We needed to create a lab environment that could spin up several Solaris zones at one time in a somewhat isolated environment. To do this, we created a kernel zone which would contain non-global zones in their own isolated subnet. We wanted these non-global zones to be able to connect to resources outside of the isolated environment, so we configured an ether stub and used the PF firewall to create a NAT.
Create Ether Stub
In the kernel zone, we want to create an ether stub and then use it as the lower-link for the anet resources defined in our non-global zones. We’ll also want to create an IP address on the ether stub within the kernel zone.
dladm create-etherstub ether0
dladm create-vnic -l ether0 outside0
ipadm create-ip outside0
ipadm create-addr -T static -a 192.168.138.1/24 outside0/v4
Enable Packet Forwarding
Our kernel zone will need to be able to forward packets between its interfaces:
ipadm set-prop -p forwarding=on ipv4
Configure the Packet Filter Firewall for NAT
You’ll need to install the packet filter firewall on your kernel zone, if not installed already:
pkg install network/firewall
Create a NAT entry in the packet filter firewall. A good way is to use the pfconf tool, then add this line at the bottom:
pass out on net0 from 192.168.138.0/24 to any nat-to (net0)
The use of (net0) in parentheses makes PF look up the interface’s current address at run time, which prevents us from having to update this rule if the IP address of our kernel zone changes on the external network. In our case this is important as the kernel zone will itself be cloned and assigned unique external addresses in our lab environment.
Next, enable the firewall, or refresh it if already enabled:
svcadm enable network/firewall
Test a Connection
Finally, test a connection from one of the non-global zones inside your kernel zone to a host outside of the kernel zone, and then use pfctl -s state to examine the NAT states:
# From non-global zone
ssh 192.168.1.10
# From global zone
pfctl -s state
You should see an active connection (established) in the output of pfctl.
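The whole procedure above, collected into one idempotent script, as an added example that is not part of the original post. It assumes the external interface is net0, the isolated subnet is 192.168.138.0/24 with the kernel zone at 192.168.138.1, and the PF rules file is /etc/firewall/pf.conf (all overridable through environment variables); it is meant to be run as root inside the kernel zone with "apply", and later with "verify" after a non-global zone has opened a connection out.

```shell
#!/bin/sh
# Added example (not the original post's code): etherstub + PF NAT setup
# for a kernel zone, run as root inside that zone.
# Assumed defaults (not from the post): external link net0, isolated
# subnet 192.168.138.0/24, rules file /etc/firewall/pf.conf.
set -eu

EXT_IF=${EXT_IF:-net0}
STUB=${STUB:-ether0}
STUB_VNIC=${STUB_VNIC:-outside0}
GW_ADDR=${GW_ADDR:-192.168.138.1/24}
SUBNET=${SUBNET:-192.168.138.0/24}
PF_CONF=${PF_CONF:-/etc/firewall/pf.conf}

# Render the NAT rule. "(ext_if)" in parentheses makes PF re-read the
# interface address at rule-evaluation time, so a cloned kernel zone that
# gets a new external address keeps working without editing the rule.
nat_rule() {               # nat_rule <ext-if> <subnet>
    printf 'pass out on %s from %s to any nat-to (%s)\n' "$1" "$2" "$1"
}

# Append a rule only if that exact line is not already present, so
# re-running the script does not stack duplicate NAT rules.
ensure_rule() {            # ensure_rule <conf-file> <rule>
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

create_stub() {
    # Each step is skipped when the object already exists.
    dladm show-etherstub "$STUB" >/dev/null 2>&1 \
        || dladm create-etherstub "$STUB"
    dladm show-vnic "$STUB_VNIC" >/dev/null 2>&1 \
        || dladm create-vnic -l "$STUB" "$STUB_VNIC"
    ipadm show-if "$STUB_VNIC" >/dev/null 2>&1 \
        || ipadm create-ip "$STUB_VNIC"
    ipadm show-addr "$STUB_VNIC/v4" >/dev/null 2>&1 \
        || ipadm create-addr -T static -a "$GW_ADDR" "$STUB_VNIC/v4"
}

enable_forwarding() {
    ipadm set-prop -p forwarding=on ipv4
}

configure_pf() {
    pkg list network/firewall >/dev/null 2>&1 || pkg install network/firewall
    ensure_rule "$PF_CONF" "$(nat_rule "$EXT_IF" "$SUBNET")"
    pfctl -nf "$PF_CONF"   # parse-only check before the service loads it
    if svcs -H -o state network/firewall | grep -q online; then
        svcadm refresh network/firewall
    else
        svcadm enable network/firewall
    fi
}

# After a zone in the subnet has connected out, PF should hold a state
# entry carrying one of the 192.168.138.x addresses.
verify() {
    pfctl -s state | grep -F "${SUBNET%.0/24}"
}

case "${1:-}" in
    apply)  create_stub; enable_forwarding; configure_pf ;;
    verify) verify ;;
esac
```

The rule-rendering and append steps are kept as separate functions so that the generated line can be inspected (or checked against a test) without touching the system, and so the script can be re-run after a clone without duplicating the rule.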