VMware Server NAT Configuration
Network Address Translation (NAT) is a mechanism whereby a number of different computers, typically on a private internal network, are represented by a single external IP address. When one of the clients on the private network communicates with a remote system it does so through a NAT device which modifies the data to make it appear that it has been sent from the shared NAT IP address. When the remote system responds, the NAT device directs the response to the original client that initiated the connection.
In physical network environments, NAT serves two primary purposes. Firstly, it conserves the limited supply of public IPv4 addresses. Using NAT, an enterprise with many thousands of computer systems can operate on the internet using only one unique public IP address, by assigning private IP addresses to the internal clients and having them all represented by that single external address. Secondly, in the general belief that the less a potential intruder knows about an internal network the better, NAT also provides a degree of obscurity by hiding the internal IP addresses of computer systems behind the external IP address. In practice the protective effect comes from the NAT device having no mapping for an inbound connection that nobody on the inside initiated, so that such traffic is simply discarded; NAT is not a substitute for a firewall or for hardening the systems behind it.
In the context of VMware Server, a NAT based virtual network allows an entire private network to be created within the VMware Server environment, all participants of which are represented on the physical network by a single IP address, i.e. that of the host computer.
How VMware Server based NAT Works
Both the NAT device and any virtual machines connected to the default NAT virtual network use the vmnet8 virtual network switch. Also attached to this virtual switch is the VMware internal DHCP server which can be used to assign dynamic IP addresses, gateway and DNS information to the virtual machines on the NAT based network.
When a virtual machine sends a packet, the NAT device changes the source address (that of the virtual machine) to the address of the host computer, substitutes a source port of its own, and records the mapping before transmitting the packet to its intended destination. When the recipient responds, the NAT device looks up that mapping, rewrites the destination to the IP address and port of the virtual machine which initiated the connection, and forwards the packet to that system on the virtual network.
Unless some form of port forwarding is configured on the NAT device (a topic which is discussed later in this chapter), it is not possible for an external client to initiate a network connection with a virtual machine running inside a VMware Server NAT based virtual network.
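To make the translation behaviour described above concrete, here is a small Python model of the NAT device's mapping table. It is an added illustration, not code from VMware or from this page; the class and method names, the host and virtual machine addresses, the ephemeral port range starting at 40000 and the timeout value are all assumed for the demo. It shows the three cases the preceding paragraphs describe: a reply to an outbound packet is delivered to the originating virtual machine, a UDP reply arriving after the mapping has timed out is discarded, and an unsolicited inbound packet is dropped unless a port forwarding rule exists for it.

```python
"""Toy model of the NAT device's translation table.

Added example, not VMware's code. Names, addresses and the ephemeral
port range (starting at 40000) are assumed for the demo. Outbound packets
are keyed on (proto, vm_ip, vm_port); inbound packets are matched on the
host-side port. UDP mappings expire after `udp_timeout` seconds; TCP
mappings are kept for the life of the demo.
"""
from dataclasses import dataclass, field


@dataclass
class NatDevice:
    host_ip: str                  # address the outside world sees
    udp_timeout: float = 30.0     # seconds a UDP mapping survives without traffic
    forwards: dict = field(default_factory=dict)  # (proto, host_port) -> (vm_ip, vm_port)
    table: dict = field(default_factory=dict)     # (proto, host_port) -> (vm_ip, vm_port, last_seen)
    next_port: int = 40000

    def outbound(self, proto, vm_ip, vm_port, dst_ip, dst_port, now):
        """VM -> remote: rewrite the source to host_ip:host_port and remember the mapping."""
        for (p, host_port), (ip, port, _) in self.table.items():
            if p == proto and (ip, port) == (vm_ip, vm_port):
                break                         # reuse the existing mapping
        else:
            host_port = self.next_port
            self.next_port += 1
        self.table[(proto, host_port)] = (vm_ip, vm_port, now)
        return (self.host_ip, host_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, host_port, now):
        """remote -> host: return the rewritten packet, or None if it is discarded."""
        entry = self.table.get((proto, host_port))
        if entry is not None:
            vm_ip, vm_port, last_seen = entry
            if proto == "udp" and now - last_seen > self.udp_timeout:
                del self.table[(proto, host_port)]   # expired: the device has forgotten who sent it
            else:
                self.table[(proto, host_port)] = (vm_ip, vm_port, now)
                return (src_ip, src_port, vm_ip, vm_port)
        rule = self.forwards.get((proto, host_port))
        if rule is not None:                         # explicit port forward
            return (src_ip, src_port, rule[0], rule[1])
        return None                                  # unsolicited and unforwarded: dropped


if __name__ == "__main__":
    nat = NatDevice(host_ip="192.168.1.10", udp_timeout=30)
    print(nat.outbound("udp", "172.16.86.128", 5000, "198.51.100.53", 53, now=0))
    print(nat.inbound("udp", "198.51.100.53", 53, 40000, now=10))   # reply delivered
    print(nat.inbound("udp", "198.51.100.53", 53, 40000, now=60))   # None: mapping expired
    nat.forwards[("tcp", 8080)] = ("172.16.86.128", 80)
    print(nat.inbound("tcp", "203.0.113.5", 5555, 8080, now=0))     # forwarded to the VM
```

The model deliberately keeps only the state the text describes: a mapping created by outbound traffic, a UDP expiry timer, and a static forwarding table. A real NAT device also tracks TCP connection state and frees mappings when connections close, which is omitted here.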
Configuring NAT on Windows VMware Hosts
The VMware Server NAT device may be configured on Windows hosts using the Virtual Network Editor tool, which is accessed by selecting Start -> All Programs -> VMware Server -> Manage Virtual Networks. Once loaded, clicking on the NAT tab displays the NAT configuration screen as illustrated in the following figure:
The main NAT page is divided into sections. The top section, titled NAT, displays the IP address and netmask of the NAT device. To add NAT to other virtual networks, select the network from the VMnet host menu. If the selected virtual network is currently bridged a warning dialog will appear seeking confirmation of the change. The option of adding a DHCP server to a virtual network is also provided so that virtual machines on the network can obtain dynamic IP addresses and other information such as gateway and DNS details. If NAT is to be disabled entirely, change this menu to the Disabled option.
The NAT service panel displays the current status of the NAT device and provides the ability to stop, start or restart the device. Additional NAT settings are configured on a per virtual network basis, and are accessed by selecting the desired virtual network and clicking the Edit... button:
The NAT Settings dialog allows a number of options to be configured for the selected virtual network:
- Gateway IP address - The IP address of the NAT device on the virtual network.
- UDP Timeout - The amount of time, in seconds, for which the NAT device retains a UDP mapping. Since UDP has no connection state, this mapping is the only record the NAT device keeps of which virtual machine sent a particular UDP datagram to an external system. If the external system responds after the timeout has elapsed, the NAT device no longer knows to which virtual machine the reply belongs, and the packet is discarded.
- Config port - The TCP/IP port used for accessing information about the NAT device.
- Active FTP - Governs whether the NAT device supports active FTP sessions, in which the remote FTP server initiates the data connection back to the client. When disabled, only passive FTP (where the client initiates both the control and data connections) will work through the NAT device.
- Port Forwarding - The Port Forwarding button allows network traffic arriving on a particular TCP or UDP port on the host system to be forwarded to a specific port on a specific virtual machine within the NAT based virtual network. Since an external client cannot ordinarily initiate a connection with a virtual machine in NAT based virtual network, port forwarding is useful in situations where, for example, a virtual machine is required to act as web or FTP server. As illustrated in the following figure, the Port Forwarding dialog is divided into two sections, one for UDP and the other for TCP. In each case, buttons are provided to Add, Remove and View port forwarding rules:
To configure a port forwarding rule, click on one of the two Add... buttons (depending on whether the forwarding is to apply to UDP or TCP traffic) and enter the Host port on which arriving traffic is to be forwarded, together with the IP address and port of the destination virtual machine. In addition, an optional description of the port forwarding rule may be entered into the Description field. Once configured, any traffic arriving on the specified port of the host system will be forwarded to the specified port of the designated virtual machine. Note that a forwarded port is reachable by any system that can reach the host's address, so the service exposed on the virtual machine must be patched and hardened as if it were running on a physical host.
- DNS - When clicked, the DNS... button allows DNS servers to be configured for use with the NAT device as illustrated in the following figure:
In addition to specifying the IP address of one or more DNS servers, the Policy for handling multiple DNS servers may also be altered. Options include Burst where a request is sent simultaneously to three servers and the first response is accepted, Order where requests are sent one by one to each server and Rotate where requests are rotated through the available servers. When Autodetect is selected, VMware Server automatically identifies available name servers without the need for the servers to be specifically configured. In addition, the number of retries and length of time the NAT device should attempt to connect to a DNS server may be configured via the Timeout and Retries values.
- Allow any OUI - The MAC address of a network device is made up of six bytes. The first three bytes are the Organizationally Unique Identifier (OUI), which identifies the vendor that issued the address; the last three bytes identify the device within that OUI. By default the NAT device only accepts packets from the OUIs VMware assigns to its virtual network adapters, so manually changing the OUI portion of a virtual machine's MAC address can prevent it from communicating through the NAT device. In the event of such a problem, ensure that the Allow any OUI option is selected.
- Netbios - The Netbios section of the NAT Settings dialog allows the timeout and retry values for the NetBIOS Name Service (NBNS) and NetBIOS Datagram Service (NBDS) to be specified if these services are being used on the network.
Configuring NAT on Linux Hosts
Unfortunately, VMware Server on Linux currently lacks a user friendly equivalent of the Windows Manage Virtual Networks tool, instead requiring the manual editing of the /etc/vmware/vmnet8/nat/nat.conf file (keeping in mind that the vmnet8 name will need to be changed if the settings are to be configured for a custom created virtual network).
The nat.conf file contains a number of different sections, each allowing a different aspect of the NAT device to be configured:
- ip - The IP address of the NAT device on the virtual network. By default this will be <xxx>.2 where the <xxx> is the subnet address assigned to the virtual network (for example, 172.16.86.2).
- netmask - The subnet mask to be used for the NAT device.
- configport - The port to be used for accessing information about the NAT device. By default this directive is commented out with a # character for security purposes and is supposedly only for use by VMware Inc's technical support staff.
- device - The VMnet virtual network switch to which the NAT device is attached.
- activeFTP - A value of 1 indicates that active FTP sessions (i.e. sessions in which the remote FTP server initiates the data connection back to the virtual machine) are supported. A setting of 0 limits FTP through the NAT device to passive sessions.
- timeout - The amount of time, in seconds, to keep UDP mapping for the NAT device. This is essentially the amount of time for which the NAT device remembers which virtual machine initiated a specific UDP based connection with an external system. If the external system responds after the timeout period has elapsed, the NAT will no longer know to which virtual machine the data should be forwarded, and the UDP packet will be discarded.
The [incomingtcp] section of the nat.conf file is used to configure TCP port forwarding. This essentially involves mapping an incoming TCP port on the host to the IP address and TCP port of a virtual machine. For example, to map data coming into TCP port 8080 on the host to port 80 on a virtual machine with an IP address of 172.16.86.128, the following directive would need to be entered into the [incomingtcp] section of the configuration file:
8080 = 172.16.86.128:80
As many TCP port forwarding directives as necessary may be added to this section of the NAT configuration file, one per line.
The [incomingudp] section of the nat.conf file is used to configure UDP port forwarding. Similar to the [incomingtcp] section, this involves mapping an incoming UDP port on the host to the IP address and UDP port of a virtual machine. For example, to map data arriving on UDP port 8081 on the host to port 8082 on a virtual machine with an IP address of 172.16.86.128, the following directive would need to be entered into the [incomingudp] section of the configuration file:
8081 = 172.16.86.128:8082
As many UDP port forwarding directives as necessary may be added to this section of the NAT configuration file. After editing nat.conf, the NAT device must be restarted for the changes to take effect.
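As an added example covering both the nat.conf directives listed above and the [incomingtcp]/[incomingudp] forwarding sections, the following Python script parses a nat.conf and audits its forwarding rules. It is not code from VMware or from this page. It assumes that the general directives (ip, netmask, device, activeFTP, timeout, configport) sit in a [host] section, as they do in the file VMware ships, and the sample configuration embedded in it is constructed for the demo rather than taken from a real host. The audit reports every host port that is exposed to the outside, flags a forwarding target that is not on the NAT subnet derived from ip and netmask (such a rule can never deliver traffic to a virtual machine on that network), and warns if configport has been uncommented.

```python
"""Parse a VMware nat.conf and audit its port-forwarding rules.

Added example; assumes the general directives (ip, netmask, device,
activeFTP, timeout, configport) sit in a [host] section as in the stock
file, and that forwarding rules are "hostport = vmip:vmport" lines in
[incomingtcp] and [incomingudp].
"""
import ipaddress
import re

# Constructed sample configuration for the demo (not a real host's file).
SAMPLE_NAT_CONF = """\
[host]
ip = 172.16.86.2
netmask = 255.255.255.0
device = vmnet8
activeFTP = 1
timeout = 30
#configport = 33445

[incomingtcp]
# host port = virtual machine address:port
8080 = 172.16.86.128:80
2222 = 172.16.86.128:22

[incomingudp]
8081 = 172.16.86.128:8082
53 = 10.0.0.5:53
"""


def parse_nat_conf(text):
    """Return {section: {key: value}}; '#' comments and blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def audit_forwards(conf):
    """Validate forwarding rules against the NAT subnet.

    Returns {"exposed": [(proto, host_port, vm_ip, vm_port), ...],
             "problems": [description, ...]}.
    """
    host = conf.get("host", {})
    exposed, problems = [], []
    try:
        net = ipaddress.ip_network(f"{host['ip']}/{host['netmask']}", strict=False)
    except (KeyError, ValueError):
        return {"exposed": exposed,
                "problems": ["[host] ip/netmask missing or invalid; cannot check targets"]}
    if "configport" in host:
        problems.append(f"configport = {host['configport']} is enabled; "
                        "the stock file ships it commented out")
    for section, proto in (("incomingtcp", "tcp"), ("incomingudp", "udp")):
        for host_port, target in conf.get(section, {}).items():
            try:
                hp = int(host_port)
                vm_ip, vm_port = target.rsplit(":", 1)
                addr, vp = ipaddress.ip_address(vm_ip), int(vm_port)
            except ValueError:
                problems.append(f"{proto} rule {host_port} = {target} is malformed")
                continue
            if not (0 < hp < 65536 and 0 < vp < 65536):
                problems.append(f"{proto} rule {hp} -> {target} uses an invalid port")
            elif addr not in net:
                problems.append(f"{proto} {hp} -> {target}: {vm_ip} is not on the NAT subnet {net}")
            else:
                exposed.append((proto, hp, str(addr), vp))
    return {"exposed": exposed, "problems": problems}


if __name__ == "__main__":
    result = audit_forwards(parse_nat_conf(SAMPLE_NAT_CONF))
    for proto, hp, vm_ip, vp in result["exposed"]:
        print(f"host {proto}/{hp} is reachable from outside -> {vm_ip}:{vp}")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Run it against a real file with `parse_nat_conf(open("/etc/vmware/vmnet8/nat/nat.conf").read())`; the "exposed" list is the set of host ports an attacker on the host's network can reach, which is what should be reviewed whenever a rule is added.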