vr_sdnat4 - OpenNebula/one-apps GitHub Wiki
Important
You need to configure OpenNebula Gate (onegate) to use SDNAT4 functionality.
Choose this mode when, in addition to internet access, you want to redirect all incoming traffic targeting specific public IP addresses to VMs located behind the Virtual Router. This functionality is similar to the DMZ feature found in home routers. The module enables source NAT, as in the NAT4 module, and maps (1:1) each public IP address to a private IP address. All incoming traffic addressed to the public IP is forwarded to the private IP, and traffic originating from the private IP leaves with the public IP as its source, which the module implements by installing both DNAT and SNAT rules in iptables. Because every port and protocol is forwarded, a mapped VM is as exposed as if it sat directly on the public network, so restrict inbound traffic on the VM itself.
The following figure depicts the basic LAN topology assumed by the module:
                    public network (10.2.11.0/24)
 ──────────────────────┬───────────────────────────────
                    ┌──┴──┐
                ┌───┤eth0 ├───┐  eth0 IPs (10.2.11.1, 10.2.11.201, 10.2.11.202)
                │   └─────┘   │  10.2.11.201 --> 172.20.0.128
                │   Virtual   │  10.2.11.202 --> 172.20.0.130
                │   Router    │
                │   ┌─────┐   │
                └───┤eth1 ├───┘
                    └──┬──┘   private network (172.20.0.0/24)
       ┌───────────────┼───────────────┐
 172.20.0.128     172.20.0.67    172.20.0.130
    ┌──┴──┐        ┌──┴──┐        ┌──┴──┐
    │ VM1 │        │ VM2 │        │ VM3 │
    └─────┘        └─────┘        └─────┘
Important
You need to assign one IP on the public network to each VM you want to forward the traffic to.
The following attributes control the basic configuration for NAT'ing:
- ONEAPP_VNF_SDNAT4_ENABLED activates the module.
- ONEAPP_VNF_SDNAT4_INTERFACES defines the public and private interfaces where the mapping occurs. Usually this identifies the public and private networks.
For the example above simply add:
CONTEXT = [
...
ONEAPP_VNF_SDNAT4_ENABLED = "YES",
ONEAPP_VNF_SDNAT4_INTERFACES = "eth0 eth1",
...
]
For those VMs that you want to forward the incoming traffic to, you need to add a network interface of type NIC_ALIAS attached to the public network, and label it with the EXTERNAL attribute.
$ onevm nic-attach backend_VM_name_or_ID <<'EOF'
NIC_ALIAS = [
NETWORK = "public",
PARENT = "NIC0",
EXTERNAL = "YES" ]
EOF
OpenNebula will perform the following actions:
- The VM will get an IP lease from the public network. This IP will not be configured in the VM.
- The VR will discover the new EXTERNAL IP allocation and configure that external IP on its loopback interface, so that the VR owns the address and answers for it. For example, for the 10.2.11.201 mapping you will see the following IP addresses in the VR:
$ ip addr show lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.2.11.201/32 scope global SDNAT4
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
- It will also install DNAT and SNAT rules for the EXTERNAL IP. For example, for the 10.2.11.201 mapping you will see the following iptables rules in the nat table:
$ iptables -t nat -vnL DNAT4
Chain DNAT4 (1 references)
pkts bytes target prot opt in out source destination
1 12 DNAT 0 -- * * 0.0.0.0/0 10.2.11.201 to:172.20.0.128
$ iptables -t nat -vnL SNAT4
Chain SNAT4 (1 references)
pkts bytes target prot opt in out source destination
1 34 SNAT 0 -- * * 172.20.0.128 0.0.0.0/0 to:10.2.11.201
Connecting to 10.2.11.201 should forward all packets for all protocols, both ways. For example (note that there is no 10.2.11.0/24 IP configured in the VM):
$ ssh <user>@10.2.11.201 ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:ac:14:00:80 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.128/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::acff:fe14:80/64 scope link
valid_lft forever preferred_lft forever
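The loopback address and the DNAT4/SNAT4 rules above are the whole state a mapping depends on, and a mapping can be half-present: a DNAT rule without its SNAT mirror, or a public IP that never reached lo. The following POSIX shell script is an added example, not code from the one-apps project, that audits that state. It assumes the chain names DNAT4 and SNAT4 and the SDNAT4 label on lo as shown on this page, and the `--to-destination`/`--to-source` form in which iptables-save prints NAT targets. The sample NAT table and lo listing are constructed: the page's 10.2.11.201 mapping is complete, and a second mapping for 10.2.11.202 is deliberately left without its SNAT4 rule and without its lo address so the check has something to report.

```shell
#!/bin/sh
# Added example (not part of the one-apps VR): audit the NAT state that SDNAT4
# is expected to leave on the Virtual Router. For a correct 1:1 mapping, every
# DNAT4 rule (public -> private) must have exactly one mirror SNAT4 rule
# (private -> public), no public or private IP may appear in two mappings, and
# each public IP must be held on lo as a /32. Input is the text of
# `iptables-save -t nat` and `ip -o -4 addr show lo`. Run with --live on a VR
# to audit the real tables instead of the constructed sample below.

# Constructed sample of `iptables-save -t nat`: the page's 10.2.11.201 mapping is
# complete, the 10.2.11.202 mapping deliberately has its SNAT4 rule missing.
NAT_SAMPLE='*nat
:DNAT4 - [0:0]
:SNAT4 - [0:0]
-A PREROUTING -j DNAT4
-A POSTROUTING -j SNAT4
-A DNAT4 -d 10.2.11.201/32 -j DNAT --to-destination 172.20.0.128
-A SNAT4 -s 172.20.0.128/32 -j SNAT --to-source 10.2.11.201
-A DNAT4 -d 10.2.11.202/32 -j DNAT --to-destination 172.20.0.130
COMMIT'

# Constructed sample of `ip -o -4 addr show lo`: only 10.2.11.201 was added.
LO_SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 10.2.11.201/32 scope global SDNAT4\       valid_lft forever preferred_lft forever'

# dnat_pairs NAT_TEXT: print "public private" for every DNAT4 rule.
dnat_pairs() {
  printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "DNAT4" {
    pub = ""; priv = ""
    for (i = 3; i <= NF; i++) {
      if ($i == "-d") { pub = $(i + 1); sub("/32$", "", pub) }
      if ($i == "--to-destination") priv = $(i + 1)
    }
    if (pub != "" && priv != "") print pub, priv
  }'
}

# snat_pairs NAT_TEXT: print "public private" for every SNAT4 rule, in the same
# orientation as dnat_pairs so the two lists can be compared line by line.
snat_pairs() {
  printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "SNAT4" {
    pub = ""; priv = ""
    for (i = 3; i <= NF; i++) {
      if ($i == "-s") { priv = $(i + 1); sub("/32$", "", priv) }
      if ($i == "--to-source") pub = $(i + 1)
    }
    if (pub != "" && priv != "") print pub, priv
  }'
}

# lo_public_ips LO_TEXT: print the /32 addresses held on lo (the external IPs).
lo_public_ips() {
  printf '%s\n' "$1" | awk '$3 == "inet" && $4 ~ "/32$" { sub("/32$", "", $4); print $4 }'
}

# audit_sdnat4 NAT_TEXT LO_TEXT: print one finding per line; empty output is a pass.
audit_sdnat4() {
  d=$(dnat_pairs "$1"); s=$(snat_pairs "$1"); l=$(lo_public_ips "$2")
  # DNAT without mirror SNAT: inbound works, but the VM's own outbound traffic
  # leaves under the VR's primary address, not its public IP. Missing lo /32:
  # the VR does not own the public IP and will not answer ARP for it on eth0.
  printf '%s\n' "$d" | while read -r pub priv; do
    [ -n "$pub" ] || continue
    printf '%s\n' "$s" | grep -qxF "$pub $priv" || echo "MISSING_SNAT $pub -> $priv"
    printf '%s\n' "$l" | grep -qxF "$pub" || echo "NOT_ON_LO $pub"
  done
  # SNAT without mirror DNAT: outbound is rewritten, inbound never reaches the VM.
  printf '%s\n' "$s" | while read -r pub priv; do
    [ -n "$pub" ] || continue
    printf '%s\n' "$d" | grep -qxF "$pub $priv" || echo "MISSING_DNAT $pub -> $priv"
  done
  # 1:1 violations: an IP reused across mappings makes the reverse path ambiguous.
  printf '%s\n' "$d" | awk '{ print $1 }' | sort | uniq -d | sed 's/^/DUP_PUBLIC /'
  printf '%s\n' "$d" | awk '{ print $2 }' | sort | uniq -d | sed 's/^/DUP_PRIVATE /'
}

if [ "${1:-}" = "--live" ]; then
  audit_sdnat4 "$(iptables-save -t nat)" "$(ip -o -4 addr show lo)"
else
  audit_sdnat4 "$NAT_SAMPLE" "$LO_SAMPLE"
fi
```

Run as root on the VR with `--live` (for example `sh sdnat4-audit.sh --live`, the file name being arbitrary) after each ONEAPP_VNF_SDNAT4_REFRESH_RATE interval to confirm that a newly attached EXTERNAL alias produced all three pieces of state. On the constructed sample the script reports the incomplete 10.2.11.202 mapping twice, once for the missing SNAT4 rule and once for the missing lo address, and nothing for 10.2.11.201.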
| Parameter | Default | Description |
|---|---|---|
| ONEAPP_VNF_SDNAT4_ENABLED | NO | Enable/Disable the SNAT/DNAT feature (YES/NO) |
| ONEAPP_VNF_SDNAT4_INTERFACES | none | Mandatory: list of NICs among which to detect mappings (<[!]ethX> ...) |
| ONEAPP_VNF_SDNAT4_REFRESH_RATE | 30 | Refresh rate between updates of the mapping rules (seconds) |