10.3.5. Example of NAT configuration when using Common Functions via firewall¶
| Operation Confirmed Version: | |
|---|---|
| Brocade 5600vRouter Version4.2R1S1 | |
This example shows how to connect from the server segment under the firewall to the Common Function Pool through the Common Function Gateway.
In this case, assuming access to NTP server.
Note
Common Function Gateway is a gateway to connect from customer tenant to common function pool.
Please refer to Service Descriptions for more details.
10.3.5.1. System diagram¶
Server-01, 02 is configured to be able to access the NTP server of the Common Function pool via the firewall.
As the gateway of Server-01 and 02, VRRP is set with FW-01 and FW-02 to make it redundant.
Configured to SNAT communication from Server-01, 02 to NTP server with FW.
Note
“CentOS 7.1.1503” is used as Server OS.
“chrony-1.29.1-1” is used for NTP client.
10.3.5.2. Configuration of Firewall¶
Firewall Interface setting
Although the interface settings are shown to confirm the setting contents, in actuality, you need to set the interface settings on the customer portal.
Please note that if you submit the interface setting command below, an error will be returned.
Note
Interface settings can not be set except by customer portal.
- FW-01
set interfaces dataplane dp0s10 address '169.254.0.5/17'
set interfaces dataplane dp0s11 address '192.168.4.12/28'
- FW-02
set interfaces dataplane dp0s10 address '169.254.0.6/17'
set interfaces dataplane dp0s11 address '192.168.4.13/28'
VRRP Setting
The server segment redundancy setting is shown below.
Before setting up VRRP, you must configure VRRP communication permission setting on the customer portal.
- FW-01
set interfaces dataplane dp0s11 vrrp vrrp-group 4 advertise-interval '20'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 preempt 'true'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 priority '200'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 'rfc-compatibility'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 version '2'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 virtual-address '192.168.4.11'
- FW-02
set interfaces dataplane dp0s11 vrrp vrrp-group 4 advertise-interval '20'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 preempt 'true'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 priority '150'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 'rfc-compatibility'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 version '2'
set interfaces dataplane dp0s11 vrrp vrrp-group 4 virtual-address '192.168.4.11'
Note
About the value of advertise-interval. It has been confirmed that VRRP communication rarely becomes unstable on the base side in the initial setting (1 sec). For that reason we recommend 20 seconds or more for the set value (detection is total 20 sec × 3 times).
NAT Setting(SNAT)
The setting for SNAT the source IP address of the server to the IP address of the Common Function Gateway segment at the firewall is shown below.
- FW-01
set service nat source rule 10 outbound-interface 'dp0s10'
set service nat source rule 10 source address '192.168.4.0/28'
set service nat source rule 10 translation address '169.254.0.5'
- FW-02
set service nat source rule 10 outbound-interface 'dp0s10'
set service nat source rule 10 source address '192.168.4.0/28'
set service nat source rule 10 translation address '169.254.0.6'
Confirmation of setting contents
If the above setting has been thrown correctly, you can check the output below.
- FW-01
user-admin@FW-01# show interfaces
interfaces {
dataplane dp0s10 {
address 169.254.0.5/17
}
dataplane dp0s11 {
address 192.168.4.12/28
vrrp {
vrrp-group 4 {
advertise-interval 20
preempt true
priority 200
rfc-compatibility
version 2
virtual-address 192.168.4.11
}
}
}
user-admin@FW-01# show service nat
nat {
source {
rule 10 {
outbound-interface dp0s10
source {
address 192.168.4.0/28
}
translation {
address 169.254.0.5
}
}
}
}
- FW-02
user-admin@FW-02# show interfaces
interfaces {
dataplane dp0s10 {
address 169.254.0.6/17
}
dataplane dp0s11 {
address 192.168.4.13/28
vrrp {
vrrp-group 4 {
advertise-interval 20
preempt true
priority 150
rfc-compatibility
version 2
virtual-address 192.168.4.11
}
}
}
user-admin@FW-02# show service nat
nat {
source {
rule 10 {
outbound-interface dp0s10
source {
address 192.168.4.0/28
}
translation {
address 169.254.0.6
}
}
}
}
10.3.5.3. Flow of traffic¶
When Server-01, 02 is normal, communication is performed to the NTP server through FW-01 which is Master.
Status check at normal state
The status of the firewall during normal communication can be confirmed as follows.
VRRP status
FW-01 must be Master.
user-admin@FW-01:~$ show vrrp
RFC Addr Last Sync
Interface Group State Compliant Owner Transition Group
--------- ----- ----- --------- ----- ---------- -----
dp0s11 4 MASTER dp0vrrp1 no 2d15h49m31s <none>
FW-02 must be Backup.
user-admin@FW-02:~$ show vrrp
RFC Addr Last Sync
Interface Group State Compliant Owner Transition Group
--------- ----- ----- --------- ----- ---------- -----
dp0s11 4 BACKUP dp0vrrp1 no 2d15h49m34s <none>
NAT translation status
The source IP address of Server-01, 02 passing through FW-01 is SNAT as set.
user-admin@FW-01:~$ show nat source translations
Pre-NAT Post-NAT Prot Timeout
192.168.4.1:123 169.254.0.5:123 udp 57
192.168.4.2:123 169.254.0.5:124 udp 57
Note
Since FW-02 is Backup, there is no traffic passing. Therefore there is no translation log of SNAT.
Synchronization check on Server
It is synchronized with the NTP server (169.254.127.1) as follows.
If * or + is displayed before the NTP server address, time synchronization is in state.
- Server-01
[root@server-01 test-user]# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 169.254.127.1 3 6 17 20 -131us[ -103us] +/- 80ms
- Server-02
[root@server-02 test-user]# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 169.254.127.1 3 6 17 21 -207us[ -140us] +/- 80ms
10.3.5.4. Flow of traffic at failure occurs¶
When an instance failure occurs on FW-01, Server-01, 02 passes through FW-02 and communicates to the NTP server.
Note
As a test method of instance failure, we adopted a method to temporarily invalidate VRRP of FW-01.
Following is stop/resume any vrrp-group by following command.
# Stop
set interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable
# Resume
delete interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable
Check Status When a Failure Occurs
The status of the firewall at the time of failure can be confirmed as follows.
VRRP status
FW-01 VRRP is stopped.
user-admin@FW-01:~$ show vrrp
RFC Addr Last Sync
Interface Group State Compliant Owner Transition Group
--------- ----- ----- --------- ----- ---------- -----
Note
The status is not displayed since VRRP of FW-01 is stopped.
FW-02 is Master.
user-admin@FW-02:~$ show vrrp
RFC Addr Last Sync
Interface Group State Compliant Owner Transition Group
--------- ----- ----- --------- ----- ---------- -----
dp0s11 4 MASTER dp0vrrp1 no 2s <none>
NAT translation status
The source IP address of Server-01, 02 passing through FW-02 is SNAT as set.
user-admin@FW-02:~$ show nat source translations
Pre-NAT Post-NAT Prot Timeout
192.168.4.1:123 169.254.0.6:123 udp 60
192.168.4.2:123 169.254.0.6:124 udp 60
Note
Since VRRP of FW-01 is stopped, communication does not pass. Therefore, there is no log of NAT conversion.
Synchronization check on Server
Server synchronization is confirmed even when a failure occurs.
If * or + is displayed before the NTP server address, time synchronization is in state.
- Server-01
[root@server-01 test-user]# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 169.254.127.1 3 6 17 22 -2307ns[ +50us] +/- 92ms
- Server-02
[root@server-02 test-user]# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 169.254.127.1 3 6 17 23 +83us[ +229us] +/- 57ms