Don't Read My Blog

Configure NAT for Solaris Zones Lab

Configure NAT for Solaris Zones Lab

We needed to create a lab environment that could spin up several Solaris zones at one time in a somewhat isolated environment.  To do this, we created a kernel zone which would contain non-global zones in their own isolated subnet.  We wanted these non-global zones to be able to connect to resources outside of the isolated environment, so we configured an ether stub and used the PF firewall to create a NAT.

Create Ether Stub

In the kernel zone, we want to create an ether stub and then use this for the lower link for the anet resources defined in our non-global zones.  We’ll also want to create an IP address on the ether stub within the kernel zone.

dladm create-etherstub ether0
dladm create-vmic -l ether0 outside0
ipadm create-ip outside0
ipadm create-addr -T static -a 192.168.138.1/24 outside0/v4

Enable Packet Forwarding

Our kernel zone will need to be able to forward packets between its interfaces:

ipadm set-prop -p forwarding=on ipv4

Configure the Packet Filter Firewall for NAT

You’ll need to install the packet filter firewall on your kernel zone, if not installed already:

pkg install network/firewall

Create a NAT entry in the packet filter firewall.  A good way is to use the pfconf tool, then add this line at bottom:

pass out on net0 from 192.168.138.0/24 to any nat-to (net0)

The use of (net0) in the rule above prevents us from having to update this rule if the IP address of our kernel zone changes on the external network.  In our case this is important as the kernel zone will itself be cloned and assigned unique external addresses into our lab environment.

Next, enable the firewall, or refresh it if already enabled:

svcadm enable network/firewall

Test a Connection

Finally, test a connection from one of the non global zones inside your kernel zone to a host outside of the kernel zone, and then use pfctl -s state to examine the NAT states:

#From non-gobal zone
ssh 192.168.1.10

#From global zone
pfctl -s state

You should see an active connection (established) in the output of pfctl.

Leave a Reply

Your email address will not be published. Required fields are marked *