Hi again,

so it seems that it's only the DNS traffic that is not going through the NAT:

172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 0)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 0)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 1)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 1)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 2)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 2)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 3)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 3)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 4)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 4)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 5)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 5)
  172.16.0.1 -> 172.16.0.255 RIP R (2 destinations)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 6)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 6)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 7)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 7)
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 8)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 8)

ping -sn 8.8.8.8  
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0. time=5.424 ms
64 bytes from 8.8.8.8: icmp_seq=1. time=5.386 ms
64 bytes from 8.8.8.8: icmp_seq=2. time=5.387 ms
64 bytes from 8.8.8.8: icmp_seq=3. time=5.377 ms
64 bytes from 8.8.8.8: icmp_seq=4. time=5.567 ms
64 bytes from 8.8.8.8: icmp_seq=5. time=5.371 ms
64 bytes from 8.8.8.8: icmp_seq=6. time=5.380 ms
64 bytes from 8.8.8.8: icmp_seq=7. time=5.390 ms
64 bytes from 8.8.8.8: icmp_seq=8. time=5.588 ms
64 bytes from 8.8.8.8: icmp_seq=9. time=5.404 ms
64 bytes from 8.8.8.8: icmp_seq=10. time=5.382 ms
64 bytes from 8.8.8.8: icmp_seq=11. time=5.362 ms
64 bytes from 8.8.8.8: icmp_seq=12. time=5.558 ms
64 bytes from 8.8.8.8: icmp_seq=13. time=5.376 ms
64 bytes from 8.8.8.8: icmp_seq=14. time=5.377 ms
64 bytes from 8.8.8.8: icmp_seq=15. time=5.401 ms

ping -s 8.8.8.8
PING 8.8.8.8: 56 data bytes
ping: warning: ICMP responses received, but name service lookups are taking a while. Use ping -n to disable name service lookups

DELEGLISE Alain
Infrastructure Architect

ALTER WAY Nord
EuraTechnologies
165 avenue de Bretagne
59000 LILLE


tel +33 1 41 16 83 42



Member of Pôle Nord, the open-source and free software cluster of businesses in Nord - Pas de Calais: http://www.polenord.info/

-- To help protect the environment, please print this email only if necessary
On 06/01/2016 11:58, Alain Deléglise wrote:
Sorry the diagram has been messed up.

Here it is: https://framabin.org/?d951c43fb3b04031#EzV7T3V5nl3NFo6tN0MO5XM7u2V0jOkY5PKQOuTwoE0=
On 06/01/2016 11:55, Alain Deléglise wrote:
Hi,

thanks for your answers guys.

I've been using snoop and can only see outgoing traffic, it seems that
nothing comes back.

I presume that the "map" rules also add masquerading?

What I don't understand is how to add this "facing internet" vnic. As I
have my physical interface "e1000g0" configured via DHCP by Kimsufi
(OVH) I have to double/triple NAT?

Internet    +-----------+            +------------+        +-------------+
DHCP        |           |            |            |        |             |
e1000g0     | Kimsufi   |  stub0     | Firewall   |?       | Client      |
   +--------> server    +------------> zone       +--------> zone        |
            |           |            |            |        |             |
            |           <------------+            <--------+             |
            +-----------+            +------------+        +-------------+


How can I configure this?

On January 6, 2016 4:10:58 AM EST, "Alain Deléglise" <[email protected]> wrote:
Hi List,

I'm trying to achieve this also.

I've followed the official wiki, and the wiki from
https://docu.blackdot.be/snipets/solaris/smartos-nat, but I can't seem
to have traffic outgoing from the client zones.

I've activated the debug log of ipfilter, and see that packets are well
transmitted to the stub0 interface, but aren't going through the
e1000g0 and then outside.

I'm installing this on a kimsufi with single public IP.

Do you have an idea on what's going on?

Do you need more information?

Thanks,
I'm presuming you have created a nat zone for managing the traffic leaving your client and mapping it back to it coming in? If not, take a look at this guide [0].

Once you set up your nat zone, you'll have one etherstub, and two vnics; one vnic used for internet facing, one used by the client.

An easy diagnostic of what's going on with your traffic is setting up three terminals. One for the etherstubs, and one for each vnic. Use snoop on each device.

As you send traffic from your client VM, if your ipf.conf and ipnat.conf rules in the nat zone are correctly written, you'll see your traffic going out and being mapped (nat'ed) back in. Also, make sure IP forwarding is enabled on the etherstub (routeadm -u -e ipv4-forwarding).



[0] https://wiki.smartos.org/display/DOC/NAT+using+Etherstubs
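
The snoop comparison suggested above can be done mechanically. This is an added example, not part of the original thread: it counts packets per source, destination and protocol in snoop summary lines and flags flows with no return traffic. The function names are hypothetical, and the DNS lines in the sample capture are constructed (the ICMP and RIP lines follow the capture posted in the thread).

```shell
#!/bin/sh
# Added example (not from the thread). Reads snoop summary lines on stdin,
# e.g. from `snoop -r -c 200 -d stub0`, and reports per flow how many packets
# went out and how many came back.

flow_summary() {
    awk '
    $2 == "->" && NF >= 4 {
        src = $1; dst = $3; proto = $4
        key = src " " dst " " proto
        rev = dst " " src " " proto
        if (rev in out) {
            back[rev]++              # return traffic for a flow already seen
        } else {
            if (!(key in out)) order[++n] = key
            out[key]++
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            printf "%s out=%d back=%d %s\n", k, out[k], back[k] + 0,
                   (back[k] > 0 ? "ok" : "ONE-WAY")
        }
    }'
}

# Constructed sample capture: ICMP is answered, DNS queries are not.
sample_capture() {
    cat <<'EOF'
  172.16.0.2 -> 8.8.8.8      ICMP Echo request (ID: 8696 Sequence number: 0)
     8.8.8.8 -> 172.16.0.2   ICMP Echo reply (ID: 8696 Sequence number: 0)
  172.16.0.2 -> 8.8.8.8      DNS C example.com. Internet Addr ?
  172.16.0.2 -> 8.8.8.8      DNS C example.com. Internet Addr ?
  172.16.0.1 -> 172.16.0.255 RIP R (2 destinations)
EOF
}

sample_capture | flow_summary
```

Broadcast traffic such as the RIP line is always reported as ONE-WAY. Running the same summary on the etherstub and on each vnic shows at which hop the replies stop.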


