Configuring a Virtual Network with NAT

Hi all,

I’ve looked through the docs and through other issues on here but nothing seems to work, or I’m not understanding things right.

I created a virtual network as follows:


I can create a VM that uses this network, I can ssh to it from the oneadmin login and traffic flows between machines on this network but I cannot get any access to the external, physical networks, nor to the Internet.

tcpdump shows packets arriving from the VM at the virbr1 interface but they go nowhere:

14:55:13.479374 IP > Flags [P.], seq 97:133, ack 89, win 971, options [nop,nop,TS val 2157157246 ecr 13981986], length 36
14:55:13.480373 IP > Flags [P.], seq 89:125, ack 133, win 341, options [nop,nop,TS val 13984137 ecr 2157157246], length 36
14:55:13.480400 IP > Flags [.], ack 125, win 971, options [nop,nop,TS val 2157157247 ecr 13984137], length 0
14:55:13.489828 IP > 59542+ [1au] A? (35)
14:55:13.489873 IP > ICMP udp port domain unreachable, length 71

I checked out the OpenNebula docs on NAT but the only example I can find has host-only networks, I need the VMs to be able to talk to each other.


Hi @MartinW,

To configure NAT for on host, you have to add the the following iptables rule:

iptables -tnat -A POSTROUTING -s ! -d -j MASQUERADE


1 Like

Thanks Ricardo. I tried that but it still didn’t work, I suspect that I have other virtual network problems so I will go away and look at them and see if I can work out why it’s still not working.

Do you have the IP forwarding enabled? This link explains how to do it.

Yes, that’s set:

sudo sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1

Hi Martin,

maybe you could consider the usage of VNF/VROUTER appliance which was designed for things like this.

The documentation describes both the use as VM or VROUTER.

In your case VROUTER appliance would be the easiest and then you would just set these contextualization variables with the right out-going NAT interface (public/internet facing) and attached the local/private network as other interface.

Just FYI - it is up to you.

P.S. just checking - did you enabled port forwarding and masquerade on the node where this VM is running and are these packets leaving the interface with the default route? The more interesting tcpdump would be from that default interface.


Hi Petr,

Thanks for the response, having just rasied an RFE for NATing I will go and check this VROUTER out as an alternative, it certainly sounds like it will do what I need.

I will also check the port forwarding and masquerade options, I thought I had done but the memory is not a reliable storage device :slight_smile: