
Applying NAT Rules if CSO Is Deployed Behind NAT

 

If you have deployed Contrail Service Orchestration (CSO) behind NAT, you must apply NAT rules after you run the setup_assist.sh script on the central and regional hosts. The rule set has two parts: DNAT rules in the PREROUTING chain, which forward traffic that arrives on the NAT server's public IP address for each CSO service port to the corresponding CSO virtual IP address, and (on regional NAT servers) SNAT rules in the POSTROUTING chain, which rewrite the source address of that forwarded traffic to the regional management interface address so that replies return through the NAT server.

Note

If you do not apply the NAT rules after you install or upgrade CSO, you cannot access the Administration Portal, the Kibana UI, or the RabbitMQ console.

To apply NAT rules:

  1. Log in to the installer VM as root.
  2. Apply NAT rules for central and regional NAT servers.
    • To quickly apply the NAT rules for central NAT servers:

      1. Copy the following commands and paste them into a text file.

        iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 443 -j DNAT --to-destination northbound-virtual-private-ip-address:443
        iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 35357 -j DNAT --to-destination northbound-virtual-private-ip-address:35357
        iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 5601 -j DNAT --to-destination northbound-virtual-private-ip-address:5601
        iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 9200 -j DNAT --to-destination northbound-virtual-private-ip-address:9200
        iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 1947 -j DNAT --to-destination northbound-virtual-private-ip-address:1947
      2. Replace the placeholders central-nat-server-public-ip-address and northbound-virtual-private-ip-address in each command with the addresses used in your network.

      3. Copy and paste the updated commands into the CLI.

    • To quickly apply the NAT rules for regional NAT servers:

      1. Copy the following commands and paste them into a text file.

        iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 5601 -d northbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
        iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 5601 -j DNAT --to-destination northbound-virtual-private-ip-address:5601
        iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 7804 -d northbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
        iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 7804 -j DNAT --to-destination northbound-virtual-private-ip-address:7804
        iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 3514 -d southbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
        iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 3514 -j DNAT --to-destination southbound-virtual-private-ip-address:3514
        iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 514 -d southbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
        iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 514 -j DNAT --to-destination southbound-virtual-private-ip-address:514
        iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 443 -d southbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
        iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 443 -j DNAT --to-destination northbound-virtual-private-ip-address:443
        iptables -t nat -A PREROUTING -d regional-nat-server-public-ip-address/32 -p tcp -m tcp --dport 2216 -j DNAT --to-destination southbound-virtual-private-ip-address:2216
        iptables -t nat -A POSTROUTING -d southbound-virtual-private-ip-address/32 -o virbr0 -p tcp -m tcp --dport 2216 -j SNAT --to-source regional-management-interface-ip-address
      2. Replace the placeholders regional-nat-server-public-ip-address, northbound-virtual-private-ip-address, southbound-virtual-private-ip-address, and regional-management-interface-ip-address in each command with the addresses used in your network. Note that the POSTROUTING (SNAT) rule for port 443 above matches the southbound virtual IP address while the PREROUTING (DNAT) rule for port 443 forwards to the northbound virtual IP address; an SNAT rule only matches traffic whose destination (after DNAT) is the address it names, so confirm which virtual IP address port 443 uses in your deployment before you apply that pair.

      3. Copy and paste the updated commands into the CLI.

The NAT rules are now applied for the central and regional NAT servers, and you can access the Administration Portal, the Kibana UI, and the RabbitMQ console. You can confirm the active rules with iptables -t nat -S PREROUTING and iptables -t nat -S POSTROUTING. Rules added with iptables -A exist only in kernel memory and are lost on reboot; if you want them to survive a restart, save them with the persistence mechanism of your distribution (for example, iptables-save with iptables-persistent or netfilter-persistent). Forwarding to a different host through DNAT also requires IP forwarding to be enabled on the NAT server (net.ipv4.ip_forward = 1).
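The procedure above has you hand-edit fourteen iptables lines, which is where a missing space or a mismatched VIP creeps in. The following script is an added example, not Juniper's or the CSO installer's own code: it builds the central and regional rule sets from a few address variables, checks that each argument is an IPv4 address, warns if IP forwarding is off, and adds each rule only if an identical one is not already present (iptables -C before -A), so it can be re-run after an upgrade without stacking duplicates. The bridge name virbr0 and the port list are taken from the page; the sample addresses in the comments are constructed; the pairing of every SNAT rule with the same VIP as its DNAT rule (including port 443, which the page's own pair splits between the southbound and northbound VIPs) is an assumption you must confirm for your deployment.

```shell
#!/bin/sh
# Added example: generate, check and idempotently apply the CSO NAT rule set.
# Not part of CSO. Assumptions: bridge virbr0 (from the page); each SNAT rule
# is paired with the same VIP as its DNAT rule; sample addresses are invented.

IPTABLES="${IPTABLES:-iptables}"   # command used to apply rules
DRY_RUN="${DRY_RUN:-0}"            # DRY_RUN=1 prints the commands instead

# validate_ipv4 ADDR: succeed only for a dotted quad with octets 0-255
validate_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
    esac
    n=0
    for oct in $(printf '%s' "$addr" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# dnat_rule PUBLIC_IP PORT VIP: PREROUTING rule forwarding PORT arriving on the
# NAT server's public address to the CSO virtual IP (same shape as the page's rules)
dnat_rule() {
    printf '%s\n' "-t nat -A PREROUTING -p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$2"
}

# snat_rule VIP PORT MGMT_IP: POSTROUTING rule rewriting the source of traffic
# leaving via virbr0 toward VIP:PORT to the regional management address
snat_rule() {
    printf '%s\n' "-t nat -A POSTROUTING -o virbr0 -p tcp --dport $2 -d $1 -j SNAT --to-source $3"
}

# central_rules PUBLIC_IP NB_VIP: the five central DNAT rules (ports from the page)
central_rules() {
    for port in 443 35357 5601 9200 1947; do
        dnat_rule "$1" "$port" "$2"
    done
}

# regional_rules PUBLIC_IP NB_VIP SB_VIP MGMT_IP: SNAT/DNAT pairs per port.
# Assumption: 5601, 7804 and 443 use the northbound VIP; 3514, 514 and 2216 the
# southbound VIP. Verify the 443 assignment against your deployment.
regional_rules() {
    for port in 5601 7804 443; do
        snat_rule "$2" "$port" "$4"
        dnat_rule "$1" "$port" "$2"
    done
    for port in 3514 514 2216; do
        snat_rule "$3" "$port" "$4"
        dnat_rule "$1" "$port" "$3"
    done
}

# apply_rule RULE: print in dry-run mode; otherwise add RULE unless an identical
# rule already exists (-C returns 0 when it matches), so re-runs are idempotent
apply_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$1"
        return 0
    fi
    check=$(printf '%s' "$1" | sed 's/ -A / -C /')
    # shellcheck disable=SC2086  # word splitting of the rule string is intended
    $IPTABLES $check >/dev/null 2>&1 || $IPTABLES $1
}

# preflight: DNAT to another host only takes effect when the kernel forwards packets
preflight() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)
    [ "$fwd" = 1 ] || echo "warning: net.ipv4.ip_forward is '$fwd'; set it to 1 for DNAT to work" >&2
}

# main ROLE ADDRESSES...: validate arguments, then apply the role's rule set
main() {
    role="$1"; shift
    case "$role" in
        central)  [ $# -eq 2 ] || { echo "usage: $0 central PUBLIC_IP NB_VIP" >&2; return 2; } ;;
        regional) [ $# -eq 4 ] || { echo "usage: $0 regional PUBLIC_IP NB_VIP SB_VIP MGMT_IP" >&2; return 2; } ;;
        *) echo "usage: $0 central|regional ADDRESSES..." >&2; return 2 ;;
    esac
    for a in "$@"; do
        validate_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 2; }
    done
    preflight
    "${role}_rules" "$@" | while IFS= read -r rule; do apply_rule "$rule"; done
}

# Runs only when a role is given, e.g. (constructed addresses):
#   DRY_RUN=1 sh cso_nat.sh regional 203.0.113.20 10.0.0.5 10.0.1.5 192.168.122.1
case "${1:-}" in central|regional) main "$@" ;; esac
```

Run it first with DRY_RUN=1 and compare the printed commands against the rule lists above; once they match, run it again as root without DRY_RUN. Because apply_rule checks with -C before adding, running it a second time after an upgrade leaves the nat table unchanged rather than appending a second copy of every rule.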