11.04.2006

Solaris Virtual Interfaces and NAT

At work I use a Sun X2100 with a dual-core 64-bit AMD CPU. We colocate it at an ISP. It's got Solaris 10 on it, with virtual interfaces on the bge0 interface. The nge0 interface connects to the ISP's router and the other one (bge0) is for our network. I've had it routing for quite some time, but now I needed to see if I could get NAT working too. Well, it took a while (because I'm stupid), but I got it. Sun's docs really aren't bad once you find the right one. I had heard that getting NAT to work on virtual interfaces wouldn't work, but I went ahead with it.

Using IPFilter, obviously, I configured /etc/ipf/pfil.ap so that the pfil STREAMS module gets pushed onto both interfaces. Then I configured /etc/ipf/ipnat.conf for plain old NAT. Here's my ipnat.conf, with some edits.

# FTP proxy: also rewrites the private address carried inside FTP PORT commands
map nge0 192.168.1.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
# port mapping: rewrite source ports so many internal hosts can share one public address
map nge0 192.168.1.0/24 -> 1.2.3.4/32 portmap tcp/udp auto
# catch-all for everything else; ipnat uses the first matching rule, so keep it last
map nge0 192.168.1.0/24 -> 1.2.3.4/32
# inbound redirect; note 70002 as printed is above the 65535 port limit, put the real port here
rdr nge0 1.2.3.4/32 port 70002 -> 192.168.1.2 port 80


So the first three lines are the NAT rules. They map the private subnet to one of our public IPs on nge0. The first one is the FTP proxy: active-mode FTP sends the client's own address inside the PORT command, so rewriting only the packet headers breaks it, and the proxy rewrites the address in the command as well. All the docs say to use it. The second one turns on port mapping, so source ports are rewritten too (auto lets ipnat pick the range) and many internal hosts can share the single public address. The third does the plain mapping for everything else. ipnat applies the first rule that matches, so the specific rules have to come before the catch-all. That last line is port redirection. All the data that comes in on our public IP on the given port goes to 192.168.1.2 on port 80 (TCP, since no protocol is given). One caveat: TCP ports only go up to 65535, so 70002 as printed will not load; substitute the real port. Pretty simple.
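To catch exactly that kind of slip before running ipnat, here is a small checker for the rule forms used above. It is an added example, not code from the original post or from IPFilter: it only understands the map/rdr shapes shown here, the sample file embedded in it is constructed from the post's rules, and the checks (valid addresses and CIDRs, ports within 0-65535, a bare map rule placed ahead of a proxy or portmap rule for the same interface/source/destination shadowing it under first-match) are the ones a practitioner would want before loading the file.

```python
"""Sanity checker for the ipnat.conf rule forms used in the post."""
import ipaddress
import re

# Constructed sample input: the post's four rules as printed, with comments
# (ipnat.conf allows '#' comments).  The rdr port is the one to be caught.
SAMPLE_IPNAT_CONF = """\
# outbound NAT: private LAN on bge0:1 -> one public address on nge0
map nge0 192.168.1.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
map nge0 192.168.1.0/24 -> 1.2.3.4/32 portmap tcp/udp auto
map nge0 192.168.1.0/24 -> 1.2.3.4/32
# inbound redirect to the internal web server
rdr nge0 1.2.3.4/32 port 70002 -> 192.168.1.2 port 80
"""

MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+(?P<opts>.+))?$"
)
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<extport>\S+)"
    r"\s+->\s+(?P<int>\S+)\s+port\s+(?P<intport>\S+)"
    r"(?:\s+(?P<proto>tcp/udp|tcp|udp))?$"
)
PROXY_RE = re.compile(r"^proxy\s+port\s+(?P<port>\S+)\s+(?P<label>\S+)/(?:tcp|udp)$")
PORTMAP_RE = re.compile(r"^portmap\s+(?:tcp/udp|tcp|udp)\s+(?:auto|\d+:\d+)$")


def _check_net(text, host_only=False):
    """Return a problem string for a bad address/CIDR, else None."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return f"bad address or CIDR {text!r}"
    if host_only and net.num_addresses != 1:
        return f"{text!r} must be a single host address"
    return None


def _check_port(text):
    """Ports are numeric (0-65535) or a service name such as 'ftp'."""
    if text.isdigit():
        return None if int(text) <= 65535 else f"port {text} is outside 0-65535"
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9_-]*", text):
        return None
    return f"unrecognised port {text!r}"


def check_ipnat_conf(text):
    """Return [(line number, problem)] for rules that would not load or could
    never match.  ipnat uses the first matching rule, so a bare 'map' for an
    interface/source/destination triple placed before a proxy or portmap rule
    for the same triple shadows that later rule."""
    problems = []
    bare_map_at = {}  # (ifname, src, dst) -> line number of the bare map rule
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m:
            for field in ("src", "dst"):
                p = _check_net(m[field])
                if p:
                    problems.append((lineno, p))
            key = (m["ifname"], m["src"], m["dst"])
            opts = m["opts"] or ""
            if not opts:
                bare_map_at.setdefault(key, lineno)
                continue
            if key in bare_map_at:
                problems.append((lineno, f"never matches: shadowed by bare map on line {bare_map_at[key]}"))
            proxy = PROXY_RE.match(opts)
            if proxy:
                p = _check_port(proxy["port"])
                if p:
                    problems.append((lineno, p))
            elif not PORTMAP_RE.match(opts):
                problems.append((lineno, f"unrecognised map options {opts!r}"))
            continue
        m = RDR_RE.match(line)
        if m:
            for p in (_check_net(m["ext"]),
                      _check_net(m["int"], host_only=True),
                      _check_port(m["extport"]),
                      _check_port(m["intport"])):
                if p:
                    problems.append((lineno, p))
            continue
        problems.append((lineno, "unrecognised rule syntax"))
    return problems


if __name__ == "__main__":
    for lineno, problem in check_ipnat_conf(SAMPLE_IPNAT_CONF):
        print(f"line {lineno}: {problem}")
```

Run it against the sample and the only complaint is the rdr line's port; swap the order of the bare map and the proxy rule and it reports the proxy rule as shadowed instead. Feed it the real /etc/ipf/ipnat.conf with `check_ipnat_conf(open(path).read())` before the svcadm dance below.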

Now you must restart pfil. Then unplumb your interfaces and plumb them again, so they pick up the pfil module. Last, restart IPFilter. I found I had to disable and enable it to get it to work.

# restart pfil so the module is pushed onto the interfaces listed in /etc/ipf/pfil.ap
svcadm restart network/pfil
# unplumb and replumb both interfaces so they get the module
ifconfig nge0 unplumb
ifconfig bge0 unplumb
ifconfig nge0 plumb up
ifconfig nge0 1.2.3.4 netmask 255.255.255.248
ifconfig bge0:1 plumb up
ifconfig bge0:1 192.168.1.1 netmask 255.255.255.0
# a plain restart was not enough; disable and enable to reload ipnat.conf
svcadm disable ipfilter
svcadm enable ipfilter


Then you should be good. I'm not quite sure, but I think it may not work if your gateway interface (the one with the public IP, nge0 in this case) is a virtual interface. I'd have to do some more testing, but I think that's right.
