pcn0 for the first virtual NIC, pcn1 for the second virtual NIC, etc., so the appropriate configuration files would be hostname.pcn0, hostname.pcn1, and so forth.


Next, enable IP forwarding by editing /etc/sysctl.conf and making the following change (the line is present in a default installation, you just need to uncomment it):



net.inet.ip.forwarding=1


Next, we’ll need to enable the OpenBSD packet filter, pf. This is typically done by creating/editing the file /etc/rc.conf.local and making sure the following line is present:



pf=YES


Next, we’ll configure pf for network address translation (NAT) and simple packet filtering. If you’ve never configured pf before, I highly recommend this OpenBSD PF guide; it will introduce you to the functionality of this very powerful packet filtering engine. (Sometimes I wish Mac OS X would switch to using pf.) You configure pf by placing a ruleset into /etc/pf.conf.

Here’s a quick sample ruleset (keep in mind this is based on OpenBSD running as a virtual machine in a VMware environment):

# Set some variables for use later
ext_if=“pcn1”
int_if=“pcn0”
icmp_types=“echoreq”

# Skip all loopback traffic
set skip on lo

# Scrub all traffic
scrub in

# Perform NAT on external interface
nat on $ext_if from $int_if:network -> ($ext_if:0)

# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
pass in inet proto icmp from $allowed_hosts icmp-type $icmp_types keep state

This is a really, really simple configuration, but it will get the job done. (I did title this “OpenBSD as a Simple NAT Router”, after all.)

For more advanced configurations, I highly recommended reviewing the OpenBSD documentation (which, by the way, is very thorough and very extensive; kudos to the OpenBSD team for their documentation efforts.)



REFERENCES
http://blog.scottlowe.org/2006/10/06/openbsd-as-a-simple-nat-router/