{"id":1901,"date":"2014-04-21T13:07:23","date_gmt":"2014-04-21T11:07:23","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=1901"},"modified":"2014-04-22T13:21:27","modified_gmt":"2014-04-22T11:21:27","slug":"vmware-esxi-setting-up-nat-with-a-linux-virtual-machine","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/vmware-esxi-setting-up-nat-with-a-linux-virtual-machine\/","title":{"rendered":"VMware ESXi: Setting up NAT with a Linux virtual machine"},"content":{"rendered":"<p>Hi,<\/p>\n<p>Unlike VMware Workstation, VMware ESXi does not have the functionality of &#8220;NATting&#8221; virtual machines&#8217; network traffic into a public network.<\/p>\n<p>My approach to implement NAT is a virtual machine with a slimmed-down (Debian) Linux.<\/p>\n<p>This virtual machine has two network interfaces. The first interface is connected to a vSwitch called &#8220;Public LAN&#8221; with access to the public LAN, the second interface is connected to a vSwitch which has no physical adapter attached and is called &#8220;NAT Network&#8221;. 
A DHCP server on the NAT interface assigns IP addresses.<\/p>\n<p>Before we can start, some values have to be defined; the values for my configuration example are given in parentheses:<\/p>\n<ul>\n<li>IP parameters for the Public LAN interface (IP address: 172.16.10.10, subnet mask: 255.255.255.0, default gateway: 172.16.10.1)<\/li>\n<li>An IP address range for the NAT clients (range: 192.168.254.10-192.168.254.100, subnet mask: 255.255.255.0)<\/li>\n<li>An IP address from the range of the &#8220;NAT Clients&#8221; for the NAT interface (IP address: 192.168.254.1, subnet mask: 255.255.255.0)<\/li>\n<li>Locate DNS servers in your network (DNS 1: 172.31.1.24, DNS 2: 172.31.1.27)<\/li>\n<li>If you want to deliver a &#8220;primary DNS suffix&#8221; to the NAT clients, identify or define one (primary DNS suffix: natclients.local)<\/li>\n<\/ul>\n<p>Create a new virtual machine with 1 CPU and 1 GB RAM. This should be enough. Add two e1000 network interfaces. Connect NIC 1 to the &#8220;Public LAN&#8221; and NIC 2 to the &#8220;NAT Network&#8221; and install Debian with a minimum set of packages (&#8220;Standard system utilities&#8221; and &#8220;ssh-server&#8221;).<\/p>\n<figure id=\"attachment_1910\" aria-describedby=\"caption-attachment-1910\" style=\"width: 412px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2014\/04\/debian-minimum-install.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1910 \" alt=\"Minimum Debian package installation\" src=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2014\/04\/debian-minimum-install.png\" width=\"412\" height=\"166\" srcset=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2014\/04\/debian-minimum-install.png 515w, https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2014\/04\/debian-minimum-install-300x121.png 300w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><\/a><figcaption id=\"caption-attachment-1910\" 
class=\"wp-caption-text\">Minimum Debian package installation<\/figcaption><\/figure>\n<p>Log in as user root. Disable or remove some system daemons which are not required:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# update-rc.d -f exim4 remove\r\nroot@debdev:\/# update-rc.d -f rpcbind remove\r\nroot@debdev:\/# update-rc.d -f nfs-common remove\r\n<\/pre>\n<p>Install the ISC DHCP server:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# apt-get update\r\nroot@debdev:\/# apt-get install isc-dhcp-server\r\n<\/pre>\n<p>Bind the DHCP server only to the interface which is connected to the &#8220;NAT Network&#8221;, in this example eth1. Edit the file <b>\/etc\/default\/isc-dhcp-server<\/b> and alter the <b>INTERFACES<\/b> parameter to<br \/>\n<code><br \/>\nINTERFACES=\"eth1\"<br \/>\n<\/code><\/p>\n<p>Create a config file <b>\/etc\/dhcp\/dhcpd.conf<\/b> for the DHCP server:<\/p>\n<pre><code>\r\noption domain-name \"natclients.local\";\r\noption domain-name-servers 172.31.1.24,172.31.1.27;\r\noption ntp-servers 172.31.1.24;\r\nmax-lease-time 7200; # 2 hours\r\ndefault-lease-time 1800;\r\nddns-update-style none;\r\nsubnet 192.168.254.0 netmask 255.255.255.0 {\r\n    option routers 192.168.254.1;\r\n    option broadcast-address 192.168.254.255;\r\n    range 192.168.254.10 192.168.254.100;\r\n    authoritative;\r\n}<\/code><\/pre>\n<p>Enable NAT with the following command:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.254.10-192.168.254.100 -o eth0 -j MASQUERADE\r\n<\/pre>\n<p>In order to use NAT you have to enable IP forwarding. Therefore some additional firewall rules are necessary to prevent someone in the &#8220;Public LAN&#8221; subnet from sending IP packets directly to the NAT clients. 
Only outgoing connections from the NAT clients are allowed.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# iptables -A FORWARD -i eth1 -o eth0 -s 192.168.254.0\/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\r\nroot@debdev:\/# iptables -A FORWARD -i eth0 -o eth1 -d 192.168.254.0\/24 -m state --state RELATED,ESTABLISHED -j ACCEPT\r\nroot@debdev:\/# iptables -P FORWARD DROP\r\n<\/pre>\n<p>Also drop all DHCP requests at the &#8220;Public LAN&#8221; interface:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# iptables -A INPUT -i eth0 -p udp --dport 67 -j DROP\r\n<\/pre>\n<p>Save all the rules to a file:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# iptables-save &gt; \/etc\/firewall.conf\r\n<\/pre>\n<p>To load all rules at system startup, create a file <b>\/etc\/network\/if-up.d\/iptables<\/b><\/p>\n<pre><code>\r\n#!\/bin\/sh\r\niptables-restore &lt; \/etc\/firewall.conf\r\n<\/code><\/pre>\n<p>and make it executable:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# chmod +x \/etc\/network\/if-up.d\/iptables\r\n<\/pre>\n<p>Finally, enable IP forwarding. Edit <b>\/etc\/sysctl.conf<\/b>, locate net.ipv4.ip_forward, remove the comment hash and set the option to \"1\":<br \/>\n<code><br \/>\nnet.ipv4.ip_forward=1<br \/>\n<\/code><\/p>\n<p>Reboot your virtual machine.<\/p>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, unlike VMware Workstation, VMware ESXi does not have the functionality of &#8220;NATting&#8221; virtual machines&#8217; network traffic into a public network. My approach to implement NAT is a virtual machine with a slimmed-down (Debian) Linux. This virtual machine has two network interfaces. 
The first interface is connected to a vSwitch called &#8220;Public LAN&#8221; with access &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/vmware-esxi-setting-up-nat-with-a-linux-virtual-machine\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">VMware ESXi: Setting up NAT with a Linux virtual machine<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,7],"tags":[457,269,14],"class_list":["post-1901","post","type-post","status-publish","format-standard","hentry","category-linux","category-vmware","tag-esxi","tag-nat","tag-vmware-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=1901"}],"version-history":[{"count":21,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1901\/revisions"}],"predecessor-version":[{"id":1923,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1901\/revisions\/1923"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=1901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=1901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=1901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}