Hi,
other than the Workstation, VMware ESXi does not has the functionality to “NATting” virtual machines network traffic into a public network.
My approach to implement NAT is a virtual machine with a slimmed-down (Debian) Linux.
These virtual machine has two network interfaces. The first interface is connected to a vSwitch called “Public LAN” with access to the public LAN, the second interface is connected to a vSwitch which has no physical adapter attached to and is called “NAT Network”. On the NAT interface a DHCP server is assigning IP Addresses.
Before we can start we have something to define, in braces are the values for my configuration example:
- IP Parameters for the Public LAN Interface (IP Address: 172.16.10.10, Subnet Mask: 255.255.255.0, Default Gateway: 172.16.10.1)
- An IP Address Range for the NAT Clients (Range: 192.168.254.10-192.168.254.100, Subnetmask: 255.255.255.0)
- IP Address, from the Range of “NAT Clients”, for the NAT Interface (IP Address: 192.168.254.1, Subnet Mask: 255.255.255.0)
- Locate DNS Servers in your network (DNS 1: 172.31.1.24, DNS 2: 172.31.1.27)
- If you want to deliver a “primary DNS suffix” to the NAT Clients, identify or define one (Primary DNS suffix: natclients.local)
Create a new virtual machine with 1 CPU and 1GB RAM. This should be enough. Add tw0 e1000 network interfaces. Connect NIC 1 to the “Public LAN” and NIC 2 to the “NAT Network” and install debian with a minimum set of packages (“Standard system utilities” and “ssh-server”)
Login as User root. Disable respectively remove some system daemon which are not required:
root@debdev:/# update-rc.d -f exim4 remove root@debdev:/# update-rc.d –f rpcbind remove root@debdev:/# update-rc.d -f nfs-common remove
Install the ISC DHCP Server
root@debdev:/# apt-get update root@debdev:/# apt-get install isc-dhcp-server
Bind the dhcp server only to the interface which is connected to the “NAT Network”, is this example eth1. Edit the file /etc/default/isc-dhcp-server and alter the INTERFACES parameter to
INTERFACES="eth1"
Create a config file /etc/dhcp/dhcpd.conf for the dhcp server.
option domain-name "natclients.local";
option domain-name-servers 172.31.1.24,172.31.1.27;
option ntp-servers 172.31.1.24;
max-lease-time 7200; # 2 hours
default-lease-time 1800;
ddns-update-style none;
subnet 192.168.254.0 netmask 255.255.255.0 {
option routers 192.168.254.1;
option broadcast-address 192.168.254.255;
range 192.168.254.10 192.168.254.100;
authoritative;
}
Enable NAT by the following command
root@debdev:/# iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.254.10-192.168.254.100 -o eth0 -j MASQUERADE
In order to use NAT you have to enable IP forwarding. Therefore some addional firewall rules are necessary to prevent that someone in the “Public LAN” Subnet can send IP packets directly to the NAT Clients. Only outgoing connections from the NAT Clients are allowed.
root@debdev:/# iptables -A FORWARD -i eth1 -o eth0 -s 192.168.254.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT root@debdev:/# iptables -A FORWARD -i eth0 -o eth1 -d 192.168.254.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT root@debdev:/# iptables -P FORWARD DROP
Also drop all dhcp request at the “Public LAN” interface.
root@debdev:/# iptables -A INPUT -i eth0 -p udp --dport 67 -j DROP
Save all the rules to a file
root@debdev:/# iptables-save > /etc/firewall.conf
To load all rules at system startup create a file /etc/network/if-up.d/iptables
#!/bin/sh
iptables-restore
and make it executable
root@debdev:/# chmod +x /etc/network/if-up.d/iptables
Finally enable ip forwarding. Edit /etc/sysctl.conf. Locate net.ipv4.ip_forward, remove the comment hash and set the option to "1".
net.ipv4.ip_forward=1
Reboot your virtual machine.
Michael