NAT in OpenSolaris
First, you must enable IP forwarding on your OpenSolaris box (the network/ipv4-forwarding SMF service).
Let's suppose that we have two network adapters: elxl0 (80.xxx.xxx.xxx), connected to the Internet, and e1000g0, connected to the intranet (172.16.16.1).
The ipnat.conf file can be located anywhere on the system if you load it by hand, for example /etc/ipnat.rules,
/usr/local/etc/ipnat.rules, or /etc/opt/ipf/ipnat.rules.
In OpenSolaris, the network/ipfilter service reads /etc/ipf/ipnat.conf (and /etc/ipf/ipf.conf for the filter rules), so that is the path to use if the rules should come back at boot.
cd /etc/ipf
echo >> ipnat.conf (creates the file if it is missing)
Add this line to ipnat.conf (0/32 means "the current address of elxl0", so the rule keeps working if the provider changes your address):
map elxl0 172.16.16.0/24 -> 0/32
The easiest way to load a NAT rule set is:
ipnat -CF -f /etc/ipf/ipnat.conf
(-C drops the currently loaded rules and -F flushes the active sessions before the file is read, so what ends up active is exactly what is in the file.)
To check that the rules from ipnat.conf are loaded, run as root:
ipnat -l
The output looks like this:
root@freya:/etc/ipf# ipnat -l
List of active MAP/Redirect filters:
map elxl0 172.16.16.0/24 -> 0.0.0.0/32
[...]
List of active sessions:
MAP 172.16.16.2 12769 <- -> 80.xxx.xxx.xxx 12769 [86.xxx.21.xxx 53]
Finally, from a host on the intranet, try to ping yahoo.com. If that works, you are good to go online :)
To see ipnat in action, run ipmon -o N (the N selects NAT events; I gives the filter log and S the state log).
You will see a lot of entries scrolling by:
[...]
15/02/2009 13:32:54.941834 @3 NAT:RDR 172.16.16.2,80 <- -> 80.xxx.xxx.xxx,80 [81.yy.yy.21,61501]
15/02/2009 13:32:55.082321 @3 NAT:RDR 172.16.16.2,80 <- -> 80.xxx.xxx.xxx,80 [87.xx.86.yy,61663]
15/02/2009 13:32:55.085297 @3 NAT:RDR 172.16.16.2,80 <- -> 80.xxx.xxx.xxx,80 [89.vv.vv.20,59811]
15/02/2009 13:32:58.030023 @3 NAT:EXPIRE 172.16.16.2,80 <- -> 80.xxx.xxx.xxx,80 [89.121.210.2,2787] Pkts 8/5 Bytes 1340/1499
The NAT:RDR entries above come from rdr (redirect, i.e. port forwarding) rules that are not shown in the listing; plain outbound masquerading through the map rule is logged as NAT:MAP, and NAT:EXPIRE shows a session being removed together with its packet and byte counts.
!!! Do not forget to enable the ipv4-forwarding and ipfilter services if you want your rules to be loaded at startup. Also remember that once forwarding is on, the box routes whatever reaches it: put at least an anti-spoofing rule and a default block for unsolicited inbound traffic on elxl0 into /etc/ipf/ipf.conf, which the same ipfilter service loads.
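As an added example (my own script, not part of the original post or of OpenSolaris), here is the procedure above as a single sh script that renders the two files the ipfilter service reads, /etc/ipf/ipnat.conf and /etc/ipf/ipf.conf, and installs them with the svcadm, ipf and ipnat commands. The interface names and the 172.16.16.0/24 LAN are the post's; the portmap clause, the second map rule for protocols without ports, the ipf.conf filter policy and the map_rule_count check are my additions and assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): render the ipnat.conf and ipf.conf
# for the gateway described above, and optionally install them.
# Assumptions: interface names, the 172.16.16.0/24 LAN and the file paths come
# from the post; the ipf.conf filter rules are my own minimal stateful policy.

EXT_IF=${EXT_IF:-elxl0}          # Internet side (public address)
INT_IF=${INT_IF:-e1000g0}        # intranet side (172.16.16.1)
LAN=${LAN:-172.16.16.0/24}

# NAT rule set.  "0/32" means "whatever address $ext currently has", so the
# rule survives a changing provider address.  "portmap tcp/udp auto" rewrites
# source ports so two LAN hosts using the same port do not collide; the second,
# plain map rule still catches protocols without ports (ICMP, GRE).
nat_rules() {
  ext=$1; lan=$2
  cat <<EOF
map $ext $lan -> 0/32 portmap tcp/udp auto
map $ext $lan -> 0/32
EOF
}

# Filter rule set.  Forwarding alone turns the box into an open router; these
# rules let the LAN initiate connections and block everything unsolicited on
# the external interface.  "quick" makes the first matching rule final.
filter_rules() {
  ext=$1; int=$2; lan=$3
  cat <<EOF
# anti-spoofing: LAN and loopback sources must never arrive from the Internet
block in quick on $ext from $lan to any
block in quick on $ext from 127.0.0.0/8 to any
# outbound from the gateway itself and from the LAN, keeping state for replies
pass out quick on $ext proto tcp from any to any flags S keep state
pass out quick on $ext proto udp from any to any keep state
pass out quick on $ext proto icmp from any to any keep state
# anything else that shows up unsolicited on the external side is dropped
block in log quick on $ext all
# LAN side: accept traffic from the intranet and let replies flow back
pass in quick on $int from $lan to any keep state
pass out quick on $int all keep state
EOF
}

# Count the map rules for a given interface in a rendered NAT rule set.
# Sanity check before installing: a rule set that maps nothing on the
# external interface would silently leave the LAN without Internet.
map_rule_count() {
  ext=$1
  printf '%s\n' "$2" | grep -c "^map $ext " || true
}

# Install and activate (root only; this is the part the post does by hand).
apply_rules() {
  nat=$(nat_rules "$EXT_IF" "$LAN")
  [ "$(map_rule_count "$EXT_IF" "$nat")" -ge 1 ] || { echo "no map rule for $EXT_IF" >&2; return 1; }
  printf '%s\n' "$nat" > /etc/ipf/ipnat.conf
  filter_rules "$EXT_IF" "$INT_IF" "$LAN" > /etc/ipf/ipf.conf
  svcadm enable svc:/network/ipv4-forwarding:default   # persistent IP forwarding
  svcadm enable svc:/network/ipfilter:default          # loads /etc/ipf/*.conf at boot
  ipf -Fa -f /etc/ipf/ipf.conf        # flush and reload filter rules now
  ipnat -CF -f /etc/ipf/ipnat.conf    # flush rules and sessions, load NAT rules now
  ipnat -l                            # confirm the map rules are active
}

case "${1:-show}" in
  apply) apply_rules ;;
  show)  nat_rules "$EXT_IF" "$LAN"; echo; filter_rules "$EXT_IF" "$INT_IF" "$LAN" ;;
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the rendered rule sets; run it as root with apply to install them. The filter policy is deliberately strict because forwarding with an empty ipf.conf makes the box a transparent router for whatever reaches elxl0; loosen it per service rather than dropping the final block rule.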
Comments
Now I'm just wondering how to configure the interfaces the way I want:
iprb0 -> dhcp ( internet )
iprb1 -> 192.168.0.1 ( static, internal)
The static part was easy enough, echo 192.168.0.1 > /etc/hostname.iprb1, but when trying with touch /etc/dhcp.iprb0 that interface won't come up. During boot I see an error about it. Running ifconfig -a does not list that interface, so it has not been plumbed.
Someone said that it was possible to get nwam to do this in a modern way...
I don't think that will work in this way.
First, DO NOT USE 'nwam'. I did have some problems with it, using multiple interfaces.
You can try 'sys-unconfig' to re-configure your system (you will be asked about network/ip/dhcp/, when prompted to use DHCP to configure network interfaces, specify YES)
Second, if you are using the manual method, 'echo > /etc/dhcp.iprb1' I think you must uncomment RELEASE_ON_SIGTERM=yes in /etc/default/dhcpagent
Anyway, I recommend not to use nwam, and re-configure your system with sys-unconfig.
nwam worked for me only on systems with one Ethernet interface. When adding more interfaces (one with DHCP, the other with a static IP), nwam failed.
With that setup I tried starting ipnat, but that gave me some error...
you should check the log files and check if ipfilter and forwarding services are running (svcs -x ipv4-forwarding and svcs -x ipfilter)
I'm an OpenSolaris user from Indonesia. I am interested in "NAT in opensolaris".
I've tried up to writing the line:
map elxl0 172.16.16.0/24 -> 0/32
then, when I type this command:
ipnat -CF -f /etc/ipnat.conf
the terminal shows:
ioctl(SIOCGNATS): I/O error
Would you help me with my problem?
it works..
this is my setting:
e1000g0 (NWAM active) -> dhcp (internet)
e1000g1 (NWAM active) -> static (intranet)
sppp0 (pptp e1000g0) -> connect to VPN
I need this pptp-client because internet in my university ruled by VPN.
The result is internet sharing for those who do not have a VPN account.
hope it's useful...
sppp0 or qfe2 (the interface the tunnel was plumbed on)
This may sound simple to test, but I get very mixed results. When I use, say, qfe2 for the NATting it does not work; I have to use sppp0. The weird thing is that in ipf.conf some rules will work on qfe2 and some will only work on sppp0. I can't find a direct answer as to which should be used.
Thanks in advance!
map sppp0 192..../24 -> 0/32
The NAT rule should be on the sppp0 interface, because the IP from the provider is on the PPPoE interface (and all the traffic is on the PPPoE IP).
Can you tell me what rules are not working?