ON THIS PAGE
Source Network Address Translation (SNAT)
Source Network Address Translation (source-nat or SNAT) allows traffic from a private network to go out to the internet. Virtual machines launched on a private network can get to the internet by going through a gateway capable of performing SNAT. The gateway has one arm on the public network and as part of SNAT, it replaces the source IP of the originating packet with its own public side IP. As part of SNAT, the source port is also updated so that multiple VMs can reach the public network through a single gateway public IP.
The following diagram shows a virtual network with the private subnet of 10.1.1.0/24. The default route for the virtual network points to the SNAT gateway. The gateway replaces the source-ip from 10.1.1.0/24 and uses its public address 172.21.1.1 for outgoing packets. To maintain unique NAT sessions the source port of the traffic also needs to be replaced.
SNAT on MX Series Routers Acting as Data Center Gateways
Starting in Contrail Networking Release 2011.L1, you can enable SNAT on MX Series routers using MS-MPC line cards when the MX Series router is functioning in the DC-Gateway fabric role. See Contrail Networking Supported Hardware Platforms and Associated Roles And Node Profiles for a list of MX Series routers that support the DC-Gateway or any other fabric role.
When SNAT is enabled on the MX Series router, it can be used to translate source IP addresses from physical interfaces on bare metal servers and from virtual interfaces on virtual machines. SNAT can only translate the IP addresses of source traffic leaving the fabric; it cannot be used to translate IP addresses for traffic entering the fabric.
For additional information on SNAT on MX Series routers, see Network Address Translation Overview.
How to Enable SNAT on an MX Series Router Using Contrail Command
To enable SNAT on an MX Series Router from Contrail Command:
- Ensure that a fabric using an MX Series router with one
or more MS-MPC line cards is configured into the DC-Gateway fabric role in your fabric.
See In Focus: How to Onboard a Fabric and Create an Overlay
See Assign a Role to a Device to change the routing role of a device in a fabric.
- Click Infrastructure > Fabrics > fabric-name to navigate
to the devices in your fabric. Mouse over the mx-router-name of the router configured as a DC gateway in your fabric that will
perform SNAT. Click the ellipsis (...) button—located as the
last option on the far right for the router—and select Edit.
The Fabric Device page opens.
- From the Fabric Device page,
open Netconf Settings.
In the Junos Service Interface field, add the services interface name—for instance, ms-1/0/0—from the MX Series router.
- (BMS interfaces that require SNAT only) Create a Virtual
Port Group (VPG) that maps VLANs to physical interfaces on bare metal
servers (BMSs). See Configuring Virtual Port Groups.
The VPG will be used later in the process to identify traffic that requires IP address translation using SNAT.
This step is needed to identify source IP addresses on BMS hosts only. You can skip this step when you are using SNAT to translate source IP addresses from virtual machine interfaces.
- Create a public logical router for SNAT. See Create Logical Routers.
The logical router is configured in the Overlay > Logical Routers > Edit Logical Router menu. From this menu, include the following configuration parameters:
connected networks field: add the virtual networks that were created to carry traffic.
The traffic in these virtual networks will be translated using SNAT.
Public Logical Router checkbox: Select the checkbox.
The SNAT POOL drop-down menu appears. Select snat_pool.
Extend to Physical Router field: add the MX Series router in the fabric where source-based IP address translation is performed.
- To monitor SNAT after completing the configuration, log
onto the MX Series router and enter the following JUNOS commands:
show configuration to verify NAT configuration in JUNOS.
show services nat pool to verify translation.
Monitor system messages.
For additional information on using and monitoring NAT in Junos, see the Network Address Translation User Guide.
Neutron APIs for Routers
OpenStack supports SNAT gateway implementation through its Neutron APIs for routers. The SNAT flag can be enabled or disabled on the external gateway of the router. The default is True (enabled).
The Tungsten Fabric plugin supports the Neutron APIs for routers and creates the relevant service-template and service-instance objects in the API server. The service scheduler in Tungsten Fabric instantiates the gateway on a randomly-selected virtual router. Tungsten Fabric uses network namespace to support this feature.
Example Configuration: SNAT for Contrail
The SNAT feature is enabled on Tungsten Fabric through Neutron API calls.
The following configuration example shows how to create a test network and a public network, allowing the test network to reach the public domain through the SNAT gateway.
- Create the public network and set the router external
neutron net-create public
neutron subnet-create public 172.21.1.0/24
neutron net-update public -- --router:external=True
- Create the test network.
neutron net-create test
neutron subnet-create --name test-subnet test 10.1.1.0/24
- Create the router with one interface in test.
neutron router-create r1
neutron router-interface-add r1 test-subnet
- Set the external gateway for the router.
neutron router-gateway-set r1 public
Setting the external gateway is the trigger for Tungsten Fabric to set up the Linux network namespace for SNAT.
The network namespace can be cleared by issuing the following Neutron command:
neutron router-gateway-clear r1
SNAT and Security Groups
When a logical router is enabled to support SNAT, the default security group is automatically applied to the left SNAT interface. This automatic application of the default security group allows the virtual machine to send and receive traffic without additional user configuration when the default security group is used by interconnected virtual machines. Additional configuration is required to send and receive traffic, however, when your virtual machine is connected to virtual machines that are not using the default security group.
If you are connecting your virtual machine to a virtual machine that is not using the default security group, you must make one of the following configuration updates to allow your virtual machine to pass traffic:
update the default security group to add rules that allow the VM traffic.
update the rules to the VM security group to allow traffic from the default security group.
apply the same security group to the VM and the SNAT left interface.
For information on configuring security groups in environments using Contrail Networking, see Using Security Groups with Virtual Machines Instances.
Using the Web UI to Configure Routers with SNAT
You can use the Contrail user interface to configure routers for SNAT and to check the SNAT status of routers.
To enable SNAT for a router, go to Configure > Networking > Routers. In the list of routers, select the router for which SNAT should be enabled. Click the Edit cog to reveal the Edit Routers window. Click the check box for SNAT to enable SNAT on the router.
The following shows a router for which SNAT has been Enabled.
When a router has been Enabled for SNAT, the configuration can be seen by selecting Configure > Networking > Routers. In the list of routers, click open the router of interest. In the list of features for that router, the status of SNAT is listed. The following shows a router that has been opened in the list. The status of the router shows that SNAT is Enabled.
You can view the real time status of a router with SNAT by viewing the instance console, as in the following.
Using the Web UI to Configure Distributed SNAT
The distributed SNAT feature allows virtual machines to communicate with the IP fabric network using the existing forwarding infrastructure for compute node connectivity. This functionality is achieved through port address translation of virtual machine traffic using the IP address of the compute node as the public address.
The following distributed SNAT use case is supported:
Virtual networks with distributed SNAT enabled can communicate with the IP fabric network. The session must be initiated from a virtual machine. Sessions initiated from the external network are not supported.
Distributed SNAT is supported only for TCP and UDP, and you can configure discrete port ranges for both protocols.
A pool of ports is used for distributed SNAT. To create a pool of ports, go to Configure > Infrastructure > Global Config. The following shows an example of a port range used for port address translation.
To use distributed SNAT, you must enable SNAT on the virtual network. To enable SNAT on the virtual network, go to Configure > Networking > Networks. The following shows a virtual network for which SNAT has been enabled under Advanced Options.