NAT in VMWare vSphere/ESX – In a nut shell
This post is about NATing an ESX VM, but first, why do I need NAT:
The SIP protocol is not NAT oblivious. To traverse NAT our application has to replace the DNS in the SIP message contact header to the external FQDN that the message receiver will be sending responses to (A NAT with static routing configured).
Therefore I needed to test our software in a NAT topology.
In the past, when we used VMWare player/workstation, it had a build-in NAT network. But, unfortunately, the ESX hypervisor does not provide a NATed network option.
Seeking alternatives at VMWare’s appliance marketplace, I found and downloaded the Vyatta’s community edition (VC5) router appliance (also downladble from sourceforge), and comes under the GPL license.
After 3-4 hours – guided by the official quick start guide - I had a working NAT configuration in the ESX. Hurray!
Overall, not a hard nut to crack , though I wish VMWare will wise up and just add an build-in NAT option to vSphere.
Left to do:
Obtain some static IPs, so the config won’t break each time the vm reboots and the DHCP lease expires.
If you want want to access your NATed VM by RDP/VNC, without setting up extra NAT routing rules, consider adding the VM an additional un-NATed NIC, but when doing so, make sure that the OS routing tables are set to route through the NIC that is NATed.
This short vyatta user installation report also helped me a bit.
Here’s the complete configuration script I ended up feeding to the appliance console (network topology is similar to the one presented in the Vyatta’s getting stated guide):
220.127.116.11 is your department’s DNS server
192.168.1.199 is the VMs NATed private IP address (provided by the DHCP).
The script contains a NAT forward rule for VNC (port 5900)
configure set system host-name vyatta-nat set interfaces ethernet eth0 address dhcp set service ssh set service https commit; save; # restart the appliance to switch from console remote desktop to SSH: #login with user and password configure show interfaces set interfaces ethernet eth1 address 192.168.1.254/24 commit; delete service dhcp-server set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199 set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.254 set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 18.104.22.168 commit; show service dhcp-server set service nat rule 1 source address 192.168.1.0/24 set service nat rule 1 outbound-interface eth0 set service nat rule 1 type masquerade commit; show service nat save; exit show nat rules configure set service nat rule 20 type destination set service nat rule 20 inbound-interface eth0 # use a negative fake address to so that all incoming communication will be nated #set service nat rule 20 destination address !192.168.50.0 #Forward traffic to address 192.168.1.199 set service nat rule 20 inside-address address 192.168.1.199 set service nat rule 20 protocol tcp set service nat rule 20 destination port 5900 commit; save; exit
This entry was posted by Gili Nachum on February 1, 2010 at 21:00, and is filed under network, virtualization. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.
No comments yet.
No trackbacks yet.
about 2 years ago - 5 comments
One upon a time (Jan 2009) I’ve written this post, basically saying that you’re not likely to be able to spoof IP address over the Internet. Turns out I was dead wrong! It happened so the very experienced Mr Filipe, from Brazil, came across the post and left me a comment saying that Spoofing over…
about 3 years ago - 2 comments
WebSphere have announced WAS hypervisor edition. You get an OVF package with a ready to use WAS profile running on Linux. The OVF package can be deployed on VMWare ESX/ESXi and IBM’s cludeburst appliance. Websphere also say that they carried out WAS best-practice tuning for the OS. Not sure how mattering this tuning is considering…
about 3 years ago - 2 comments
Avi Ribchinsky, a friend and a college of mien, is transitioning from C++ to the Java world. He had been playing with Thread.sleep(), when he noticed that the sleep method might oversleep more than ordered, and moreover, it could also under sleep (see Fig 1). Coming from the C++ world, that surely caught him surprised…
about 4 years ago - No comments
I have two windows servers that shouldn’t talk to each other. How do I make sure they don’t? Right, why not use some firewall? well, because I can’t just install any software on these servers, company regulations, and windows’ built-in firewall suck big time (only inbound, have to configure ALL exceptions). On Linux this is…
about 4 years ago - 15 comments
Why did I wanted to spoof source IP addresses? and why did I failed? Here’s the story before you: ———— UPDATE Sep/2010: Dear Filipe (see comments below) had proven to me that spoofing over the internet is indeed possible, read all about it on the continuation post: My attempts with IP Spoofing – Revisited. Now…
about 4 years ago - 3 comments
I just read through most of O’Reilly’s Linux Server Hacks book. I expected another dull Linux how-to book, which goes over the man/info of the most obvious commands, but instead I found an interesting, original, advanced hardcore book, full of Linux goodies to brag about in front of my colleagues. Some note worthy items: A…
about 4 years ago - No comments
When using the VMWare convertor utility to convert between VmWare player/Workstation/server VM images to an ESX image, if the VM you are converting is Linux you might run into boot problems (“kernel panic” message) due to SCSI drivers problems. I found a couple of resources about the problem but none fully worked for me, here…
about 4 years ago - 2 comments
Lately, I’ve been crossing paths with too many enterprise-level server products that, once installed, can’t tolerate any change to the local machine’s hostname. Don’t get me wrong, I’m not spoiled to dare wishing that a hostname change will be handle in run-time, without a restart. I’m not even suggesting that the change would be automatically…