Configuring a Virtual Network with NAT

Hi all,

I’ve looked through the docs and through other issues on here but nothing seems to work, or I’m not understanding things right.

I created a virtual network as follows:


I can create a VM that uses this network, I can ssh to it from the oneadmin login and traffic flows between machines on this network but I cannot get any access to the external, physical networks, nor to the Internet.

tcpdump shows packets arriving from the VM at the virbr1 interface but they go nowhere:

14:55:13.479374 IP > Flags [P.], seq 97:133, ack 89, win 971, options [nop,nop,TS val 2157157246 ecr 13981986], length 36
14:55:13.480373 IP > Flags [P.], seq 89:125, ack 133, win 341, options [nop,nop,TS val 13984137 ecr 2157157246], length 36
14:55:13.480400 IP > Flags [.], ack 125, win 971, options [nop,nop,TS val 2157157247 ecr 13984137], length 0
14:55:13.489828 IP > 59542+ [1au] A? (35)
14:55:13.489873 IP > ICMP udp port domain unreachable, length 71

I checked out the OpenNebula docs on NAT but the only example I can find has host-only networks, I need the VMs to be able to talk to each other.


Hi @MartinW,

To configure NAT for on host, you have to add the the following iptables rule:

iptables -tnat -A POSTROUTING -s ! -d -j MASQUERADE


1 Like

Thanks Ricardo. I tried that but it still didn’t work, I suspect that I have other virtual network problems so I will go away and look at them and see if I can work out why it’s still not working.

Do you have the IP forwarding enabled? This link explains how to do it.

Yes, that’s set:

sudo sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1

Hi Martin,

maybe you could consider the usage of VNF/VROUTER appliance which was designed for things like this.

The documentation describes both the use as VM or VROUTER.

In your case VROUTER appliance would be the easiest and then you would just set these contextualization variables with the right out-going NAT interface (public/internet facing) and attached the local/private network as other interface.

Just FYI - it is up to you.

P.S. just checking - did you enabled port forwarding and masquerade on the node where this VM is running and are these packets leaving the interface with the default route? The more interesting tcpdump would be from that default interface.


Hi Petr,

Thanks for the response, having just rasied an RFE for NATing I will go and check this VROUTER out as an alternative, it certainly sounds like it will do what I need.

I will also check the port forwarding and masquerade options, I thought I had done but the memory is not a reliable storage device :slight_smile:

Not sure if you already solved this, but you may want to check if bridge interface configuration is created.
For example, in Debian, it should be in location /etc/network/interfaces or /etc/network/interface.d/
The content should be something like:

auto virbr1
iface virbr1 intet static
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    bridge_ports <physical interface name>

This setup works for me.

Thanks Vladimir. I’m still fighting with this. I’m using a CentOS installation but will try to translate your suggested configuration in a bit. I want the virtual router to work really, but will definitely try this later.

Hi Petr,

I finally got some time to try the VROUTER but I’m still struggling with it. Right now I’ve instantiated the router and I’m looking at the docs where it says “You should also be able to login inside and look around.”

Given that OpenNebula does not provide us with a root password I cannot login using the terminal that is available via the web interface. One interface has been assigned an IP address but I have no route to that interface because the virtual router is not set up!

Clearly I am missing something, I’d appreciate some clues as to what and where, if you would be so kind.


Hi Martin,

yes, by default appliance (or any VM) does not setup root password - you can do it globally for each and every new VM (I think) or in this case setting up PASSWORD contextualization variable. How to do it is in the documentation: password

Also you can setup ssh access which is also described in the documentation.

I recommend to reread the documentation - both of these points are right at the beginning in the Quick Start section.

BUT there should be no need to even trying to get inside this appliance because it should provide all the features via contextualization parameters and act as a blackbox.

Because you did not ask any other question I cannot help you further.

Maybe after you familiarize yourself with the VM instantiation and contextualization you can try to follow both of the tutorials.

Good luck


Hi Martin (again),

FYI if you struggle with OpenNebula setup and deployment then maybe it would be best for you to try minione.

Basically all you should need is:

root@localhost$ wget ''
root@localhost$ bash minione

By default it should setup a functioning frontend and node on that one machine.

If you are trying OpenNebula inside another VM then don’t forget to enable nested virtualization.


Thank you Petr, the ssh access does not work because there is no network configured initially, at least not in the quickstart instructions I was following. But you are correct, of course, about the PASSWORD context variable, I had forgotten about that.

That said, I will do as you suggest as re-read the docs with the expectation of being able to use this as a black box, which is exactly what I am after but where I seem to be struggling.

Thank you for your guidance so far.


Thank you Petr, I had previously got a minione system up and running successfully but it was not enough for my needs. hence the step up to a full-blown Open Nebula installation.

I can see where my mistake was now. I was looking at the exact same document you directed me to but from the top of the page I jumped straight to the “Tutorials” section, skipping out the part that discusses the ssh keys and password, hence showing my ignorance here.

I will let you know how I get on.